A phishing campaign targets hardware-wallet users via QR codes and mailed letters that mimic official setup pages from Trezor and Ledger, prompting for recovery phrases which are then sent to attackers.

Impostor letters claim an “Authentication Check” or “Transaction Check” with deadlines (Feb. 15, 2026 for Trezor and Oct. 15, 2025 for Ledger) to pressure users into action.

Experts advise against entering recovery phrases on non-official sites or devices and to verify any communications with official sources.

Users should ignore suspicious letters, independently verify communications, never disclose recovery phrases, and report suspected mail to the relevant platform or security researchers.

Ledger and Trezor have repeatedly warned that legitimate hardware-wallet companies never solicit recovery phrases through any channel—website, email, or mail.

Recommendations include typing known addresses directly into the browser, avoiding QR codes on unsolicited letters, and reporting suspicious mail to wallet providers and cybersecurity authorities.

Security guidance from hardware-wallet providers remains consistent: no legitimate update or check will ever ask for seed phrases via mail, email, or phone, and users should never share recovery phrases.

This tactic is part of a longer pattern of fraud, with past incidents including data breaches, counterfeit devices mailed after breaches, and phishing via fake apps and notices.

Physical-mail phishing campaigns targeting Ledger and other hardware-wallet users are rare but have occurred before, including attempts to modify devices and related scams.

Notable phishing domains include trezor.authentication-check.io and ledger.setuptransactioncheck.com, with at least one domain remaining active during reporting.

The report ties multiple prior incidents together, illustrating a pattern of data breaches enabling broader phishing and physical-letter scams.

Historical cases show offline phishing efforts, such as mailed modified devices in 2021, indicating continued risk from physical-world social engineering.