- Physical letters are replacing emails to deliver hardware wallet phishing campaigns
- QR codes in envelopes direct victims to fake credential collection sites
- Trezor and Ledger owners receive urgent messages requiring authentication checks
Experts have warned that physical letters are being used in cryptocurrency theft campaigns, which rely on QR codes and urgent alerts to trick hardware wallet owners.
The approach replaces email with printed mail, yet the underlying technique remains traditional phishing, according to cybersecurity expert Dmitry Smilyanets, who detailed receiving such a letter.
Instead of malicious attachments, victims receive envelopes that appear to come from security teams associated with hardware wallet brands.
QR codes lead to credential collection locations
The letters claim that an authentication check or transaction check will soon become mandatory for continued wallet access, and instruct users to scan a QR code to avoid disruption, with deadlines stretching into early 2026.
Once scanned, the codes direct users to malicious websites that mimic official setup pages associated with Trezor and Ledger devices.
A Ledger-themed domain has already gone offline, while a Trezor-themed domain remains available but is flagged by Cloudflare as phishing infrastructure.
The fraudulent website instructs visitors to complete an authentication process by a specified deadline and warns that failure to do so could limit access to the wallet or disrupt transaction signing.
Visitors who continue are asked to enter their wallet recovery phrase on the pretext that verification of ownership is required.
The site accepts 12-, 20-, or 24-word phrases and forwards this information through a backend API endpoint controlled by the attackers.
With this data, threat actors can import the wallet and transfer funds without further interaction.
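As an added example (not from the article, Bleeping Computer, or either vendor), the following defender-side heuristic shows how a web proxy or URL sandbox could flag a fetched page that asks for a recovery phrase in a browser form. The wording pattern, the one-field-per-word layout, the function names and the sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

PHRASE_LENGTHS = {12, 20, 24}  # phrase lengths the article says the site accepts
# Assumed wording, not taken from the real pages; tune against your own samples.
WORDING = re.compile(r"recovery (phrase|seed)|seed phrase|mnemonic", re.I)


class FormScanner(HTMLParser):
    """Counts text-like inputs per <form> and collects visible/placeholder text."""

    def __init__(self):
        super().__init__()
        self.inputs = [0]  # bucket 0 holds inputs that sit outside any <form>
        self.cur = 0
        self.text = []
        self.has_textarea = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.text.append(a.get("placeholder") or "")
        if tag == "form":
            self.inputs.append(0)
            self.cur = len(self.inputs) - 1
        elif tag == "textarea":
            self.has_textarea = True
        elif tag == "input":
            # An <input> with no type attribute is a text field.
            if (a.get("type") or "text").lower() in ("text", "password"):
                self.inputs[self.cur] += 1

    def handle_endtag(self, tag):
        if tag == "form":
            self.cur = 0

    def handle_data(self, data):
        self.text.append(data)


def seed_phrase_indicators(html):
    """Return reasons a page looks like it collects a wallet recovery phrase."""
    s = FormScanner()
    s.feed(html)
    s.close()
    if not WORDING.search(" ".join(s.text)):
        return []  # no recovery-phrase wording: nothing to report
    hits = [f"{n} word fields" for n in s.inputs if n in PHRASE_LENGTHS]
    if s.has_textarea:
        hits.append("free-text box next to recovery-phrase wording")
    return hits
```

Any non-empty result is worth blocking or escalating, since the manufacturers' guidance quoted below is that a recovery phrase is never entered on a website.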
It remains unclear how recipients were selected, although previous data breaches involving hardware wallet vendors exposed customer contact information, raising questions about whether leaked mailing addresses are being reused for physical phishing campaigns.
Hardware wallet recovery phrases act as the textual form of private keys that control access to cryptocurrency funds.
Anyone who obtains that phrase gains complete control of the associated wallet.
Manufacturers state that recovery phrases should only be entered directly on the hardware device during recovery and never on a website or mobile browser.
Security vendors note that technical security measures such as firewall software can prevent many unauthorized network connections.
Strong endpoint protection remains critical to detect and block suspicious activity on individual devices.
Users should also maintain up-to-date malware removal tools to ensure that malicious software does not compromise wallets when interacting with links or downloads.
The shift to snail mail does not introduce new technical methods, but it does show that attackers continue to adapt delivery mechanisms as digital channels become saturated.
The novelty lies in the envelope, not in the exploitation technique – and that distinction may be enough to reduce skepticism among the recipients.
Via Bleeping Computer



