- Scammers are mailing fake Trezor and Ledger notices to hardware wallet owners, using QR codes and old breach data to steal crypto funds
- Experts say leaked contact details remain useful for years, and that phishing now blends postal mail, email, SMS, and spoofed apps
Owners of hardware wallets from major crypto brands are now being targeted through carefully crafted physical letters that impersonate Trezor and Ledger. These mailings use official-looking branding, holograms, forged signatures, and QR codes designed to capture wallet backups and drain digital assets, according to cybersecurity specialists who have shared examples online.
Hardware wallet phishing moves from email to physical mail
The latest scheme came to wider attention on Friday, when cybersecurity expert Dmitry Smilyanets posted an image on X of a letter styled as official Trezor correspondence. The document carried Trezor branding and a U.S. postmark and was produced with a level of polish that, at a glance, could pass for a legitimate notice. Yet the letter also contained a glaring inconsistency: the signature block named the CEO of Ledger, Trezor’s competitor, exposing an error beneath the otherwise refined design.
Trezor responded publicly to Smilyanets’ post, stressing that the company would not initiate unsolicited contact and urging users to avoid sharing wallet backups, to rely on official channels, and to verify any communication. That message echoed long-standing guidance around phishing, but the medium in this case—printed letters delivered to home addresses—marks a departure from the email and web-based tactics more commonly associated with crypto scams.
Copies of the Trezor-themed letter shared online show that it claims to announce a feature called “Authentication Check®,” described as a forthcoming mandatory security step. Recipients are directed to scan an enclosed QR code to enable this function by a stated deadline, under the warning that failure to do so could restrict access to wallet software. A parallel letter template using Ledger branding, seen in circulation since last October, refers instead to a “Transaction Check,” but follows the same pattern: an apparent requirement framed as a safety upgrade, tied to a QR code that leads victims into the phishing flow.
Cybercrime consultant David Sehyeon Baek told Decrypt that the use of postal mail represents a deliberate escalation by the attackers. He argued that a hardware wallet user receiving a personalized letter at home may feel that the threat has shifted from an abstract online risk to something that intrudes into their offline life, because the sender demonstrates knowledge of their name and address. According to Baek, this sense that “we can locate you” can provoke a stronger emotional reaction than a routine spam email and may push some recipients to engage without the same caution.
Data breaches and long-lived exposure risks
The attackers appear to be exploiting information exposed in earlier data breaches involving both Ledger and Trezor. Over the past several years, both hardware wallet providers have reported incidents where third-party services handling customer information were compromised. Data points such as email addresses, names, home addresses, phone numbers, and evidence of hardware wallet purchases have been leaked and later used in targeted phishing waves.
Ledger disclosed a significant e-commerce breach in 2020 in which more than one million email addresses were exposed, along with thousands of physical addresses and phone numbers. The company also reported last month that an e-commerce partner had suffered its own incident affecting order data. Trezor users were affected by a 2022 MailChimp insider event that revealed contact details, followed by a separate breach of a third-party support portal that impacted roughly 66,000 customers. Those disclosures have been accompanied by repeated warnings about follow-on phishing attempts.
Baek described leaked personal data as “sticky,” noting that information obtained years earlier can still be exploited in new attack formats. He pointed out that many people rarely change elements such as mobile phone numbers or physical addresses, allowing criminal groups to maintain reliable profiles over long periods. That persistence of identity markers enables campaigns that jump between channels—from email to SMS and now to physical mail—while still relying on the same underlying contact lists built through earlier compromises.
He also challenged the notion that crypto operates in a fully anonymous space. In his view, blockchain transactions are better described as pseudonymous, and once a specific wallet is connected to a real-world identity through KYC records or leaked customer data, the associated transaction history can be traced and monitored. That linkage, he suggested, increases the potential impact of any database breach touching hardware wallet buyers or centralized exchange customers.
Limits of provider control and ongoing phishing pressure
Experts interviewed by Decrypt noted that hardware wallet manufacturers have limited direct control over many of the attack vectors now being used against their customers. Alex Katz, CEO and founder of cybersecurity firm Kerberus, explained that phishing activity generally takes place outside the secure environment of the device itself, often within the user’s browser or via external links embedded in emails, SMS messages, or QR codes. Because of this, even a well-designed hardware wallet cannot block fraudulent websites or malicious links that a user chooses to access.
Katz also highlighted the role of ongoing identity verification requirements across the broader crypto ecosystem. Users commonly complete KYC checks to participate in centralized exchanges, and those platforms store sensitive personal data. According to Katz, such databases can be, and have been, breached, with some incidents only coming to light after the fact. This means information about hardware wallet owners may originate from sources beyond Trezor or Ledger’s own systems, adding more potential leakage points.
Given this landscape, Katz argued that users should operate on the assumption that they are consistently being targeted and that attackers will continue to refine multi-channel strategies. He expects to see continued blending of physical mail, SMS, spoofed apps, and web pages in order to increase credibility and, in turn, the number of victims who comply with fraudulent instructions. In his assessment, this trend is not restricted to 2026 but is likely to define phishing activity “going forward in general.”
The physical letters impersonating Trezor and Ledger illustrate this shift. By combining detailed branding elements with references to plausible-sounding security features, including terms such as “Authentication Check®” and “Transaction Check,” the scammers aim to persuade hardware wallet owners that the requests are routine and necessary. The use of a deadline introduces a sense of urgency, while the QR code offers a simple, familiar action that can lead directly to a phishing site without requiring recipients to type a URL.
Conclusion
The emergence of high-quality, Trezor- and Ledger-branded letters targeting hardware wallet owners underscores how data breaches and long-lived personal information can fuel evolving phishing tactics. With offenders now turning to physical mail that leverages postal credibility and personal details, experts say users should assume persistent exposure and treat any unexpected request—whether by email, SMS, or letter—as suspect until verified through official channels. While device makers can secure the hardware itself, they have limited reach over the external environments where phishing unfolds, leaving vigilance by wallet holders as a key line of defense.

