Snail Mail Letters Target Trezor and Ledger Users in Crypto-Theft Attacks

BleepingComputer • February 14, 2026

Companies Mentioned

  • Trezor
  • Ledger
  • Cloudflare (NET)
  • X (formerly Twitter)
Why It Matters

The scheme threatens billions in crypto assets by compromising the only credential that controls wallet funds, highlighting a new vector that bypasses traditional email filters and exploits user trust in brand‑authentic communications.

Key Takeaways

  • Physical letters impersonate Trezor and Ledger to harvest recovery phrases
  • QR codes lead to fake setup sites impersonating Trezor/Ledger
  • Attack exploits past data breaches exposing customer contact info
  • Phishing page collects 12‑, 20‑, 24‑word seed phrases
  • Trezor and Ledger never ask for recovery phrases through mail

Pulse Analysis

The recent wave of snail‑mail phishing targeting Trezor and Ledger users marks a notable escalation in crypto‑theft tactics. While email‑based lures dominate the threat landscape, attackers are now leveraging printed letters on authentic‑looking letterhead to bypass digital filters and exploit the trust users place in official brand communications. Both manufacturers have suffered data breaches that leaked contact details, providing a ready list of potential victims. This physical approach revives an older modus operandi—postal scams seen in 2021—but adds modern urgency through QR codes and fake deadlines.

The letters instruct recipients to scan a QR code that resolves to domains such as trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com, both crafted to resemble legitimate setup pages. Once on the counterfeit site, victims encounter warnings about “Authentication Check” or “Transaction Check” becoming mandatory, creating pressure to enter their 12‑, 20‑, or 24‑word recovery phrase. The captured seed phrase is then transmitted to a backend API, allowing thieves to import the wallet and drain funds. By mimicking official branding and imposing tight deadlines, the campaign exploits both fear of loss and the habit of quick QR scans.

Users can mitigate the risk by remembering that Trezor and Ledger never request recovery phrases via email, SMS, or physical mail, and any legitimate firmware update is delivered through the device itself. Verifying URLs, using bookmarks, and checking SSL certificates are essential before entering seed data. Manufacturers have responded by flagging the phishing domains with Cloudflare and issuing public advisories, but the onus remains on users to adopt a zero‑trust stance toward unsolicited communications. As crypto adoption grows, we can expect more hybrid phishing campaigns that blend offline outreach with digital lures, underscoring the need for continuous security awareness.

Snail mail letters target Trezor and Ledger users in crypto-theft attacks

February 13, 2026

Threat actors are sending physical letters pretending to be from Trezor and Ledger, makers of cryptocurrency hardware wallets, to trick users into submitting recovery phrases in crypto theft attacks.

These phishing letters claim recipients must complete a mandatory “Authentication Check” or “Transaction Check” to avoid losing access to wallet functionality, creating a sense of urgency to pressure victims into scanning QR codes that lead to malicious websites.

Snail‑mail QR‑code crypto scams

Hardware‑wallet users report receiving snail‑mail letters printed on letterhead that impersonate official communications from Trezor and Ledger security and compliance teams.

It is unclear what the targeting criteria are for these letters, but both Trezor and Ledger have suffered data breaches in the past couple of years that have exposed customer contact information.

A letter impersonating Trezor received by cybersecurity expert Dmitry Smilyanets claims that an “Authentication Check will soon become a mandatory part of Trezor,” warning users to complete the process by February 15, 2026, or risk losing functionality on their devices.

“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026,” reads the fake Trezor letter.

“Note: While you may have already received the notification on your Trezor device and enabled Authentication Check, completing this process is still required to fully activate the feature and ensure your device is synchronized with the full functionality of Authentication Check.”

Physical phishing letter sent to Trezor users – Source: Smilyanets

A similar Ledger‑themed letter was shared on X, claiming a “Transaction Check” would soon become mandatory and warning users to scan a QR code to enable the feature by October 15, 2025, to avoid disruptions.

Scanning the QR codes leads victims to phishing sites impersonating official Trezor and Ledger setup pages, including:

  • https://trezor.authentication-check[.]io/

  • https://ledger.setuptransactioncheck[.]com/

At the time of writing, the Ledger phishing domain is offline, while the Trezor phishing site remains live but is now flagged by Cloudflare as a phishing site.
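Both phishing URLs above place the brand name in a subdomain of an unrelated registered domain. As an added example (not part of the original article), here is a host check that a QR-scanner wrapper, proxy rule or mail-triage script could apply; it assumes trezor.io and ledger.com are the vendors' official domains, and every sample URL other than the two from the article is constructed.

```python
from urllib.parse import urlsplit

# Assumption: the vendors' official registered domains (not stated in the article).
OFFICIAL = {"trezor": "trezor.io", "ledger": "ledger.com"}

def refang(url):
    """Undo common IoC defanging ([.] and hxxp) so the URL can be parsed."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url if "://" in url else "//" + url  # scheme-less input: host only

def classify(url):
    """Return 'official', 'not-https', 'lookalike' or 'other'."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".")  # lowercased, no port or userinfo
    netloc = parts.netloc.lower()              # still includes any userinfo
    # Match on the dot boundary so "nottrezor.io" is not treated as official.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL.values()):
        return "official" if parts.scheme == "https" else "not-https"
    # Brand as a subdomain label, inside a label, or as fake userinfo.
    if any(brand in netloc for brand in OFFICIAL):
        return "lookalike"
    return "other"

# The first two entries are the defanged URLs from the article;
# the rest are constructed to exercise the edge cases.
SAMPLES = [
    "https://trezor.authentication-check[.]io/",
    "https://ledger.setuptransactioncheck[.]com/",
    "https://trezor.io/start",
    "http://ledger.com/",
    "https://trezor.io@login.example/",
    "https://trezor.io.verify.example/",
    "https://nottrezor.io/",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):10} {u}")
```

A "lookalike" verdict means the brand string appears in a host the vendor does not own; an "official" verdict only confirms the host, not that the page is safe to enter a recovery phrase on.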

The Trezor phishing page displays a warning that users must complete an authentication check by February 15, 2026, stating:

“Complete Authentication Check setup by February 15, 2026 unless you purchased a Trezor Safe 7, Trezor Safe 5, Trezor Safe 3, or Trezor Safe 1 after November 30, 2025. In that case, it is already pre‑configured, and no action is needed,” reads the phishing site.

“Authentication Check” landing page – Source: BleepingComputer

Clicking the “Get Started” button leads to another page that warns users that failure to complete the authentication process may result in limited or blocked access to Trezor, transaction‑signing errors, and disruption with future Trezor updates. These warnings are designed to create further urgency so victims continue to the next part of the setup process.

If victims proceed, they are taken to a final phishing page that asks them to enter their wallet recovery phrase. The page allows users to enter 24‑, 20‑, or 12‑word recovery phrases and claims that this information is required to verify device ownership and enable the authentication feature.

Phishing site attempting to steal recovery phrase – Source: BleepingComputer

Once entered, the recovery phrase is transmitted to the threat actor through a backend API endpoint at https://trezor.authentication-check[.]io/black/api/send.php. This allows attackers to import the victim’s wallet onto their own devices and steal funds from the wallet.

While phishing emails targeting Trezor and Ledger users are common, physical‑mail phishing campaigns remain relatively rare. In 2021, threat actors mailed modified Ledger devices designed to steal recovery phrases during setup. A similar postal phishing campaign was also reported in April targeting Ledger users.

Never share recovery phrases

Hardware‑wallet recovery phrases (seed phrases) are textual representations of the private keys that control access to cryptocurrency wallets. Anyone who has access to a wallet’s recovery phrase gains full control over the wallet and its funds.

Hardware‑wallet manufacturers such as Trezor and Ledger will never ask users to enter, scan, upload, or share their recovery phrase. Recovery phrases should be entered directly on the hardware‑wallet device when restoring a wallet, and never on a computer, mobile device, or website.
