Cybercriminals have launched a new wave of cryptocurrency phishing attacks by sending physical letters to users of Trezor and Ledger hardware wallets. The fraudulent mail is designed to trick recipients into revealing their wallet recovery phrases, ultimately enabling attackers to steal digital assets.
QR Code Scam Delivered by Post
Unlike traditional email phishing, this campaign relies on printed letters that appear to be official communications from Trezor and Ledger security or compliance teams. The letters instruct recipients to complete a so-called mandatory “Authentication Check” or “Transaction Check” to prevent disruptions to their wallet functionality.
Victims are urged to scan a QR code included in the letter, which redirects them to malicious phishing websites impersonating legitimate wallet setup pages. The language in the letters creates urgency, warning users that failure to comply by a specified deadline could result in restricted access or disabled wallet features.
Although the exact targeting criteria remain unclear, both Trezor and Ledger have experienced data breaches in recent years that exposed customer contact information. This may have enabled threat actors to identify potential victims.
How the Phishing Operation Works
A fake Trezor letter received by cybersecurity expert Dmitry Smilyanets claimed that an “Authentication Check” would soon become mandatory and must be completed by February 15, 2026. It instructed recipients to scan a QR code and follow the steps to activate the feature.

Similarly, a fraudulent Ledger letter warned users to complete a “Transaction Check” by October 15, 2025, to avoid interruptions.
The QR codes direct victims to phishing domains such as:
https://trezor.authentication-check[.]io/
https://ledger.setuptransactioncheck[.]com/
At the time of reporting, the Ledger phishing site had gone offline, while the Trezor-themed phishing page remained accessible but flagged as malicious.
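Both lookalike hosts above place the brand name in a subdomain of a domain the vendor does not own. As an added example (not part of the original article), the Python check below flags that pattern in a URL decoded from a QR code or pulled from proxy logs; the official-domain allowlist (trezor.io, ledger.com) and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the vendors' official domains (not listed in the article).
OFFICIAL = {"trezor": ("trezor.io",), "ledger": ("ledger.com",)}


def refang(url):
    """Undo common defanging ([.], (.), hxxp) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".").replace("(.)", ".")
    return url.replace("hxxp", "http", 1)


def parse_host(url):
    """Return (hostname, netloc), lower-cased; ('', '') if unparseable."""
    url = refang(url)
    if "://" not in url:
        url = "//" + url  # make urlsplit treat a bare host as the netloc
    try:
        parts = urlsplit(url)
        return (parts.hostname or "").rstrip(".").lower(), parts.netloc.lower()
    except ValueError:
        return "", ""


def impersonated_brand(url):
    """Return the brand a URL imitates, or None if official or unrelated."""
    host, netloc = parse_host(url)
    official = [d for domains in OFFICIAL.values() for d in domains]
    # Hosts at or under an official domain are vendor-controlled.
    if any(host == d or host.endswith("." + d) for d in official):
        return None
    # The brand may sit in a subdomain label or in the userinfo part
    # (brand.tld@other-host), so search the whole netloc.
    for brand in OFFICIAL:
        if brand in netloc:
            return brand
    return None


if __name__ == "__main__":
    # The first two URLs are the defanged examples quoted in the article;
    # the last two are constructed for comparison.
    for u in ("https://trezor.authentication-check[.]io/",
              "https://ledger.setuptransactioncheck[.]com/",
              "https://trezor.io/start",
              "https://trezor.io@login.example/"):
        print(u, "->", impersonated_brand(u))
```

A hit means the host uses the vendor's name without belonging to the vendor; a miss does not prove a URL is safe.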
The fraudulent Trezor webpage claims users must complete the authentication setup unless they recently purchased specific wallet models after a certain date.
Clicking “Get Started” leads to additional warnings about blocked access, transaction signing errors, and future update disruptions. These scare tactics are intended to pressure victims into continuing the process.
The final step of the attack requests the wallet’s 12, 20, or 24-word recovery phrase under the pretense of verifying device ownership.

Once entered, the recovery phrase is transmitted to the attackers through a backend API endpoint at:
https://trezor.authentication-check[.]io/black/api/send.php
With access to the seed phrase, attackers can import the wallet onto their own devices and transfer funds without the victim’s consent.
Postal Phishing, A Growing Threat

While phishing emails targeting cryptocurrency users are widespread, physical mail phishing campaigns remain relatively uncommon. However, similar incidents have occurred before. In 2021, modified Ledger devices were mailed to victims to harvest recovery phrases during setup. Another postal phishing campaign targeting Ledger users was reported earlier this year.
Never Share Your Recovery Phrase
A recovery phrase, also known as a seed phrase, represents the private keys controlling access to a cryptocurrency wallet. Anyone who obtains this phrase gains full control over the associated funds.
Hardware wallet providers such as Trezor and Ledger will never ask users to share, upload, scan, or enter recovery phrases online. Recovery phrases should only be entered directly on the hardware wallet device itself when restoring access. They should never be typed into websites, mobile apps, or computers.
As crypto phishing attacks evolve, users must remain cautious, especially when unexpected communications demand urgent action involving wallet credentials.


