Owners of hardware wallets from Ledger and Trezor are being targeted in a new wave of offline phishing attacks, according to security researchers.
Unlike traditional email or SMS scams, this campaign uses physical mail to reach victims, marking a shift from digital-only attacks to real-world correspondence. The letters impersonate official support teams and attempt to trick users into revealing their recovery seed phrases, which grant full control over crypto funds.
Security firms including SlowMist and Chainalysis have identified the structure of the scam and warned users to remain vigilant.
How the Physical Phishing Scam Works
Researchers have outlined several key stages:
1. Data Sourcing
Fraudsters are believed to use data from historical third-party breaches, including the 2020 Ledger marketing database leak, to obtain physical addresses of wallet owners.
2. The “Official” Letter
Victims receive professionally printed letters featuring authentic-looking Ledger or Trezor logos.
The letters often claim:
- The device is “vulnerable”
- The account has been “restricted”
- Immediate action is required due to “new regulations”
3. The Urgent Call to Action
The letter includes a URL or QR code directing users to a fake “Support Portal.”
4. The Seed Phrase Trap
Once on the fraudulent website, users are prompted to enter their 24-word recovery seed phrase to “authenticate” or “upgrade” their device.
Entering the seed phrase instantly compromises the wallet.
Why This Tactic Is Dangerous
Physical mail carries a level of perceived legitimacy.
By bypassing spam filters, phishing detection tools, and email security systems, scammers are reaching victims directly in their homes. The psychological impact of an official-looking printed document increases the likelihood of trust and compliance.
This represents a strategic evolution in phishing methods.
The Golden Rule of Hardware Wallets
Never, under any circumstances, enter your recovery seed phrase into a computer, phone, or website.
Your seed phrase should only ever be entered directly into your hardware wallet device during a legitimate recovery process.
If any website asks for it, it is a scam.
Critical Safety Checklist
| Feature | Official Support | Scammer Tactics |
| Communication | Official ticket systems or verified email | Physical letters, unsolicited calls, SMS |
| Seed Phrase Request | Never asks for seed phrase | Eventually requests seed phrase |
| Device Replacement | Official RMA process | Sends unsolicited “free” replacement devices |
| Tone | Professional and informational | Fear-based urgency (“Funds will be lost”) |
What to Do If You Receive a Letter
- Do not visit the URL – do not scan QR codes or type the link manually.
- Verify via official apps – open Ledger Live or Trezor Suite. Legitimate security alerts will appear there.
- Report the letter – send a photo to official support channels at support.ledger.com or trezor.io/support.
Hardware wallets remain secure when used correctly. The vulnerability lies not in the device, but in social engineering attempts designed to trick users into surrendering their private keys.
