Snail Mail Phishing Targets Trezor and Ledger Wallet Users for Crypto Theft

Home » News
Yash Shield
News
Reading time icon 2 min. read

Calendar icon Published on

Crooks send fake letters posing as Trezor and Ledger support to steal crypto wallet recovery phrases. Victims scan QR codes under urgency for “mandatory checks.” Sites then grab 12-24 word seeds to drain funds.

Letters use fake letterhead from security teams. Trezor version warns of “Authentication Check” deadline February 15, 2026. Ledger pushes “Transaction Check” by October 2025. QR leads to trezor.authentication-check[.]io or ledger.setuptransactioncheck[.]com.

BEST WINTER DEALS
Editor's Choice
Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.
Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

Sites mimic official setup. They claim new devices skip steps. “Get Started” leads to seed entry pages. Phrases POST to /black/api/send.php backend. Trezor site lives (Cloudflare blocked); Ledger offline.

The Trezor phishing page displays a warning that users must complete an authentication check by February 15, 2026, stating:

“Complete Authentication Check setup by February 15, 2026 unless you purchased a Trezor Safe 7, Trezor Safe 5, Trezor Safe 3, or Trezor Safe 1 after November 30, 2025. In that case, it is already pre-configured, and no action is needed,” reads the phishing site.

Past breaches leaked Trezor (66,000 users) and Ledger (270,000 addresses) data. Physical scams rare but effective, beating email filters.

Trezor warns: “Trezor will never ask you to enter, scan, upload, or share your recovery phrase.”

Ledger states: “Ledger will never ask for your 24-word recovery phrase. Never enter it on a website.”

Phishing Sites Table

TargetDomainStatusPayload
Trezortrezor.authentication-check[.]ioLive, blockedSeed grab API
Ledgerledger.setuptransactioncheck[.]comOfflineFake check page ​

Scam Tactics

  • Urgency deadlines create panic.
  • Fake models like Trezor Safe 7/5/3/1.
  • Supports 12/20/24-word seeds.
  • Mimics real features like passphrases.

Never share seeds. Enter only on hardware during restore. Report to firms.

Protection List

  • Ignore unsolicited mail from wallet makers.
  • Verify via official apps/sites only.
  • Move funds if seed exposed.
  • Use passphrases for extra security.

FAQ

Why snail mail for phishing?

Bypasses email filters; data from past breaches targets users.

What happens if seed shared?

Attacker imports wallet, steals all funds instantly.

Trezor/Ledger ever ask for seeds?

No, never via mail, email, or sites.

Sites still active?

Trezor yes (blocked); Ledger no.

Past similar scams?

Fake Ledger devices mailed in 2021.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages