Tuesday, January 21, 2025

Crypto Scam Alert: Fake Physical Letters Impersonating Trezor and Ledger Push QR Codes to Steal Wallet Recovery Phrases

Anny Sam

Anny is a skilled crypto writer, delivering clear, engaging content that simplifies complex blockchain concepts for a broad audience.
  • Scammers now use physical letters to target crypto wallet owners.
  • Fake urgency pushes victims to scan QR codes and visit phishing sites.
  • Recovery phrases remain the final target for wallet theft.

According to the report, threat actors have launched a new crypto phishing method that relies on traditional mail instead of email. The campaign targets users of hardware wallets made by Trezor and Ledger.

The attackers send printed letters designed to resemble those sent by security firms. The aim is still the same: to steal the recovery words and drain the funds. The letters that victims receive are designed to look very official and urgent.

These documents use the layout and the language of security firms. They warn the victims about checks they need to undergo to access their wallets, and they are designed to prompt the victims to act fast.

The documents carry a QR code that directs the victims to a fake website. These sites pressure victims into fake checks and warn that wallet features are at risk. The tactic forces quick decisions, which increases mistakes.

Past Crypto Breaches Exposed Wallet User Details

Investigators don’t know how the attackers choose targets. Past Trezor and Ledger breaches exposed contact information, which attackers now use. Cybersecurity expert Dmitry Smilyanets shared an example of the letter the attackers are using, and it carried the Trezor brand.

The letter informed the victims about a new mandatory requirement for enhancing the security of their accounts. It set a deadline for early 2026 and asked the victims to scan the QR code to ensure uninterrupted service.

One online letter used the Ledger brand to scare victims into checking transactions. The attacker’s domain was later unavailable. For Trezor victims, the domain remained active with Cloudflare warnings. It gave instructions, device details, and purchase dates.

Fake Alerts Lead Users to Phishing Forms

After clicking the start button, users were given more warnings. The site said their transactions would be blocked if the errors weren’t corrected. It also said the update would fail. Each warning made users more stressed. After all this, the platform gave users a form to fill out. On the final page, it asked users to provide their recovery phrases.

The site accepted recovery phrases of all word lengths and said it needed the phrase to verify ownership. This was not true. Once the site was given the phrase, the attackers had complete access: they could import the wallet and move the funds at any time. A recovery phrase is the master key to the wallet. Whoever controls the phrase controls the wallet.

Hardware wallet makers never ask for recovery phrases. Mail scams are rare but dangerous, like fake Ledger devices in 2021 and April. Users should ignore scams, verify information, and report them. Caution protects crypto.
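A defender-side check for the QR step described above, as an added example that is not part of the original article: it classifies a URL decoded from a QR code by its real hostname rather than by the brand name it displays. The vendor domains `trezor.io` and `ledger.com`, the function name `classify_qr_url` and the sample URLs in the comments are assumptions or constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the vendors' main domains. Confirm them independently
# (device packaging, or type the address by hand) before relying on this list.
OFFICIAL_DOMAINS = {"trezor.io", "ledger.com"}


def classify_qr_url(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "reject", "malformed URL"
    if parts.scheme.lower() != "https":
        return "reject", "not an https URL"
    if parts.username is not None or parts.password is not None:
        # Constructed case: https://ledger.com@verify.example/ displays the
        # brand, but the browser connects to verify.example.
        return "reject", "userinfo before '@' hides the real host"
    if not host:
        return "reject", "no hostname"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "reject", "internationalized label, possible lookalike"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; a bare suffix match would also
        # accept hosts such as nottrezor.io.
        if host == domain or host.endswith("." + domain):
            return "official-domain", f"host is within {domain}"
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    if any(b in host for b in brands):
        # Constructed case: trezor.io.device-check.example
        return "reject", "brand name used on an unrelated domain"
    return "reject", "host is not a vendor domain"

# An "official-domain" verdict only says where the link points. No page on
# any domain should be given a recovery phrase.
```
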
