More than four months after Ledger first flagged the tactic, scammers continue to target wallet owners with fake mail directing recipients to phishing sites.
The company now lists physical mail as the top scam threat users should be aware of, ahead of phone calls, scam NFTs, and fake social media accounts.
Instances of the Ledger QR scam follow the same basic template.
Targets receive a letter in the mail designed to look like official communication. The document invents a bogus reason why hardware wallet users need to visit a website, typically linked via a QR code, which helps obscure the suspicious address.
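Because a QR code hides the destination until it is scanned, the practical defence is to decode it and inspect the URL before opening anything. The following Python helper is an added illustration, not code from the article or from Ledger: it takes the text a QR scanner returns and flags the tricks that make a phishing address look legitimate (a missing or non-web scheme, user credentials placed before an @ to disguise the real host, lookalike subdomains, punycode or non-ASCII hostnames, plain http). The `TRUSTED_DOMAINS` allowlist is an assumption for the example; the `evil.example` hosts in the tests are constructed.

```python
from urllib.parse import urlsplit

# Assumption for this example: only ledger.com and its subdomains count as
# legitimate. A real deployment would take this list from the vendor's own
# published guidance, not from this snippet.
TRUSTED_DOMAINS = {"ledger.com"}


def host_matches(host, trusted):
    """True if host is exactly a trusted domain or a subdomain of one.

    The '.' prefix is what stops 'ledger.com.evil.example' from matching:
    endswith('.ledger.com') is false for that lookalike.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_qr_url(decoded_text, trusted=TRUSTED_DOMAINS):
    """Return (verdict, reason) for the text decoded from a QR code.

    verdict is 'allowlisted' or 'suspicious'; reason explains the decision.
    """
    text = decoded_text.strip()
    try:
        parts = urlsplit(text)
    except ValueError as exc:  # malformed input the parser refuses
        return ("suspicious", f"unparseable URL: {exc}")

    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return ("suspicious", f"non-web scheme or no scheme: {scheme or 'none'}")

    host = parts.hostname  # already lowercased by urlsplit
    if host is None:
        return ("suspicious", "no hostname")

    # 'https://ledger.com@evil.example/' shows 'ledger.com' first but the
    # browser connects to evil.example; anything before @ is userinfo.
    if parts.username is not None or parts.password is not None:
        return ("suspicious", "credentials before @ hide the real host")

    # Homoglyph domains arrive either as raw non-ASCII or as punycode labels.
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return ("suspicious", "non-ASCII hostname (possible homoglyph)")
    if host.startswith("xn--") or ".xn--" in host:
        return ("suspicious", "punycode hostname (possible homoglyph)")

    if not host_matches(host, trusted):
        return ("suspicious", f"host {host} is not in the allowlist")

    if scheme != "https":
        return ("suspicious", "plain http to an allowlisted host")

    return ("allowlisted", f"host {host} matches a trusted domain")


if __name__ == "__main__":
    # Constructed sample payloads, as a QR scanner would return them.
    for sample in (
        "https://support.ledger.com/validate",
        "https://ledger.com@evil.example/validate",
        "https://ledger.com.evil.example/validate",
        "https://xn--ldger-3ve.com/validate",
        "ledger.com/validate",
    ):
        verdict, reason = check_qr_url(sample)
        print(f"{verdict:12} {sample}  ({reason})")
```

The check is a triage aid, not proof of legitimacy: a URL that passes still deserves the same scepticism as any unsolicited request, and the safest response to a letter like the ones described here is to reach the vendor through an address you already know rather than one printed on the mail.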
Several variations on the theme have been observed. One of the first letters that surfaced in April states that “a critical security update requires your immediate attention.”
A month later, Ledger shared an example that said users must “validate” their wallet by scanning the QR code.
In a bid to unsettle victims, Ledger scam letters attempt to create a sense of urgency.
“Failure to complete this mandatory validation process may result in restricted access to your wallet,” one warns.
Another, which a recipient shared online recently, states: “To avoid any disruption to your Ledger Live access, please scan the QR code.”
Like other phishing schemes that target Ledger users via email, phone call, or malicious web links, the end goal of physical mail scams is to capture victims’ seed phrases.
These recovery phrases are unique mnemonics that hardware wallets derive from blockchain private keys. Ledger recommends wallet users keep a physical, offline copy of their seed phrase somewhere safe in case their physical device is lost or damaged.
Addressing the threat of scam letters, Ledger stresses that “there is no good reason to type your phrase into a computer.”
“Anyone that has your recovery phrase has full access to any account that has been created using it,” the company warns.