
A new scam campaign is targeting users of Ledger and Trezor hardware wallets with paper letters sent to their homes. The letters entice recipients to scan a QR code that opens a fake site built to steal the recovery phrase, giving the scammer full control of the crypto assets.
The tactic exploits the “urgency” mentality with deadlines and mandatory checks. Users need to understand: entering the recovery phrase in the wrong place just once can lead to all cryptocurrency in the wallet being withdrawn.
MAIN CONTENT
The scammer sent a fake paper letter pretending to be from Ledger/Trezor, requesting a “mandatory check” and directing the user to scan a QR code.
The QR code leads to a phishing website, aimed at collecting the recovery phrase to take control of the wallet and withdraw funds.
Ledger/Trezor never asks for the recovery phrase; this phrase should only be entered directly on the hardware wallet device.
Ledger and Trezor users are being attacked with paper letters containing fake QR codes.
Scammers send physical letters to users' homes, impersonating the “security/compliance” team of Ledger or Trezor and requesting to scan a QR code for verification, ultimately aiming to trick victims into providing their recovery phrase.
These letters are printed on letterhead that looks like official notifications. The content usually states that users must complete “verification” or “transaction checks” to avoid losing some functions or access to the wallet management application.
The danger is that paper letters feel “more trustworthy” than spam emails. The scammer writes the scenario in the style of an internal procedure, using terms like “Authentication Check” and “transaction check” to appear legitimate and prompt immediate action from the recipient.
It is unclear how they select victims, but both companies have faced data leak incidents. Past information leaks may give bad actors more data with which to send letters to the right addresses and target the right user group.
The scam letter imposes a deadline of 15/02 to create psychological pressure.
The scam letter sets a deadline of 15/02 and warns of losing functionality if not completed, aiming to create time pressure for victims to scan the QR code and follow instructions without enough time to verify authenticity.
According to the content of the letter sent to Trezor users, the scammer claims that “verification checks” will become mandatory and requests completion before 15/02 to avoid losing some functions, while also citing the need for “full synchronization” with Trezor Suite.
A similar letter targeting Ledger users has also been shared on platform X, describing a “mandatory transaction check” with the same deadline. The common motif is to present an ambiguous but scary “penalty,” triggering an immediate response.
For example, a screenshot of the Trezor letter cited in the article was shared on X. It helps users recognize the presentation style and tone of voice commonly seen in the campaign.
Scanning the QR code will lead to a phishing website impersonating the Ledger/Trezor domain.
The QR code in the letter leads victims to fake websites that mimic the Ledger/Trezor interface and display a “mandatory” warning to lure users into entering their recovery phrase, which is then sent to the scammer's server.
Reports indicate that the phishing page targeting Ledger has gone offline, while the page targeting Trezor was still active and has been flagged as a scam by browsers/security providers. Warnings from Chrome often state that the attacker may trick you into installing software or disclosing sensitive information.
Before being flagged, this fake page displayed a message requiring completion of the “authorization check” before 15/02 for “safety.” It also made exceptions for certain wallet models, claiming they were “pre-configured” to make the content appear more detailed and trustworthy, although the goal remained to lead users to the seed phrase entry step.
The landing page often has buttons like “Get Started” to push users into the next flow, along with a warning of “verification failure” if not completed. This is a technique to gradually increase urgency, causing victims to overlook unusual signs.
The fake page requests that you enter the recovery phrase and sends data to the scammer via API.
When the victim enters the recovery phrase on the fake page, this phrase will be sent to the scammer (often through an API in the background), allowing them to recover the wallet on another device and withdraw all cryptocurrency.
The process is often disguised as “device ownership verification” or “feature activation.” But technically, the recovery phrase is the “key” to recreate the private key, so anyone with this phrase can gain control of the wallet.
After obtaining the seed phrase, the bad actor does not need your physical device. They can enter the phrase into another software/hardware wallet, sign transactions, and transfer assets to an address they control. Since blockchain transactions are hard to reverse, the chances of recovery are often very low.
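Why the phrase alone is enough, shown as an added example that is not part of the original article: the sketch follows the public BIP39 and BIP32 derivation, assuming the wallet uses a standard BIP39 phrase with no extra passphrase. The phrases are public BIP39 test vectors used as constructed sample input, and the function names are hypothetical.

```python
import hashlib
import hmac
import unicodedata

# Public BIP39 test-vector phrases (constructed sample input, not real wallets).
LEAKED_PHRASE = "abandon " * 11 + "about"
NEW_PHRASE = "legal winner thank year wave sausage worth useful legal winner thank yellow"


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: seed = PBKDF2-HMAC-SHA512(phrase, "mnemonic" + passphrase, 2048 rounds).

    No device serial, PIN or vendor secret is an input. Wordlist and checksum
    validation are omitted here; they do not change the derived seed.
    """
    phrase = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", phrase.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple:
    """BIP32: split HMAC-SHA512("Bitcoin seed", seed) into master key and chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_root(mnemonic: str) -> str:
    """Hex of master key + chain code: the root every account key is derived from."""
    key, chain = bip32_master(bip39_seed(mnemonic))
    return (key + chain).hex()


if __name__ == "__main__":
    owner = wallet_root(LEAKED_PHRASE)          # derived on the owner's device
    elsewhere = wallet_root(LEAKED_PHRASE)      # derived anywhere the phrase was typed
    print("same root on both:", owner == elsewhere)
    print("new phrase, new root:", wallet_root(NEW_PHRASE) != owner)
```

Because the derivation is deterministic and takes only the phrase as input, an exposed phrase cannot be "revoked"; only a wallet created from a new phrase has keys the old phrase does not yield.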
Safety principle: Ledger and Trezor never ask for the recovery phrase.
Ledger and Trezor never ask users to provide their recovery phrase; the recovery phrase should only be entered directly on the hardware wallet device, not on websites, QR codes, emails, or forms.
The recovery phrase is a way for users to back up access to their wallet. It represents control over the private key, so sharing this phrase means giving away the entire wallet to someone else.
If you receive a letter/email/call requesting your seed phrase, consider it a scam. Additionally, be wary of urgent deadline messages, requests for “mandatory checks,” or instructions to scan QR codes to “synchronize” the wallet.
Minimum safety practices: do not scan QR codes from unverified sources, type the website address from official sources, and only perform confirmation/recovery directly on the hardware wallet device screen. If you have entered the seed phrase, consider that wallet compromised and transfer assets to a new wallet with a new seed phrase as soon as possible.
Frequently Asked Questions
Is the paper letter requesting to scan a QR code to “verify the wallet” a genuine notification from Ledger/Trezor?
No. This is a typical sign of a scam: a fake letter, creating a sense of urgency and leading you to scan a QR code to a fake website to obtain the recovery phrase.
Why can losing the recovery phrase mean losing all cryptocurrency?
The recovery phrase can be used to recover the wallet elsewhere and take control of the private key. Anyone who possesses this phrase can sign transactions and transfer assets without your device.
If you have scanned the QR code and entered the recovery phrase, what should you do immediately?
Consider the old wallet compromised. Create a new wallet with a new recovery phrase on a trusted device, then transfer all assets to the new wallet address as soon as possible.
How to identify a phishing website impersonating Ledger/Trezor?
These pages often require you to enter the seed phrase, impose deadlines, warn of lost functionality, and use a “Get Started” button to pressure you to continue. Ledger and Trezor do not require the seed phrase on their websites.

