- Physical letters replace emails to launch phishing campaigns on hardware wallets
- QR codes in envelopes direct victims to fake credential collection websites
- Trezor and Ledger owners receive urgent notices demanding authentication checks
Experts have warned that physical letters are being used in cryptocurrency theft campaigns that rely on QR codes and urgent warnings to fool hardware wallet owners.
The approach replaces email with printed mail, but the underlying technique remains traditional phishing, according to cybersecurity expert Dmitry Smilyanets, who detailed receiving one of these letters.
Instead of malicious attachments, victims receive envelopes that appear to come from security teams linked to hardware wallet brands.
QR codes lead to credential collection sites
The letters claim that an authentication check or transaction check will soon become mandatory for continued access to the wallet, and they instruct users to scan a QR code to avoid disruption, with deadlines extending into early 2026.
Once analyzed, the codes direct users to malicious websites that mimic official setup pages associated with Trezor and Ledger devices.
A Ledger-themed domain is already offline, while a Trezor-themed domain remains accessible but flagged by Cloudflare as phishing infrastructure.
The fraudulent site asks visitors to complete an authentication process by a specified deadline, warning that failure could restrict wallet access or interfere with signing transactions.
If individuals continue, they are asked to enter their wallet recovery phrase under the assertion that ownership verification is required.
The page accepts phrases of 12, 20, or 24 words and passes this information through a backend API endpoint controlled by the attackers.
Using this data, malicious actors can import the wallet and transfer funds without further interaction.
It remains unclear exactly how recipients were selected, although previous data breaches involving hardware wallet providers have exposed customer contact details, raising questions about whether leaked postal addresses are reused for physical phishing campaigns.
Hardware wallet recovery phrases function as a textual form of private keys controlling access to cryptocurrency funds.
Anyone who gets this phrase gets full control over the associated wallet.
Manufacturers state that recovery phrases should only be entered directly on the hardware device during restoration and never on a website or mobile browser.
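The report notes that the phishing page accepts 12, 20, or 24 words and forwards them to a backend API, so a filtering proxy or browser extension can flag outbound request bodies that carry text of that shape. The Python below is an added example, not code from the report or from any wallet vendor; the function names, the sample phrase and the 3-8 letter word rule are assumptions made for illustration.

```python
import json
import re
from urllib.parse import parse_qsl

PHRASE_LENGTHS = {12, 20, 24}        # word counts the phishing page accepts (from the article)
WORD_RE = re.compile(r"[a-z]{3,8}")  # assumption: mnemonic words are 3-8 lowercase ASCII letters
NUMBERING_RE = re.compile(r"\b\d{1,2}[.)]\s*")  # pasted list numbering such as "1." or "12)"

# Constructed sample phrase: arbitrary words, not a real wallet mnemonic.
SAMPLE_PHRASE = "lamp river stone cloud apple tiger mango pilot ocean brick candy zebra"


def looks_like_recovery_phrase(value):
    """Shape heuristic only; a wordlist lookup would cut false positives."""
    words = NUMBERING_RE.sub(" ", value.lower()).replace(",", " ").split()
    return len(words) in PHRASE_LENGTHS and all(WORD_RE.fullmatch(w) for w in words)


def iter_strings(node, path=""):
    """Yield (path, text) for every string in decoded JSON, joining word arrays."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, child in node.items():
            yield from iter_strings(child, f"{path}.{key}" if path else str(key))
    elif isinstance(node, list):
        if node and all(isinstance(item, str) for item in node):
            yield path, " ".join(node)  # phrase sent as one word per element
        for index, child in enumerate(node):
            yield from iter_strings(child, f"{path}[{index}]")


def flag_request_body(body, content_type):
    """Return field paths in an outbound request body that hold a phrase-shaped value."""
    if "json" in content_type:
        try:
            fields = list(iter_strings(json.loads(body)))
        except json.JSONDecodeError:
            fields = [("", body)]  # malformed JSON: fall back to the raw text
    elif "x-www-form-urlencoded" in content_type:
        fields = parse_qsl(body, keep_blank_values=True)
    else:
        fields = [("", body)]
    return [path for path, value in fields if looks_like_recovery_phrase(value)]


if __name__ == "__main__":
    body = json.dumps({"step": "verify", "wallet": {"mnemonic": SAMPLE_PHRASE}})
    print(flag_request_body(body, "application/json"))
```

Because the check looks only at shape, any ordinary 12-word lowercase sentence of short words would also match; comparing each word against the published mnemonic wordlists removes most of those false positives.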
Security vendors note that technical protections such as firewall software can prevent many unauthorized network connections.
Robust endpoint protection remains crucial to detect and block suspicious activity on individual devices.
Users should also keep malware removal tools up to date to ensure that malware does not compromise wallets when interacting with links or downloads.
The move to postal mail does not introduce new technical methods, but it shows that attackers continue to adapt delivery mechanisms when digital channels become saturated.
The novelty lies in the envelope, not in the operating technique – and this distinction could be enough to lower recipients’ skepticism.
Via BleepingComputer