The internet is filled with scams that arrive via email, text message, or social media, and we’ve become desensitised to them, despite monthly news stories and reports on the subject. Billions have been stolen in the Bitcoin and adjacent crypto space, and if it’s not a world-record hack, it’s brushed under the carpet by survivorship bias.
The only ones that remember are the ones affected, and every Bitcoin holder assumes they’ll never be the one on the chopping block, until they’re faced with the reality of a 0 balance.
While the online barrage of scam and phishing attempts continues, they’re not the only ones we need to be aware of and safeguard against. This year, cybercriminals are starting to target Bitcoin users, and have taken a more alarming route — sending fraudulent letters directly to people’s homes.
If you own a Ledger or Trezor hardware wallet, learning all about this scam could be the difference between keeping your Bitcoin safe and losing everything.
In early 2026, Ledger and Trezor users began reporting a worrying new scam: fraudulent physical letters sent through the post that appear to come from trusted hardware wallet manufacturers. These letters are part of a new phishing campaign designed to trick users into giving away their recovery seed phrases — the master keys that grant access to their wallet’s funds.
How the Scam Works
The physical letter scam follows a carefully crafted playbook designed to instil fear and urgency in the recipient.
Here is how it typically unfolds:
The Letter Arrives
Victims receive a professionally printed letter in the mail that appears to come directly from Ledger or Trezor — complete with official-looking logos, branded envelopes, corporate addresses, and even reference numbers to give the impression of authenticity. The letter is indistinguishable, at first glance, from genuine company correspondence.
The Fake Urgency
The content of the letter warns the recipient of a supposed critical security vulnerability affecting their hardware wallet. In some variants, the letter claims that the user’s device has been “compromised,” that their wallet firmware is dangerously outdated, or that their seed phrase needs to be “verified” as part of a mandatory security protocol. The language is alarmist and designed to panic the reader into acting quickly without thinking critically.
The Call to Action
The letter instructs the victim to either visit a spoofed website (a convincing clone of the official Trezor or Ledger site) or you’re instructed to scan a QR code or visit a provided link — supposedly to keep your wallet secure. In particularly brazen versions of the scam, users are asked to enter their 12- or 24-word seed phrase into a device included with the letter — a fake hardware wallet pre-loaded with malware.
The Theft
Once a victim enters their seed phrase — either on a fake website or into a compromised device — the scammers gain full, instant access to every wallet associated with that phrase. Funds are immediately transferred out to attacker-controlled wallets. Because blockchain transactions are irreversible, there is no way to recover stolen funds.
A Notable Variant: The Fake Replacement Device
In one of the most elaborate versions of the scam back in 2020, victims received packages containing what appeared to be a brand-new Ledger Nano X device. The packaging was convincing, the device looked authentic, and the accompanying letter (purportedly from Ledger’s support team) explained that the user’s existing device needed to be replaced due to a security issue.
The catch:
The device was tampered with. It had been modified to record and transmit the victim’s seed phrase to the attackers the moment the user set it up.
Researchers who examined these packages found that the devices were genuine Ledger hardware that had been opened, compromised with malware-laden firmware, repackaged, and sent out — a level of sophistication that raised the bar for hardware-based social engineering attacks considerably.
When Did These Scams Surface?
The physical letter scam against hardware wallet users emerged most prominently following one of the most damaging data breaches in cryptocurrency hardware history: the Ledger data breach of July 2020.
Ledger, the French crypto hardware wallet company, disclosed that a vulnerability in its e-commerce and marketing database had exposed the personal details of approximately one million customers. This included email addresses, phone numbers, and critically — for around 272,000 customers — full names, postal addresses, and phone numbers.
The stolen data was initially used for email phishing and SMS smishing attacks. However, by late 2020 and into 2021, reports began flooding in of victims receiving sophisticated physical letters at their home addresses. The data from the breach had either been used directly by those who stole it or sold on dark web marketplaces to criminal groups who saw the opportunity to weaponise physical mail.
Trezor, made by SatoshiLabs, also saw its users targeted — in part because the customer data that was leaked and circulated included users who owned multiple hardware wallet brands, and scammers simply cast a wide net. In April 2022, Trezor itself suffered a data breach when its third-party newsletter provider, Mailchimp, was compromised, exposing thousands of Trezor customer email addresses and further fueling targeted attack campaigns.
Physical letter scam reports have continued to emerge in waves since 2021, with new variants and updated tactics appearing regularly as scammers refine their approach.
How Do Scammers Have Your Physical Address?
This is the question that disturbs victims the most:
How does a criminal know where I live?
There are several ways scammers have obtained the home addresses of Bitcoin hardware wallet users:
The Ledger Data Breach (2020)
As mentioned, the July 2020 breach of Ledger’s e-commerce database remains the single biggest source of victim addresses. The full dataset — containing names, addresses, phone numbers, and email addresses — was eventually dumped publicly on the RaidForums hacking forum in December 2020, making it freely accessible to virtually any bad actor with an internet connection. This dataset is believed to have been used as the primary source for physical letter campaigns targeting Ledger customers.
