Warning: Postal phishing targets Ledger and Trezor users offline

Scammers are now targeting cryptocurrency users with physical phishing letters impersonating Trezor and Ledger, urging recipients to scan QR codes and submit wallet recovery phrases. The letters claim urgent “security checks” and redirect victims to fake setup sites designed to steal funds. The campaign highlights a dangerous evolution in crypto scams, moving beyond email into real-world mailboxes.

Physical Crypto Phishing Is On The Rise

A new phishing campaign is targeting hardware wallet owners through snail mail letters that appear to come from legitimate manufacturers like Trezor and Ledger. Instead of email links, these scams rely on official-looking letterhead, fake compliance warnings, and QR codes linking to malicious websites.

The goal is to create urgency and bypass users’ typical phishing defenses. Unlike traditional crypto scams, this one feels more trustworthy because it arrives in a physical envelope, increasing the chance that victims take it seriously.

Fake ‘Security Checks’ Are The Bait

The letters warn users about mandatory security upgrades such as ‘Authentication Check’ (Trezor-themed) or ‘Transaction Check’ (Ledger-themed). 

Victims are told they must complete the process by a specific deadline or risk losing wallet functionality, transaction signing failures, and future compatibility issues. This urgency is intentional, as it pressures users into scanning the QR codes without verifying legitimacy.

How The Scam Actually Works

Once scanned, the QR codes lead victims to phishing websites that closely mimic official Trezor and Ledger setup pages. 

The attack flow typically follows steps that include a user scanning the QR code, a fake site claiming urgent setup is required, the victim clicking ‘Get Started,’ and the final page requesting the recovery phrase.

The phishing pages accept 12-word, 20-word, and 24-word recovery phrases. Once entered, the data is sent directly to attackers, who can instantly take control of the wallet.

Why Hardware Wallet Users Are Being Targeted

Hardware wallet users are often seen as high-value targets because they typically hold larger balances and follow stronger security practices. Attackers are likely exploiting past data breaches exposing customer addresses, public hardware wallet ownership data, or leaked marketing databases.

Both Trezor and Ledger have experienced data leaks in the past, which exposed customer contact details and may have enabled this campaign.

Why This Scam is Especially Dangerous

Physical phishing is rare, and that’s exactly what makes it effective. Most crypto industry participants are trained to avoid suspicious emails, unknown links, and random DMs. But physical letters feel more legitimate, bypass spam filters, and exploit real-world trust.

This psychological shift dramatically increases success rates compared to traditional phishing.

Hardware Wallets Are Still Safe, But User Mistakes Aren’t

It’s important to note that hardware wallets themselves are not compromised in this attack. Instead, the scam relies entirely on social engineering, fear tactics, creating a sense of urgency, and user error.

Once a recovery phrase is revealed, even the most secure hardware wallet can’t prevent theft, as seed phrases represent full ownership of funds.

A Reminder: Recovery Phrases Should Never Be Shared

Crypto security experts and hardware wallet manufacturers repeat one rule above all, and that’s no legitimate company will ever ask for your recovery phrase.

Seed phrases should only ever be entered directly on the hardware wallet device, during wallet recovery, and offline. They should never be typed into websites, shared via email or phone, or scanned through a QR code. Any request to do so is almost certainly a scam.

What Crypto Users Should Do Now

So, if you receive a letter claiming to be from Trezor or Ledger, don’t scan any QR codes, don’t visit the listed websites, never enter your seed phrase, and verify updates directly via official sites.

If you already scanned a QR code but didn’t enter your seed phrase, your funds are still safe. However, if you entered your recovery phrase, you should immediately transfer funds to a new wallet with a new seed phrase.

A New Phase in Crypto Phishing

Though phishing emails targeting crypto users are common, postal phishing campaigns remain relatively rare, making this development particularly concerning.

Security researchers warn that this trend could grow as attackers experiment with hybrid online/offline scams, AI-targeting, and multi-channel phishing strategies. If successful, physical phishing could become a recurring tactic in future crypto fraud campaigns.

Bottom Line

All things considered, crypto scams are evolving, and this latest campaign proves attackers are willing to leave the digital world behind to target victims. Even hardware wallet users, often considered the most security-conscious segment of crypto, are not immune to social engineering attacks.

As always in crypto, security ultimately comes down to one rule: If someone asks for your recovery phrase, it’s a scam.

More Must-Reads:

• New Crypto Scams That Don’t Break Anything
• $4 Billion wiped by Crypto Scams and Hacks in 2025
• $455 Billion in Bitcoin Exposed to Quantum Attack Risk via Address Reuse, Up 16% Since 2020