What happened
Threat actors have launched a phishing campaign using physical mail to impersonate communications from hardware wallet providers Trezor and Ledger, attempting to steal cryptocurrency recovery phrases. The letters, printed on fake company letterhead, instruct recipients to complete an urgent “Authentication Check” or “Transaction Check” by scanning a QR code and visiting a fraudulent website.
The phishing pages mimic legitimate wallet setup portals and prompt users to enter their recovery phrase under the pretense of verifying device ownership. Once entered, the recovery phrase is transmitted to attacker-controlled infrastructure, allowing threat actors to import the wallet and steal cryptocurrency funds.
How the recipients were selected is unclear, though both Trezor and Ledger have suffered data breaches in the past that exposed customer contact information, including mailing addresses.
Who is affected
Customers of Trezor and Ledger hardware wallets who receive and interact with the phishing letters are affected, as submitting recovery phrases allows attackers to gain full control of cryptocurrency wallets.
Why CISOs should care
The campaign demonstrates how attackers are extending phishing beyond digital channels: physical mail combined with trusted brand impersonation is used to obtain wallet recovery phrases, which grant full and irreversible control of the funds they protect.
3 practical actions
- Warn users about recovery phrase security. Ensure users understand recovery phrases must never be entered into websites or shared externally.
- Monitor for phishing domain access. Detect connections to known fraudulent domains impersonating Trezor or Ledger services.
- Review exposure from prior data breaches. Assess whether customer contact data may have been exposed and used for targeted phishing campaigns.
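The second action, detecting connections to lookalike domains that impersonate Trezor or Ledger, can be implemented as a simple check over web proxy or DNS logs. The following is an added example written for this page, not code from the advisory or from either vendor. It assumes a constructed proxy log format of "timestamp client_ip host path", and it assumes the vendors' primary domains (trezor.io and ledger.com) as the only legitimate hosts; the fraudulent hostnames in the sample log are constructed and are not real indicators.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Brand strings the lookalike check watches for (taken from the advisory).
WATCHED_BRANDS = ("trezor", "ledger")

# Assumption: the vendors' primary web domains. Extend this allowlist with any
# other vendor-owned domains your organisation has verified.
LEGIT_DOMAINS = {"trezor.io", "ledger.com"}

# Common digit/symbol substitutions normalised before matching (trez0r -> trezor).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l"})

# Constructed proxy log format: "<timestamp> <client_ip> <host> <path>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")

# Constructed sample log lines; the ".example" hosts are placeholders, not real IoCs.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.12 trezor.io /start",
    "2024-01-01T10:00:05Z 10.0.0.12 www.trezor.io /",
    "2024-01-01T10:01:10Z 10.0.0.33 trez0r-verify.example /authentication-check",
    "2024-01-01T10:02:00Z 10.0.0.33 ledger.com /start",
    "2024-01-01T10:02:30Z 10.0.0.41 ledger-transaction-check.example /verify",
    "2024-01-01T10:03:00Z 10.0.0.41 news.example /crypto",
]


@dataclass(frozen=True)
class Finding:
    ts: str
    client_ip: str
    host: str
    reason: str


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname. Sufficient for .io/.com;
    multi-part public suffixes such as co.uk would need a suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_host(host: str) -> Optional[str]:
    """Return a reason string if the host looks like a wallet-vendor lookalike,
    or None if it belongs to an allowlisted domain or is unrelated."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return None
    # Match against the full hostname so "trezor.io.example" is still caught.
    normalised = host.lower().translate(HOMOGLYPHS).replace("-", "")
    for brand in WATCHED_BRANDS:
        if brand in normalised:
            return f"lookalike of {brand}: {host}"
    return None


def scan_proxy_log(lines: Iterable[str]) -> List[Finding]:
    """Parse proxy log lines and return one Finding per lookalike-domain hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        reason = classify_host(m["host"])
        if reason:
            findings.append(Finding(m["ts"], m["ip"], m["host"], reason))
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client_ip} -> {f.reason}")
```

The check flags any host that carries a brand string after homoglyph normalisation unless its registrable domain is on the allowlist, so it catches both digit-substitution lookalikes and brand names buried in a longer domain. Because "ledger" is an ordinary English word, expect false positives from unrelated sites and tune the allowlist, or restrict the rule to newly seen domains, before alerting on it.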
