Snail Mail Phishing Campaign Targets Trezor and Ledger Crypto Wallet Users

Related

KDDI Confirms Zero-Day Exploit Behind Breach Affecting 12 Million People

What happened KDDI has updated its earlier breach disclosure, confirming...

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

What happened Threat actors are exploiting a critical Langflow vulnerability...

Aflac Japan Data Breach Impacts 4.38 Million Customers and Agents

What happened Aflac Life Insurance Japan disclosed a data breach...

Nissan Discloses Employee Data Breach Linked to Oracle Zero-Day Attacks

What happened Nissan disclosed a data breach affecting current and...

Share

What happened

Threat actors have launched a phishing campaign using physical mail to impersonate communications from hardware wallet providers Trezor and Ledger, attempting to steal cryptocurrency recovery phrases. The letters, printed on fake company letterhead, instruct recipients to complete an urgent “Authentication Check” or “Transaction Check” by scanning a QR code and visiting a fraudulent website. 

The phishing pages mimic legitimate wallet setup portals and prompt users to enter their recovery phrase under the pretense of verifying device ownership. Once entered, the recovery phrase is transmitted to attacker-controlled infrastructure, allowing threat actors to import the wallet and steal cryptocurrency funds. 

The targeting source is unclear, though both Trezor and Ledger have experienced past data breaches that exposed customer contact information. 

Who is affected

Customers of Trezor and Ledger hardware wallets who receive and interact with the phishing letters are affected, as submitting recovery phrases allows attackers to gain full control of cryptocurrency wallets.

Why CISOs should care

The campaign demonstrates how attackers are expanding phishing techniques beyond digital channels by using physical mail and trusted brand impersonation to obtain sensitive authentication credentials.

3 practical actions

  • Warn users about recovery phrase security. Ensure users understand recovery phrases must never be entered into websites or shared externally.
  • Monitor for phishing domain access. Detect connections to known fraudulent domains impersonating Trezor or Ledger services.
  • Review exposure from prior data breaches. Assess whether customer contact data may have been exposed and used for targeted phishing campaigns.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.