Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases

Physical phishing represents a new frontier in crypto fraud, as attackers move beyond email and social media to exploit the trust associated with official correspondence. By crafting letters that mimic Ledger’s branding and inserting a QR code that leads to a replica recovery‑phrase portal, criminals combine social engineering with a tangible delivery method. The use of localized language—such as the Italian version seen in recent reports—suggests they have harvested customer data, possibly from the January 2026 Global‑e breach, allowing them to target users with precise, region‑specific details.

The mechanics of the scam are straightforward yet devastating: victims scan the QR code, land on a phishing site, and are prompted to enter their 24‑word seed phrase. Once entered, the phrase grants full control over the wallet, enabling immediate draining of assets. This underscores a core principle of hardware‑wallet security: the recovery phrase must never be disclosed, regardless of how authentic a request appears. The "Quantum Resistance" narrative adds a layer of urgency, preying on users’ concerns about future quantum‑computing threats, while the faux CTO signature lends false credibility.

Ledger’s public advisory and the broader industry response emphasize education and data hygiene. Users should treat any unsolicited request for a seed phrase—whether digital or physical—as fraudulent, and should verify communications through official channels only. Companies must tighten data handling practices with partners to prevent leaks that fuel such campaigns. As physical phishing gains traction, its impact could erode confidence in crypto custodial solutions, making proactive security awareness essential for both investors and service providers.