Hardware Wallet Owners Hit With Snail Mail Phishing Campaign

• Crypto hardware wallet users are receiving fake postal letters posing as Trezor and Ledger, using official branding, holograms, and QR codes to redirect victims to phishing sites.
• The scam copies security upgrade notices and deadlines, pushing users to scan codes and “activate” fake checks to avoid wallet access limits.
• Security experts say attackers are using old breach data and expanding beyond email into physical mail, SMS, and spoofed apps to increase success rates.

Crypto hardware wallet owners are now receiving fraudulent letters impersonating Trezor and Ledger, complete with holograms, forged executive signatures, and QR codes engineered to steal their digital assets.

On Friday, cybersecurity expert Dmitry Smilyanets flagged the scam on X, posting a Trezor-branded letter, calling out its unsettling production quality.

The Trezor letter, with a signature attributed to the CEO of its rival Ledger and a U.S. postmark, exposed the scammers sloppiness beneath an otherwise polished façade.

“Stay safe out there, everyone. We‘ll never contact you first. Never share your wallet backup with anyone. Always check the official channels only and double-check everything. Don’t trust. Verify,” Trezor responded to Smilyanets tweet.

According to copies shared online, the fake Trezor-branded letter claims a new “Authentication Check®” feature will soon become mandatory and instructs users to scan a QR code to activate it by a set deadline or risk limited access to wallet software.

A separate Ledger-themed letter circulating since last October used similar language around a mandatory “Transaction Check” and also pushed recipients to scan a QR code.

Scammers are likely drawing on years of documented data breaches at both companies, attacks that exposed email addresses, home addresses, phone numbers, and proof of hardware wallet ownership.

Cybercrime consultant David Sehyeon Baek told Decrypt the move to physical mail is a deliberate psychological escalation, one that exploits instincts built over decades.

“Postal mail hits people differently, especially wallet users, because it feels like the threat has left the internet and entered your real life,” he said. “An email can be dismissed as spam, but a letter with your name and home address basically signals, ‘we can locate you,’ and that triggers a much stronger safety reaction.”

“It also borrows credibility from the postal system—most of us grew up associating mailed notices with banks, government, and utilities, so a clean letterhead and formal tone can feel more official than a random inbox message,” he added.

“Data leaked 10 years ago can still be useful today—how often do people change their mobile numbers or home addresses？ Not so often,” Baek told Decrypt, saying exposed data is “sticky” and lets breach-linked profiles drive targeted scams for years across email, phone, and physical mail.

He added that crypto‘s privacy protections are often overstated, noting that “it’s not truly anonymous, its pseudonymous,” and that once a wallet is tied to a real person, “the whole transaction history becomes very traceable.”

“Hardware wallet providers like Ledger and Trezor have limited ability to stop the phishing flows directly, because the phishing happens outside the device—inside the users browser,” Alex Katz, CEO and founder of cybersecurity firm Kerberus, told Decrypt.

Hardware wallet data breaches

Ledger and Trezor have faced multiple third-party data incidents in recent years, including Ledgers 2020 e-commerce breach exposing over one million emails and thousands of physical addresses and phone numbers, plus a breach at its e-commerce partner reported last month affecting order data.

Trezor also saw user contact data exposed through a 2022 MailChimp insider incident and a later third-party support portal breach affecting roughly 66,000 users, triggering ongoing phishing campaigns.

Crypto users still have to “KYC regularly to use centralized exchanges,” Katz noted, and those databases can be breached, with some incidents disclosed only later, meaning “theres always something leaking somewhere.”

He added that users should assume theyre continuously being targeted. “Attackers will keep combining channels like physical mail, SMS, and spoofed apps because it increases credibility and conversion. Not only in 2026—but going forward in general,” Katz said.

Decrypt has reached out to Trezor and Ledger for comment.