Recent reports indicate that users of Ledger and Trezor hardware wallets are being targeted in an alarming new phishing campaign. Criminals have shifted strategies from online tactics to sending physical letters to users' homes, impersonating official communications from these wallet providers.
These fraudulent letters aim to deceive recipients into revealing their wallet recovery phrases, which are critical for accessing their cryptocurrency. The letters falsely claim that users must complete mandatory checks to avoid losing wallet functionalities. This tactic creates a sense of urgency, compelling victims to scan QR codes that direct them to malicious websites.
Users have reported receiving these letters printed on official-looking letterhead that mimics the branding of both Ledger and Trezor. The exact method of targeting remains unclear, yet both companies have faced data breaches in the past, compromising user information. The most recent incident involved a data theft at Ledger last month.
One letter, analyzed by cybersecurity expert Dmitry Smilyanets, warned Trezor users that authentication checks would become compulsory, urging them to complete the process by February 15 to avoid losing device functions. It insisted that users scan the provided QR code to maintain access to the Trezor Suite.
In a similar vein, a letter directed at Ledger users claimed they needed to undergo a mandatory transaction check by the same deadline. Reports confirm that these QR codes lead users to phishing sites designed to mimic the official domains of Trezor and Ledger. The phishing site for Ledger is currently offline, while the Trezor site remains active but has been flagged as malicious.
The Trezor phishing site previously displayed warnings stating that users needed to complete the authorization check by the deadline to ensure their safety. However, it also indicated that users of specific Trezor models, including the Trezor Safe 7 and Trezor Safe 3, would not need to undergo these checks as their devices were already configured.
As the landing page tried to instill urgency, it prompted victims to proceed to the next step, which required them to enter their recovery phrases. The scammers claimed this was necessary to authenticate ownership of the device. However, entering this sensitive information allows scammers to seize full control of the wallets and the assets contained within.
Both Trezor and Ledger have consistently warned their users against sharing recovery phrases, emphasizing that they would never ask for such information under any circumstances. Recovery phrases should only be entered directly on the hardware devices themselves.