A new breed of phishing attack is bypassing every spam filter, email security tool, and browser warning in existence, because it arrives in your physical mailbox. Scammers are sending official-looking letters that impersonate Trezor and Ledger, complete with branded letterhead, reference numbers, and QR codes that route victims to seed phrase harvesting pages. As of February 16, 2026, cybersecurity researcher Dmitry Smilyanets and multiple outlets have confirmed that the letters are actively circulating, and the attack vector is fueled by at least three separate data breaches that leaked customer names and home addresses.
Physical Mail Becomes the Ultimate Social Engineering Weapon
The letters are designed to exploit a trust gap. Most crypto users have trained themselves to be suspicious of emails, DMs, and pop-ups. But a physical letter with professional formatting, a recognizable brand logo, and a return address that looks legitimate triggers a different psychological response. It feels real in a way that a phishing email never can.
One sample letter received by Smilyanets, writing for Recorded Future News, impersonates Trezor and states: "To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website." The letter warns that an "Authentication Check" will soon become mandatory and sets a deadline of February 15, 2026, creating artificial urgency. A similar letter targeting Ledger users references a "Transaction Check" with an earlier October 2025 deadline.
The irony is deliberate and cruel: the letters include standard security advice telling recipients never to share their seed phrase online, while simultaneously attempting to trick them into doing exactly that.
How the QR Code Pipeline Steals Your Funds
The attack chain is straightforward but effective. Scanning the QR code on the letter opens a phishing page that mimics Trezor Suite or Ledger Live with near-perfect fidelity. The page presents a form requesting the user's recovery phrase, accepting 12-word, 20-word, or 24-word formats. It claims this information is required to "verify device ownership" and "enable the authentication feature."
Once the victim enters their seed phrase, the page transmits it to an attacker-controlled backend via API. From there, the attacker imports the wallet on their own device and drains it. The entire process, from scanning to losing funds, can take under two minutes.
What makes this particularly dangerous is that hardware wallet users are, by definition, security-conscious. They chose self-custody specifically to avoid counterparty risk. A letter that acknowledges that security mindset and then weaponizes it against the holder is a level of social engineering that goes beyond typical spray-and-pray phishing.
Three Data Breaches Built the Target List
The attackers did not guess who owns hardware wallets. They know, because the data has been leaked multiple times:
Ledger 2020 breach: In June 2020, hackers exploited a vulnerability in Ledger's e-commerce platform. Initially reported as affecting 9,500 customers, the full dump surfaced in December 2020 on RaidForums, revealing approximately 272,000 records with names, email addresses, phone numbers, and physical mailing addresses. The data is still circulating on dark web marketplaces and Telegram channels.
Trezor 2024 breach: In January 2024, unauthorized access to a third-party support portal exposed names and email addresses of up to 66,000 users who had contacted Trezor support since December 2021. Of those, 41 customers received direct phishing emails from the attacker requesting recovery seed information.
Ledger January 2026 breach: Just weeks ago, Ledger disclosed that its payment partner Global-e suffered a cyber intrusion that exposed customer names and contact information from order records. Blockchain researcher ZachXBT broke the news on January 5, 2026, after multiple Ledger customers received notifications from Global-e about suspicious cloud infrastructure activity. The full scope of affected customers has not been disclosed.
Combined, these breaches give attackers a rich dataset: names, home addresses, email addresses, and in some cases phone numbers and purchase histories, for hundreds of thousands of hardware wallet owners.
The Hidden Cost That Goes Beyond Stolen Crypto
The immediate financial damage from seed phrase theft is obvious: wallets get drained. But the secondary effects are harder to quantify. Hardware wallet users who fall victim may lose trust in self-custody entirely, pushing them back toward custodial exchanges where counterparty risk (the very thing they were trying to avoid) becomes the new threat.
There is also a physical safety dimension. The same address data that enables a phishing letter also enables a $5 wrench attack, the security community's term for physical coercion. If an attacker knows your name, address, and that you own enough crypto to justify a hardware wallet, the threat model extends beyond the digital realm.
For users who hold crypto cards alongside hardware wallets, the operational security implications are significant. Cards from providers like Ledger that use the CL Card for everyday spending require a different mental model than cold storage. The card itself is not at risk from this phishing attack, but the wallet backing it could be if the same seed phrase controls both cold storage and card-linked funds.
How to Verify Any Communication Claiming to Be From Your Wallet Provider
Neither Trezor nor Ledger will ever ask for your recovery phrase. Not by email, not by letter, not by phone, not by QR code. This is the single most important rule, and it has no exceptions.
Beyond that baseline, here is a practical verification checklist:
Check the URL manually. Never scan a QR code from an unsolicited letter. If you receive a communication claiming to require action, open your browser and navigate to trezor.io or ledger.com directly. If there is a legitimate mandatory update, it will be prominently displayed on the official site and app.
Cross-reference on social channels. Trezor and Ledger both maintain active X (Twitter) accounts and support forums. Any real mandatory action would be announced across multiple channels, not delivered exclusively by postal mail.
Report the letter. Forward details to Trezor's security team (security@trezor.io) or Ledger's support. Reporting helps the companies track the campaign's geographic spread and alert other users.
Check if your data was leaked. HaveIBeenPwned.com includes the Ledger 2020 breach in its database. If your email appears, assume your associated physical address is also compromised and treat any unsolicited mail from wallet providers with extreme suspicion.
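For a support or security team triaging URLs transcribed from reported letters, the "is this really trezor.io or ledger.com" check can be made mechanical. The Python below is an added example, not code from Trezor, Ledger or the original article; the function names, verdict labels and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Official domains named in the checklist above; brand tokens are derived from them.
OFFICIAL_DOMAINS = ("trezor.io", "ledger.com")
BRAND_TOKENS = tuple(d.split(".")[0] for d in OFFICIAL_DOMAINS)


def classify_url(url: str) -> str:
    """Classify a URL from a reported letter: 'official', 'suspect' or 'unrelated'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
        # Convert internationalized labels to punycode so homoglyph hosts
        # surface as "xn--" labels instead of rendering like the brand.
        ascii_host = host.encode("idna").decode("ascii").lower()
    except ValueError:  # malformed authority or invalid IDN label
        return "suspect"
    if not ascii_host:
        return "suspect"

    # Exact match or a true subdomain only. A bare endswith("trezor.io")
    # would also accept "nottrezor.io".
    on_official = any(
        ascii_host == d or ascii_host.endswith("." + d) for d in OFFICIAL_DOMAINS
    )
    if on_official and parts.scheme.lower() == "https":
        return "official"

    # Brand name anywhere in the authority (userinfo before "@", extra
    # labels, look-alike registrations) or any punycode label is flagged.
    authority = parts.netloc.lower()
    has_brand = any(t in authority or t in ascii_host for t in BRAND_TOKENS)
    has_punycode = any(lbl.startswith("xn--") for lbl in ascii_host.split("."))
    return "suspect" if has_brand or has_punycode else "unrelated"


# Constructed sample inputs, not taken from real letters.
SAMPLES = [
    "https://suite.trezor.io/web/",          # true subdomain
    "https://nottrezor.io/",                 # suffix look-alike
    "https://trezor.io.verify.example/auth", # brand as a subdomain label
    "https://ledger.com@login.example/",     # brand hidden in userinfo
    "https://trez\u03bfr.io/",               # Greek omicron homoglyph
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_url(sample):9} {sample!r}")
```

An "official" verdict only says the host belongs to the vendor's domain; the rule that no legitimate page asks for a recovery phrase still applies.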
The Broader Pattern: Why Offline Attacks Are Escalating
This is not an isolated incident. The convergence of multiple data breaches with increasingly sophisticated social engineering represents a structural shift in how crypto users are targeted. After the 2020 Ledger breach, victims reported receiving physical threat letters demanding Bitcoin ransoms of $700 to $1,000. Some reported SIM swap attempts. Others received fake Ledger hardware devices pre-loaded with malware.
The QR code letter campaign is the latest evolution: lower risk for the attacker (no physical confrontation, no malware that antivirus can catch), higher scalability (print and mail thousands of letters), and a trust vector that most security training does not address.
For the broader crypto card ecosystem, this trend reinforces why compartmentalization matters. Keeping spending funds on a dedicated card wallet, separate from long-term cold storage, limits the blast radius if any single key is compromised. Cards that operate with no KYC or minimal personal data exposure reduce the attack surface for exactly this kind of data-driven targeting.
FAQ
Are my funds at risk if I received a letter but did not scan the QR code? No. Simply receiving the letter does not compromise your wallet. The attack only works if you scan the QR code and enter your recovery phrase on the phishing site. However, receiving the letter confirms that your name and address are in the leaked dataset, so remain vigilant for future attempts.
Should I move my funds to a new wallet? If you did not enter your seed phrase on any suspicious site, your current wallet is not compromised. If you did enter your phrase, transfer all assets to a freshly generated wallet immediately and treat the old seed as permanently burned.
Can Trezor or Ledger stop these letters? Not directly. Once physical address data is leaked, it cannot be recalled. Both companies can warn users and improve breach notification, but they cannot prevent third parties from sending mail to addresses they no longer control.
Does this affect crypto card users specifically? The phishing targets the master seed phrase, not card-specific credentials. However, if a card's spending wallet shares a seed with cold storage (uncommon but possible with some setups), the card-linked funds would also be at risk.
Overview
Scammers are mailing physical letters impersonating Trezor and Ledger that contain QR codes leading to seed phrase phishing pages. The campaign exploits data from at least three breaches (Ledger 2020, Trezor 2024, Ledger/Global-e January 2026) that exposed hundreds of thousands of customer names and addresses. Neither company will ever request your recovery phrase by any method. The only defense is absolute refusal to enter seed words on any site reached through unsolicited communication, regardless of how legitimate it appears.