Trezor and Ledger Users Targeted by Sophisticated Snail Mail Phishing Attacks: Cryptocurrency Wallet Security Alert

Executive Summary

A sophisticated phishing campaign is actively targeting users of Trezor and Ledger cryptocurrency hardware wallets through physical mail, a method rarely seen in the sector. Attackers are sending convincing letters that impersonate official communications from Trezor and Ledger, urging recipients to complete urgent "Authentication Check" or "Transaction Check" procedures by scanning QR codes. These QR codes direct users to phishing websites that closely mimic legitimate wallet setup pages and ultimately request the entry of wallet recovery phrases. If a user submits their recovery phrase, attackers gain full control of the wallet and can steal all funds. The campaign leverages previously leaked customer data from earlier breaches to personalize the attacks, increasing their credibility and effectiveness. Both Trezor and Ledger have issued strong advisories stating they will never request recovery phrases via any channel, especially not through physical mail. The attack is ongoing as of February 2026 and is confirmed by multiple independent, primary sources.

Technical Information

The current phishing campaign represents a significant escalation in attack methodology within the cryptocurrency sector, specifically targeting users of Trezor and Ledger hardware wallets. Unlike traditional digital phishing, this campaign utilizes physical mail to deliver its payload, exploiting the trust users may place in official-looking correspondence.

The attack chain begins with the delivery of a physical letter, printed on what appears to be official Trezor or Ledger letterhead. The letter claims that a mandatory "Authentication Check" (Trezor) or "Transaction Check" (Ledger) is required to maintain wallet functionality. Recipients are pressured to act before a specified deadline—February 15, 2026, for Trezor and October 15, 2025, for Ledger—to avoid losing access to their wallets. This urgency is a classic social engineering tactic designed to override rational decision-making.

The letter instructs users to scan a QR code, which leads to phishing domains such as trezor.authentication-check[.]io and ledger.setuptransactioncheck[.]com. These websites are crafted to closely resemble the legitimate setup or authentication pages of the respective vendors. Upon visiting the site, users are presented with warnings about potential loss of access or functionality if they do not complete the process. The phishing sites then prompt users to enter their wallet recovery phrase, supporting 12-, 20-, or 24-word formats.

Once the recovery phrase is entered, it is transmitted to the attacker via a backend API endpoint, such as https://trezor.authentication-check[.]io/black/api/send.php. With this information, attackers can import the victim's wallet onto their own device, gaining full access to all funds and the ability to transfer assets without restriction.

No malware is deployed in this campaign; the attack is entirely web-based and relies on social engineering and credential harvesting. The infrastructure includes custom phishing websites and backend endpoints for data exfiltration. Technical indicators identified include the phishing domains and the specific API endpoint used for data collection.
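Turning the indicators above into a detection, as an added example that is not part of the advisory: the script scans constructed proxy log lines for hosts that contain a wallet vendor's brand name but are not under the official apex domain (assumed here to be trezor.io and ledger.com), and escalates POST requests to such hosts, since that is the step at which a submitted recovery phrase would leave the network. The log format is assumed, not taken from any real product.

```python
"""Detector for brand-lookalike hosts in web proxy logs (added example).
Assumed, not from the advisory: log format "<ts> <client_ip> <method> <url> <status>"
and trezor.io / ledger.com as the only official apex domains. Sample lines are constructed."""
import re
from urllib.parse import urlsplit

# Brand keyword -> official apex domains; any subdomain of an apex is legitimate.
OFFICIAL = {"trezor": ("trezor.io",), "ledger": ("ledger.com",)}
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

# Constructed sample: a legitimate and a lookalike visit per brand, plus the POST
# with which the phishing page exfiltrates the entered recovery phrase.
SAMPLE_LOG = [
    "2026-02-14T10:01:02Z 10.0.0.5 GET https://trezor.io/learn 200",
    "2026-02-14T10:02:10Z 10.0.0.7 GET https://trezor.authentication-check.io/ 200",
    "2026-02-14T10:03:44Z 10.0.0.7 POST https://trezor.authentication-check.io/black/api/send.php 200",
    "2026-02-14T10:04:00Z 10.0.0.9 GET https://www.ledger.com/phishing-campaigns-status 200",
    "2026-02-14T10:05:13Z 10.0.0.9 GET https://ledger.setuptransactioncheck.com/ 200",
]

def impersonated_brand(host):
    """Return the brand a host impersonates, or None if it is official or unrelated.
    The substring test is deliberately broad ('generalledger.example' would match),
    so treat hits as alerts to triage, not as an automatic blocklist."""
    host = host.lower().rstrip(".")
    for brand, apexes in OFFICIAL.items():
        if brand not in host:
            continue
        if any(host == apex or host.endswith("." + apex) for apex in apexes):
            return None  # a real vendor host that merely contains the brand name
        return brand
    return None

def scan_proxy_log(lines):
    """One finding per request to a lookalike host. POSTs are escalated because
    that is the step at which a submitted recovery phrase leaves the network."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed format
        ts, client, method, url, _status = m.groups()
        host = urlsplit(url).hostname or ""
        brand = impersonated_brand(host)
        if brand is None:
            continue
        findings.append({"time": ts, "client": client, "brand": brand, "method": method,
                         "host": host.replace(".", "[.]"),  # defanged for reports
                         "severity": "critical" if method == "POST" else "high"})
    return findings
```

Feeding the constructed log yields three findings: two for the Trezor lookalike (the POST marked critical) and one for the Ledger lookalike, while the genuine trezor.io and www.ledger.com visits are ignored.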

The campaign leverages previously leaked customer data from earlier breaches involving Trezor and Ledger. This data is used to personalize the letters, increasing their legitimacy and the likelihood of success. The use of physical mail is a notable escalation, as most phishing in the cryptocurrency sector is conducted digitally. Previous incidents in 2021 and April 2025 involved similar postal phishing campaigns, including the mailing of modified hardware devices.

Mapping the attack to the MITRE ATT&CK framework, the following tactics, techniques, and procedures (TTPs) are observed:

Initial Access is achieved through [T1566] Phishing, specifically spearphishing via physical delivery. The lure is the urgent request to complete a security check via a QR code. Credential Access is obtained through [T1110] Brute Force, in this case, credential harvesting via fake web forms. Collection is performed through [T1114] Email Collection, adapted here as the collection of sensitive wallet recovery phrases via web forms. Command and Control is established through [T1071] Application Layer Protocol, with the exfiltration of recovery phrases via web protocols to attacker-controlled endpoints.

Attribution for this campaign remains unconfirmed. However, the use of breached customer data, phishing infrastructure, and the escalation to physical mail are consistent with the tactics of financially motivated cybercriminals targeting the cryptocurrency sector. The campaign is ongoing, and both Trezor and Ledger have issued repeated advisories warning users never to share their recovery phrases under any circumstances.

The impact of this attack is severe. Compromise of a recovery phrase results in total loss of wallet funds, as the recovery phrase is the sole means of controlling access to the wallet. There is no recourse for victims once the phrase is compromised and funds are transferred.

Primary sources for this analysis include BleepingComputer's detailed incident report (https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/) and the official Ledger phishing campaign status page (https://www.ledger.com/phishing-campaigns-status), both of which provide direct evidence and technical artifacts confirming the attack chain and its impact.

Affected Versions & Timeline

The attack targets all users of Trezor and Ledger hardware wallets, regardless of device model or firmware version, as the phishing campaign exploits user behavior rather than technical vulnerabilities in the devices themselves. The campaign leverages customer data from previous breaches, making any user whose information was exposed in those incidents a potential target.

The timeline of relevant events is as follows: In 2021, a physical mail phishing campaign involved the distribution of modified Ledger devices. In April 2025, a similar postal phishing campaign was reported targeting Ledger users. The current wave of snail mail phishing letters was reported by BleepingComputer on February 14, 2026, with deadlines in the fake letters set for October 15, 2025 (Ledger) and February 15, 2026 (Trezor). The campaign is ongoing as of February 2026.

Threat Activity

Threat actors are actively sending physical letters to Trezor and Ledger users, impersonating official communications from the vendors' security and compliance teams. The letters are personalized, likely using data from previous breaches, and employ urgent language to pressure recipients into scanning QR codes. These QR codes direct users to phishing websites that closely mimic legitimate wallet setup pages.

The phishing sites display warnings about potential loss of access or functionality, further increasing the sense of urgency. Users are prompted to enter their wallet recovery phrase, which is then transmitted to the attacker via a backend API endpoint. With the recovery phrase, attackers can import the victim's wallet and steal all funds.

The campaign does not involve malware or technical exploitation of the hardware wallets themselves. Instead, it relies entirely on social engineering and the manipulation of user trust. The use of physical mail is a rare but effective escalation, as it bypasses many of the digital safeguards users may have in place.

Both Trezor and Ledger have issued strong advisories stating they will never request recovery phrases via any channel, especially not through physical mail. Users are urged to remain vigilant and to report any suspicious communications to the vendors and relevant law enforcement agencies.

Mitigation & Workarounds

The following mitigation measures are prioritized by severity:

Critical: Never share your wallet recovery phrase (also known as a seed phrase) with anyone, under any circumstances. Trezor and Ledger will never request your recovery phrase via email, phone, physical mail, or any website. The recovery phrase should only be entered directly on your hardware wallet device when restoring a wallet.

Critical: Do not scan QR codes or visit websites provided in unsolicited physical mail, emails, or messages claiming to be from Trezor or Ledger. Always verify the authenticity of any communication through official vendor channels.

High: If you receive a suspicious letter, email, or phone call claiming to be from Trezor or Ledger, do not respond or provide any information. Report the incident to the vendor's official phishing reporting address and to law enforcement authorities.

High: Regularly review official advisories and phishing campaign updates from Trezor and Ledger. Refer to the official Ledger phishing campaign status page (https://www.ledger.com/phishing-campaigns-status) for the latest information.

Medium: Educate all users and stakeholders about the risks of phishing, especially the new trend of physical mail-based attacks. Ensure that all personnel handling cryptocurrency assets are aware of the correct procedures for wallet recovery and the dangers of sharing recovery phrases.

Medium: Monitor for signs of targeted phishing, including unexpected physical mail, emails, or phone calls requesting sensitive information related to cryptocurrency wallets.

Low: Consider implementing additional verification steps for any communication related to wallet security, such as contacting the vendor directly through official support channels before taking any action.

If you believe you have entered your recovery phrase on a suspicious website or have otherwise been compromised, immediately transfer your funds to a new wallet with a new recovery phrase and contact the vendor for further guidance.

References

BleepingComputer, "Snail mail letters target Trezor and Ledger users in crypto-theft attacks," February 14, 2026. https://www.bleepingcomputer.com/news/security/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks/

Ledger, "Ongoing phishing campaigns," accessed June 2024. https://www.ledger.com/phishing-campaigns-status

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to identify, assess, and monitor risks associated with their external vendors and partners. Our platform supports the detection of emerging threats, including phishing campaigns and supply chain attacks, by providing continuous visibility into third-party security postures and incident exposure. For questions regarding this advisory or to discuss how Rescana can support your organization's risk management efforts, please contact us at ops@rescana.com.
