Urgent Warning: Protect Your Trezor and Ledger Accounts from Crypto-Theft Attacks

There has been a recent surge in physical letter phishing attacks targeting users of Trezor and Ledger, two renowned cryptocurrency hardware wallet manufacturers. These threat actors are using deceptive tactics to trick individuals into revealing their recovery phrases, leading to potential crypto theft.

The fraudulent letters claim that recipients must urgently complete an “Authentication Check” or “Transaction Check” to prevent the loss of wallet functionality. This sense of urgency is designed to coerce victims into scanning QR codes that direct them to malicious websites.

Emergence of Snail Mail QR Code Crypto Scams

Users of hardware wallets have reported receiving physical letters that impersonate official communications from the security and compliance teams of Trezor and Ledger. These letters are printed on letterheads to enhance their credibility.

It remains unclear how these letters are targeted, but both Trezor and Ledger have experienced data breaches in recent years that exposed customer contact details.

One such letter impersonating Trezor, as received by cybersecurity expert Dmitry Smilyanets, warns users about the mandatory implementation of an “Authentication Check” by February 15, 2026. The letter instructs users to scan a QR code with their mobile device to enable the feature.

The fake Trezor letter states, “To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026.”

Similarly, a Ledger-themed letter shared online notifies users about a mandatory “Transaction Check” that must be completed by October 15, 2025, to prevent disruptions. Victims who scan the QR codes are directed to phishing sites that mimic official Trezor and Ledger setup pages, including:

• https://trezor.authentication-check[.]io/
• https://ledger.setuptransactioncheck[.]com/

As of now, the Ledger phishing domain is offline, while the Trezor phishing site is flagged by Cloudflare as a phishing site.

The Trezor phishing page urges users to complete the Authentication Check setup by February 15, 2026, with a specific note for users who purchased certain Trezor models after November 30, 2025. The phishing site emphasizes the importance of completing the process to avoid potential disruptions.

Clicking the “Get Started” button on the phishing sites leads users to pages warning about potential consequences of not completing the authentication process, creating a sense of urgency to proceed.

If victims continue, they are directed to a final phishing page where they are asked to enter their wallet recovery phrase. This critical information is then transmitted to the threat actors, enabling them to access and potentially steal funds from the victim’s wallet.

Although phishing emails targeting Trezor and Ledger users are common, physical mail phishing campaigns are relatively rare. In previous instances, threat actors have mailed modified Ledger devices to steal recovery phrases during the setup process.

Protect Your Recovery Phrases

Recovery phrases, also known as seed phrases, are vital for accessing cryptocurrency wallets as they represent the private keys controlling the funds. It is crucial never to share these phrases with anyone as it grants full control over the wallet and its contents.

Both Trezor and Ledger emphasize that they will never request users to disclose their recovery phrases through any means. When restoring a wallet, recovery phrases should only be entered directly on the hardware wallet device, not on any external device or website.