Ledger and Trezor hardware wallet users have started receiving physical letters aimed at stealing their seed recovery phrases in a new wave of attacks targeting those affected by data leaks over the past six years. Cybersecurity expert Dmitry Smilyanets reported receiving a fake letter claiming to be from Trezor on February 13. The letter mandates performing an “Authentication Check” by February 15 and includes a hologram and QR code.
Fake letter sent to Trezor customers. Source: Dmitry SmilyanetsDetails of the Ledger Trezor Fake Letter Attack
The QR code directs users to a fake website resembling Ledger and Trezor setup pages, prompting them to enter their recovery phrases. Once entered, scammers retrieve the information via backend API, take over the wallets, and steal funds. The letter appears to be signed by Trezor CEO Matěj Žák. This social engineering tactic deceives users by creating a sense of urgency.
Technical Mechanism of the Attack and Seed Phrase Risk
The seed recovery phrase is a 12-24 word mnemonic code that derives the wallet’s master private key. The phrase entered on the fake site is captured via JavaScript and sent to the attacker’s server via POST request. The API endpoint validates the phrase and clones the wallet. Although phrases are resistant to brute-force according to the BIP-39 standard, when directly captured via phishing, all funds are at risk. Experts do not recommend MITM attacks with HTTPS imitation.
Ledger Trezor Data Leaks Table
| Company | Date | Leaked Data | Affected Number |
|---|---|---|---|
| Ledger | 2020 | Address information | Thousands |
| Trezor | 2024 | 66 thousand customer communications | 66,000 |
These leaks provided address databases for targeted phishing. Ledger users received similar “Transaction Check” letters in October last year.
Similar Scam Cases and History
- 2021: Fake Nano wallets
- April 2025: QR code letters
- May 2025: Fake Ledger Live apps
Ledger warned users on its website against mail scams in October. Companies never request recovery phrases via email, website, or mail.
Tips for Protecting Crypto Assets Like SEED
SEED owners using Ledger/Trezor should be extra careful. Check SEED detailed analysis, follow futures at SEED futures transactions. Tips: Verify letters, bookmark official sites, add passphrase to hardware wallet, use multi-sig. As of February 17, 2026, the attack continues; do not scan suspicious QR codes.
Source: https://en.coinotag.com/ledger-trezor-fake-letter-seed-phrase-theft
