Now that's old school — hackers are turning to snail mail to carry out crypto thefts
Old-school paper and envelopes become a new danger for crypto users
- Physical letters are replacing emails to deliver hardware wallet phishing campaigns
- QR codes in envelopes direct victims to fake credential harvesting websites
- Trezor and Ledger owners receive urgent notices demanding authentication checks
Experts have warned physical letters are being used in cryptocurrency theft campaigns which rely on QR codes and urgent warnings to trick hardware wallet owners.
The approach replaces email with printed mail, yet the underlying technique remains traditional phishing, according to cybersecurity expert Dmitry Smilyanets, who detailed receiving one such letter.
Instead of malicious attachments, victims receive envelopes that appear to come from security teams linked to hardware wallet brands.
QR codes lead to credential harvesting sites
The letters claim that an Authentication Check or Transaction Check will soon become mandatory for continued wallet access, and instruct users to scan a QR code to avoid disruption, with deadlines stretching into early 2026.
Once scanned, the codes direct users to malicious websites that imitate official setup pages associated with Trezor and Ledger devices.
One domain tied to the Ledger theme has already gone offline, while a Trezor-themed domain remains accessible but flagged by Cloudflare as phishing infrastructure.
The fraudulent site instructs visitors to complete an authentication process before a stated deadline, warning that failure could restrict wallet access or interfere with transaction signing.
If individuals proceed, they are asked to enter their wallet recovery phrase under the claim that ownership verification is required.
The page accepts 12-, 20-, or 24-word phrases and forwards that information through a backend API endpoint controlled by the attackers.
With that data, threat actors can import the wallet and transfer funds without further interaction.
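The submission step described above is also a place where a defender can catch the theft: a web proxy or browser-side filter can flag any outbound request body that carries a recovery-phrase-shaped value. The sketch below is an added example, not code from the article or from any wallet vendor; it is a heuristic, and the function names, the 3-8 letter word shape and the sample words are assumptions made for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

PHRASE_LENGTHS = {12, 20, 24}        # phrase lengths the article says the page accepts
WORD = re.compile(r"[a-z]{3,8}")     # assumption: wallet wordlist entries are 3-8 lowercase letters

def _strings(obj):
    """Yield every string leaf of a decoded JSON value."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings(value)

def field_values(body, content_type):
    """Return the submitted values of a JSON or form-encoded request body."""
    if "json" in content_type.lower():
        try:
            return list(_strings(json.loads(body)))
        except ValueError:
            return []
    return [value for _, value in parse_qsl(body)]

def looks_like_recovery_phrase(body, content_type):
    """Heuristic: True if the body carries 12, 20 or 24 wordlist-shaped words."""
    values = [v.strip().lower() for v in field_values(body, content_type)]
    # Case 1: the whole phrase typed into a single field.
    for value in values:
        words = value.split()
        if len(words) in PHRASE_LENGTHS and all(WORD.fullmatch(w) for w in words):
            return True
    # Case 2: one input box per word (word1=..., word2=..., ...).
    single_words = [v for v in values if WORD.fullmatch(v)]
    return len(single_words) in PHRASE_LENGTHS

# Constructed sample (placeholder words, not a real recovery phrase).
SAMPLE_WORDS = ("alpha bravo charlie delta echo foxtrot golf hotel "
                "india juliet kilo lima").split()

if __name__ == "__main__":
    one_field = json.dumps({"phrase": " ".join(SAMPLE_WORDS)})
    per_word = "&".join(f"word{i}={w}" for i, w in enumerate(SAMPLE_WORDS, 1))
    print(looks_like_recovery_phrase(one_field, "application/json"))
    print(looks_like_recovery_phrase(per_word, "application/x-www-form-urlencoded"))
    print(looks_like_recovery_phrase("user=alice&password=hunter2", "application/x-www-form-urlencoded"))
```

Because the match is on shape alone, an ordinary 12-word lowercase sentence can trigger it; checking each word against the wallet's published wordlist would tighten the rule.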
It remains unclear how recipients were selected, though previous data breaches involving hardware wallet vendors exposed customer contact details, raising questions about whether leaked mailing addresses are being reused for physical phishing campaigns.
Hardware wallet recovery phrases function as the textual form of private keys controlling access to cryptocurrency funds.
Anyone who obtains that phrase gains complete control over the associated wallet.
Manufacturers state that recovery phrases should only be entered directly on the hardware device during restoration and never on a website or mobile browser.
Security vendors note that technical safeguards such as firewall software can prevent many unauthorized network connections.
Strong endpoint protection remains crucial for detecting and blocking suspicious activity on individual devices.
Users should also maintain updated malware removal tools to ensure that malicious software does not compromise wallets when interacting with any links or downloads.
The shift to snail mail does not introduce new technical methods, but it shows that attackers continue adapting delivery mechanisms when digital channels become saturated.
The novelty lies in the envelope, not the exploitation technique — and that distinction may be enough to lower skepticism among recipients.
Via BleepingComputer

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.