TL;DR
- A mail-based phishing scam campaign is targeting users of Ledger and Trezor hardware wallets, attempting to trick recipients into revealing their seed phrases via fake verification websites.
- The scam is likely leveraging contact data exposed in the 2020 Ledger data breach, highlighting the long-term risks of customer information leaks in the crypto industry.
A seed phrase phishing scam is targeting Ledger and Trezor hardware wallet owners through professionally printed letters sent to their homes. The letters impersonate official security notices and instruct recipients to “verify” their wallets by scanning a QR code or visiting a website.
Security researchers say the operation is a targeted phishing attack extracting recovery phrases from unsuspecting hardware wallet owners. Once the user enters the seed phrase on a fraudulent site, attackers can immediately access and drain the associated crypto wallet.
How the Scam Works
Victims report receiving a phishing letter that appears to reference a recent Ledger security update. The document includes company logos, formal language, and a reference number to create legitimacy.
The letter directs users to a website that closely resembles an official support page. There, recipients are prompted to complete what is presented as a mandatory verification process. In reality, scammers are phishing for seed phrases. Entering the recovery phrase grants full control of the wallet to the attacker.
Reports describe similar tactics used in a parallel phishing scam targeting Trezor users. In both cases, the hardware devices themselves remain uncompromised. The attack relies entirely on social engineering.
Link to Past Data Leaks
The mail campaign has renewed attention on a 2020 Ledger data breach, which exposed customer contact information, including physical addresses. Although the breach did not compromise private keys or recovery phrases, the leaked data created a long-term targeting risk.
By using postal mail instead of email, attackers increase credibility and bypass common digital spam filters. The approach suggests that previously leaked customer data is being repurposed for highly targeted fraud attempts.
There is no indication that the current campaign involves a new breach. Instead, the scam appears to leverage historical data to identify potential victims.
>>> Related: Ledger Data Breach Linked to Third-Party Global-e Incident
Broader Security Context
Phishing attempts targeting crypto users have evolved across multiple channels. Email campaigns, social media impersonation, and now physical mail have all been used to trick users into revealing sensitive information.
Hardware wallet providers consistently state that they will never request a recovery phrase through email, phone, or postal correspondence. The security model of hardware wallets depends on keeping the seed phrase offline and private at all times.
User Warning
Users should ignore unsolicited letters requesting wallet verification or security updates. This mail-based scam targeting Ledger and Trezor users succeeds only when someone enters their seed phrase on a fraudulent website.
Anyone who receives suspicious correspondence should verify announcements directly through official company websites. Protecting your recovery phrase remains the single most important defense against wallet compromise.
