Menace actors are sending bodily letters pretending to be from Trezor and Ledger, makers of cryptocurrency {hardware} wallets, to trick customers into submitting restoration phrases in crypto theft assaults.
These phishing letters declare recipients should full a compulsory “Authentication Verify” or “Transaction Verify” to keep away from dropping entry to pockets performance, creating a way of urgency to strain victims into scanning QR codes that result in malicious web sites.
Snail mail QR code crypto scams
{Hardware} pockets customers report receiving snail mail letters printed on letterhead that impersonate official communications from Trezor and Ledger safety and compliance groups.
It’s unclear what the focusing on standards are for these letters, however each Trezor and Ledger [2] have suffered knowledge breaches previously couple of years which have uncovered buyer contact info.
A letter impersonating Trezor acquired by cybersecurity professional Dmitry Smilyanets claims that an “Authentication Verify will quickly turn into a compulsory a part of Trezor,” warning customers to finish the method by February 15, 2026, or threat dropping performance on their units.
“To keep away from any disruption to your Trezor Suite entry, please scan the QR code together with your cellular machine and comply with the directions on our web site to allow Authentication Verify by February fifteenth, 2026,” reads the pretend Trezor letter.
“Notice: Whereas you’ll have already acquired the notification in your Trezor machine and enabled Authentication Verify, finishing this course of remains to be required to completely activate the characteristic and guarantee your machine is synchronized with the total performance of Authentication Verify.”
Supply: Smilyanets
The same Ledger-themed letter was shared on X, claiming a “Transaction Verify” would quickly turn into obligatory and warning customers to scan a QR code to allow the characteristic by October 15, 2025, to keep away from disruptions.
Scanning the QR codes leads victims to phishing websites impersonating official Trezor and Ledger setup pages, together with:
- https://trezor.authentication-check[.]io/
- https://ledger.setuptransactioncheck[.]com/
On the time of writing, the Ledger phishing area is offline, whereas the Trezor phishing website stays reside however is now flagged by Cloudflare as a phishing website.
The Trezor phishing web page shows a warning that customers should full an authentication verify by February 15, 2026, stating:
“Full Authentication Verify setup by February 15, 2026 except you bought a Trezor Protected 7, Trezor Protected 5, Trezor Protected 3, or Trezor Protected 1 after November 30, 2025. In that case, it’s already pre-configured, and no motion is required,” reads the phishing website.
Supply: BleepingComputer
Clicking the “Get Began” button results in one other web page that warns customers that failure to finish the authentication course of might end in restricted or blocked entry to Trezor, transaction signing errors, and disruption with future Trezor updates.
These warnings are designed to create additional urgency so victims proceed to the subsequent a part of the setup course of.
If victims proceed, they’re taken to a last phishing web page that asks them to enter their pockets restoration phrase.
The web page permits customers to enter 24-, 20-, or 12-word restoration phrases and claims that this info is required to confirm machine possession and allow the authentication characteristic.
Supply: BleepingComputer
As soon as entered, the restoration phrase is transmitted to the menace actor by means of a backend API endpoint at https://trezor.authentication-check[.]io/black/api/ship.php.
This enables attackers to import the sufferer’s pockets onto their very own units and steal funds from the pockets.
Whereas phishing emails focusing on Trezor and Ledger customers are frequent, bodily mail phishing campaigns stay comparatively uncommon.
In 2021, menace actors mailed modified Ledger units designed to steal restoration phrases throughout setup.
The same postal phishing marketing campaign was additionally reported in April focusing on Ledger customers.
By no means share restoration phrases
{Hardware} pockets restoration phrases, often known as seed phrases, are textual representations of the non-public keys that management entry to cryptocurrency wallets.
Subsequently, anybody who has entry to a pockets’s restoration phrase features full management over the pockets and its funds.
{Hardware} pockets producers similar to Trezor and Ledger won’t ever ask customers to enter, scan, add, or share their restoration phrase.
Restoration phrases ought to be entered straight on the {hardware} pockets machine when restoring a pockets, and by no means on a pc, cellular machine, or web site.
Trendy IT infrastructure strikes quicker than guide workflows can deal with.
On this new Tines information, find out how your group can cut back hidden guide delays, enhance reliability by means of automated response, and construct and scale clever workflows on high of instruments you already use.
