Cybercriminals Target Cryptocurrency Wallet Users
In a cunning new scheme, cybercriminals are targeting users of the popular cryptocurrency hardware wallets Trezor and Ledger by sending fraudulent letters designed to steal recovery phrases. These letters, which falsely present themselves as official notifications from the wallet manufacturers, demand that users complete an “Authentication Check” or “Transaction Check” by a looming deadline, which for Trezor users is February 15, 2026.
Deceptive Tactics and Phishing Sites
The letters feature convincing logos and formatting, compelling recipients to scan QR codes leading to nefarious websites. Here, users are urged to provide their 12-, 20-, or 24-word recovery phrases under the guise of verifying their ownership of their devices. Once victims comply, the hackers gain unrestricted access to their wallets and the funds within, exploiting backend API routes to facilitate the theft.
Dmitry Smilyanets, a cybersecurity professional, revealed he received one of these deceptive letters warning that failure to comply with the so-called authentication process could lead to lost access. The correspondence contained messages pressuring individuals to scan the QR code to maintain functionality of their Trezor Suite.
Urgency and Pressure Tactics
The phishing site for Trezor warns of limited access and potential errors, while a similar letter claiming to be from Ledger circulated on the social media platform X, pressuring recipients to act immediately. Notably, these phishing pages offer various formats for entering recovery phrases, misleading users into thinking they are verifying their device ownership. When victims provide their recovery phrases, the criminals promptly capture this sensitive data, which allows them to restore the wallet on their own devices and siphon off the funds.
The letters create an atmosphere of urgency, implying that devices acquired after November 30, 2025, will be pre-configured, thus pressuring previous customers to respond quickly. While physical mail scams targeting wallet users are relatively uncommon, such tactics have cropped up before, including a 2021 incident where counterfeit Ledger devices were sent out to compromise recovery phrases during the setup process.
Protecting Your Recovery Phrase
It is critical for users to remember that possession of a recovery phrase grants full control over a wallet, and that neither Trezor nor Ledger ever requires users to input or share these phrases through emails, websites, or any medium other than their dedicated hardware. Recovery phrases should only ever be entered directly on the hardware wallets themselves during the restoration process. It remains uncertain how the hackers are selecting targets for these letters, but past security breaches at both companies have exposed customer mailing information, making those customers potential victims.