Meet the Top 101 in Crypto
News
4 min read

Ledger and Trezor Users Security Alert: Seed Phrase Phishing Attempts Sent by Mail

Published 16 February 2026
Prashant Jha
Authors
Edited by Insha Zia

Key Takeaways

  • Scammers are mailing fake letters to Trezor and Ledger users.
  • They posed as official support and urging victims to visit phishing sites to enter seed phrases.
  • The letters use urgent deadlines and realistic branding to trick people into scanning QR codes that lead to malicious wallet verification pages.
  • Ledger’s history of breaches makes users prime targets.

In a sophisticated escalation of phishing tactics, scammers have started mailing physical letters to owners of Trezor and Ledger hardware wallets, impersonating official communications from these companies.

This campaign, which gained attention in early February 2026, exploits users’ trust in physical mail by using realistic branding, letterheads, and urgent language to coerce victims into revealing their 24-word recovery seed phrases.

Try Our Recommended Crypto Exchanges
Sponsored
Disclosure
Opened in 2018
Promotions
Deposit $100, Get an Extra $300 in GOLD!
Coins
Shiba Inu Bitcoin PAX Gold Ampleforth Ethereum +70
Promotions
Receive up to $100,000 worth of exclusive gifts for newcomers upon registration.
Coins
Bitcoin Ethereum Tether USD Coin Solana +76
Opened in 2017
Promotions
Experience a 1-minute swap on a non-custodial platform.
Coins
Bitcoin Ethereum Tether Build'N'Build USD Coin +217
Show More

How the Scam Works

The scam was first highlighted on X on Feb. 16.

Fraudsters pose as support teams, directing recipients to phishing websites designed to steal sensitive wallet information.

Letters typically claim that a “mandatory Authentication Check” or “Transaction Check” is required to maintain wallet functionality.

  • One Trezor-themed letter, shared by cybersecurity expert Dmitry Smilyanets, warned users to complete the process by Feb. 15, 2026. It claimed they would risk losing access if they failed to comply.

  • Ledger-themed letters urge recipients to scan QR codes for a “critical security update,” with deadlines ranging from October 2025 to February 2026.

Scanning these QR codes leads to fake sites mimicking official domains, such as “trezor.authentication-check.io” or “ledger.setuptransactioncheck.com,” prompting users to enter their recovery phrases.

Once submitted, attackers gain full control of the wallet and can drain all crypto holdings.

The letters even include advice to never share seed phrases online, building false credibility before directing users to malicious sites.

The physical nature of the letters adds perceived legitimacy, exploiting users’ trust in mailed correspondence.

Reports indicate these letters originate in the U.S. and target users whose personal data may have been exposed in prior breaches.

Past Incidents Amplify Risk

Ledger and Trezor have previously warned users about phishing and supply-chain attacks:

  • Ledger 2020 breach: Over 270,000 customer details, including emails, phone numbers, and physical addresses, were leaked.

  • Fake pre-seeded devices & 2021 mail scams: Attackers sent altered Ledger Nano X devices with embedded malware and letters from a fake CEO urging fund migration.

  • 2023 supply-chain attack: Hackers compromised Ledger’s Connect Kit software, affecting Ethereum-based DApps like SushiSwap and Balancer, resulting in over $600,000 in stolen assets.

These incidents show how historical data leaks and prior attacks create opportunities for fraudsters to target hardware wallet users.

Prevention Strategies

To counter this and similar threats, users must adopt robust security practices.

First, verify all communications: legitimate companies like Ledger and Trezor contact you only via official channels and never ask for seed phrases. 

If a letter arrives unexpectedly, cross-check with the company’s support site, Ledger’s phishing status page lists active scams, including this mail variant.

Avoid scanning QR codes or visiting linked sites; instead, manually navigate to official domains.

Store seed phrases offline and never enter them digitally.

Use hardware wallets as intended for cold storage, and enable two-factor authentication where possible.

Monitor for signs of compromise, such as unusual wallet activity, and report suspicious mail to authorities or the wallet providers. 

Communities on platforms like Reddit and X have shared scans of these letters, helping others identify fakes.

For added protection, consider air-gapped setups or multi-signature wallets to distribute risk.

This scam underscores the evolving nature of crypto threats, blending old-school tactics with digital deception.

By staying informed and skeptical, users can safeguard their assets as adoption grows.

Prime Targets

Hardware wallets remain prime targets due to the high value of stored crypto.

The new snail mail phishing campaign is a reminder that even offline communications can be weaponized.

Users must remain vigilant, verify every request, and follow best practices for cold storage to protect their funds from increasingly sophisticated attacks.

Prashant Jha

Prashant Jha is a seasoned crypto journalist based in Delhi, India, with a Bachelor’s Degree in Computer Science Engineering. Passionate about the evolving world of blockchain and cryptocurrencies, he has been a dedicated voice in the industry since 2018. Prashant’s expertise lies in regulatory reporting, where he unravels complex legal and financial developments with clarity and precision. Before joining CCN in 2024, he honed his craft at Cointelegraph, establishing himself as a trusted name in crypto journalism.

His coverage spans major industry events, including the high-profile collapses of FTX, Three Arrows Capital (3AC), and LUNA, offering readers insightful analyses of their regulatory and market implications. Prashant’s technical background enables him to bridge the gap between intricate blockchain technology and its real-world applications, making his work accessible to novices and experts.

Beyond his professional pursuits, Prashant is an avid music enthusiast, often exploring diverse genres to unwind. A sports lover, he has a particular passion for cricket and frequently engages in discussions about the game. His multifaceted interests and sharp journalistic instincts make him a valuable contributor to CCN, where he continues shaping the crypto landscape's narrative.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status