Crypto Hackers Target Users with Fake Trezor and Ledger Letters

Hackers are sending out counterfeit letters impersonating Trezor and Ledger, aiming to steal recovery phrases for cryptocurrency wallets.

• The fraudulent letters include phishing QR codes purportedly from Trezor and Ledger.
• Users are tricked into providing their recovery phrases, granting hackers complete access to their wallets.
• Reputable hardware wallet companies never request users to disclose their seed phrases.

These phishing schemes often state that recipients need to complete an “authentication check” or “transaction check,” adding a deceptive layer of urgency.

A particularly alarming tactic involves emphasizing a fabricated deadline of February 15, 2026, for Trezor users. The fake letters, designed to look official, prompt users to scan a QR code that directs them to a malicious site.

These phishing sites request a 24-, 20-, or 12-word recovery phrase under the guise of device verification.

Any recovery phrase entered is sent to attackers via a backend API, which gives them full control over the user’s wallet and funds.

Both Trezor and Ledger have experienced data breaches in the past, which exposed some customer information.

Urgency Tactics in Phishing Sites

Cybersecurity expert Dmitry Smilyanets recently received a fraudulent Trezor letter, warning that his device would lose functionality if he didn’t complete the authentication process.

The letter urged, “To ensure uninterrupted access to Trezor Suite, please scan the QR code with your mobile device and follow the instructions on our website.”

Phishing sites often display alarming alerts about potential access restrictions and transaction signing errors.

A similar letter with Ledger branding was shared online, falsely claiming that transaction checks would become mandatory.

The phishing page allows users to input their recovery phrases in various formats and misleadingly asserts that this confirms device ownership and enables authentication features.

After the victim submits their recovery phrase, the information is sent to the phishing site, allowing the attacker to import the wallet onto their own device and deplete its funds.

The urgency is heightened by claims that devices purchased after November 30, 2025, will be preconfigured, pressuring earlier purchasers to act swiftly.

Proper Security Practices for Hardware Wallet Users

Email phishing schemes targeting hardware wallet users are relatively uncommon. In 2021, some crypto hackers sent out modified Ledger devices designed to extract recovery phrases during setup. A similar phishing campaign aimed at Ledger users was reported back in April.

Anyone with access to the recovery phrase will have full control over the associated wallet and its funds. Trezor and Ledger will never request users to enter, scan, upload, or share their recovery phrases through any channel.

When restoring a wallet, users should only enter their recovery phrase directly on the hardware device, avoiding computers, mobile devices, or websites.

The exact targeting criteria for these physical letters remains uncertain. However, previous data breaches have exposed customer email addresses and contact information, leaving users vulnerable to potential attacks.