- Physical letters and QR codes boost scam credibility, bypassing email filters easily.
- Fake security checks using Trezor and Ledger branding lure users to share recovery phrases.
- Attackers gain full wallet control once recovery phrases are entered on cloned setup sites.
Criminal groups have launched a new wave of cryptocurrency scams by sending physical letters to hardware wallet owners. The letters impersonate trusted brands and pressure recipients to act quickly. Instead of email phishing, attackers now rely on printed mail and QR codes.
Consequently, victims may trust the message because it arrives in a formal envelope. Security researchers warn that this tactic increases credibility and lowers suspicion. The campaign primarily targets users of Trezor and Ledger devices.
Fraudulent “Authentication” and “Transaction” Checks
The letters claim users must complete mandatory security checks to avoid losing wallet access. Some notices reference an “Authentication Check,” while others promote a “Transaction Check.”
In addition to setting urgent deadlines, the letters warn of device disruption and restricted functionality. The QR codes direct victims to websites that closely mimic official wallet setup pages.
Investigators identified domains such as trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. Although one phishing domain went offline, others remain active or recently operated. The fake pages request recovery phrases under the pretense of verifying ownership. Moreover, the sites display countdown deadlines to pressure victims into quick action.
Security experts suspect that earlier data breaches may have exposed customer mailing details. Both Trezor and Ledger experienced past leaks involving user contact information. Hence, attackers may rely on those records to personalize letters and target specific households. However, officials have not confirmed the exact source of the mailing lists.
How the Scam Steals Crypto Funds
Once victims land on the phishing page, the site asks for a 12-, 20-, or 24-word recovery phrase. The page claims the phrase enables device synchronization and feature activation. In reality, the attackers capture the phrase through a backend API. Consequently, they gain full control over the wallet and its funds.
Recovery phrases are the master keys to cryptocurrency wallets. Anyone who obtains one can import the wallet onto another device. No hardware wallet company ever requests recovery phrases through websites or mail. Users should only enter recovery phrases directly on the physical device during restoration.
Staying Safe From Postal Phishing
Cybersecurity specialists urge wallet owners to ignore unsolicited letters demanding urgent action. Additionally, users should verify any security notices through official company websites.
Experts recommend bookmarking legitimate domains instead of scanning QR codes. Moreover, individuals should monitor announcements from wallet manufacturers regarding updates or security features.
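The phishing hosts named earlier place the brand name in a subdomain label of an unrelated registered domain, which is why a bookmarked address is safer than a scanned one. As an added example (not from the article or either vendor), this Python check classifies a URL decoded from a QR code against an allowlist; the official domains trezor.io and ledger.com and the constructed sample URLs are assumptions supplied here.

```python
from urllib.parse import urlsplit

# Assumption: the vendors' official registrable domains (not stated in the article).
OFFICIAL = {"trezor": "trezor.io", "ledger": "ledger.com"}

def refang(text):
    """Undo report-style defanging: '[.]' -> '.', 'hxxp' -> 'http'."""
    return text.strip().replace("[.]", ".").replace("hxxp", "http")

def classify(url):
    """Return 'official', 'impersonation', 'unrelated' or 'invalid' for a URL."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url  # bare hostnames, as printed in reports
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    # Official only if the host IS the vendor domain or a subdomain of it.
    for domain in OFFICIAL.values():
        if host == domain or host.endswith("." + domain):
            return "official"
    # A brand name anywhere else in the authority (a subdomain label, or
    # userinfo before '@') is the lookalike pattern the article describes.
    authority = parts.netloc.lower()
    if any(brand in authority for brand in OFFICIAL):
        return "impersonation"
    return "unrelated"

# The first two entries are the domains named in the article; the rest are constructed.
SAMPLES = [
    "trezor.authentication-check[.]io",
    "ledger.setuptransactioncheck[.]com",
    "https://trezor.io/start",
    "https://shop.ledger.com/",
    "https://trezor.io.example.net/",
    "https://ledger.com@example.net/",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):14} {sample}")
```

Substring matching will not catch misspelled or homoglyph brand names, so anything that is not classified as official should be treated as untrusted.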