The Trezor Data Breach (2024)
Trezor experienced data exposures involving 66 000 user contact information. These leaks may have included physical mailing addresses, according to COINOTAG
Dark Web Data Markets
Stolen personal data from various breaches is routinely bought and sold on dark web marketplaces. Criminal groups specialising in crypto theft purchase “combo lists” that merge breach data from multiple sources, allowing them to identify individuals who are likely Bitcoin holders based on prior purchases of hardware wallets, registrations on crypto exchanges, or forum participation.
Third-Party Vendor Breaches
Both Ledger and Trezor have used third-party marketing, newsletter, and e-commerce platforms over the years. Breaches of these vendors — such as the Mailchimp breach that affected Trezor in 2022 — can expose customer data even when the hardware wallet company itself has strong internal security.
Social Engineering and OSINT
In some cases, scammers use open-source intelligence (OSINT) techniques — scraping public records, social media profiles, cryptocurrency forum posts, and other publicly available information — to identify and locate high-value targets. People who publicly disclose their crypto holdings or wallet activity are particularly vulnerable.
Cryptocurrency Transaction Tracing
Because many blockchains are transparent by design, sophisticated attackers can sometimes trace large wallet balances back to identifiable individuals by cross-referencing on-chain activity with exchange KYC data, forum posts, or other leaked information.
Red Flags to Watch For
Understanding what these letters and packages look like can help you identify a scam before you become a victim. Common warning signs include:
Requests for your seed phrase. This is the most important red flag of all. No legitimate company — not Ledger, not Trezor, not any reputable business — will ever ask for your 12- or 24-word recovery seed phrase. Your seed phrase is the master key to your funds, and it should never leave your possession under any circumstances.
Unexpected replacement devices. If you receive an unsolicited hardware wallet in the mail, do not use it. Ledger and Trezor do not send replacement devices without prior arrangement through official customer support channels.
Urgent language and threats. Scam letters are designed to make you panic. Phrases like “your funds are at immediate risk,” “mandatory security update required,” or “failure to act will result in loss of access” are classic pressure tactics to override your better judgment.
Unofficial URLs. Any website linked in a letter should be scrutinised carefully. Scammers use domains that closely resemble official ones, such as “ledger-secure.com” or “trezor-support.net.” Always type the official address directly into your browser rather than following links or QR codes from physical mail.
QR codes in letters. QR codes in unsolicited mail should be treated with extreme suspicion, as they can redirect to phishing sites that are difficult to spot on a small mobile screen.
No prior contact or support ticket. Legitimate companies only send account-related correspondence in response to a support interaction you initiated. Receiving an out-of-the-blue security notice through the postal service — with no corresponding email or notification in your official account — is a strong signal that something is wrong.
Safety Tips to Protect Yourself
Never, under any circumstances, share your seed phrase. Treat your recovery seed phrase as you would the PIN to your bank account — but more so. Anyone who has your seed phrase has complete, irrevocable control of every wallet associated with it. Store it offline, written on paper or stamped on metal, in a secure physical location. Do not photograph it, store it digitally, or type it into any website or device other than your own hardware wallet during initial setup.
Verify all communications through official channels. If you receive any physical letter, email, or call claiming to be from Ledger or Trezor, go directly to the official website (ledger.com or trezor.io) and contact customer support independently to confirm whether the communication is genuine. Do not use the contact information provided in the suspicious letter.
Purchase hardware wallets only from official sources. Buy directly from Ledger’s or Trezor’s official websites or from authorised resellers. Never buy a used or secondhand hardware wallet, as the device may have been tampered with. Inspect packaging for signs of tampering before use.
Set up your device from scratch. When setting up any hardware wallet, generate a new seed phrase on the device itself. Never use a pre-configured device or one that comes with a seed phrase “already set up for your convenience” — this is a guaranteed scam.
Use a dedicated email and separate identity for crypto purchases. Where possible, use an email address and a P.O. box or package-forwarding address specifically for cryptocurrency-related purchases. This limits the real-world damage if that data is ever breached.
Monitor breach databases. Register your email addresses on services like Have I Been Pwned (haveibeenpwned.com) to receive alerts if your data appears in known breaches. If your information was in the Ledger breach, assume your address may be in criminal hands and be permanently vigilant.
Enable all available security features on your accounts. Use strong, unique passwords and hardware-based two-factor authentication (2FA) for all exchange and crypto service accounts. Avoid SMS-based 2FA where possible due to SIM-swapping vulnerabilities.
Educate your household. Other members of your household may open your mail. Make sure they know to flag any correspondence related to cryptocurrency and not to call any numbers or visit any websites listed in such letters without checking with you first.
Report scam letters. If you receive a fraudulent letter, report it to your national postal service’s fraud division, your country’s cybercrime authority (such as the FBI’s IC3 in the US, Action Fraud in the UK, or the ACCC in Australia), and to Ledger or Trezor directly via their official support channels. Your report could help protect other victims.
Don’t Trust Any Brand With Your Bitcoin
Hardware wallets are one of the safest ways to store funds because they keep your keys offline. But no level of physical security can protect you if you willingly hand over your recovery phrase. Stay sceptical, verify every communication independently, and when in doubt, don’t engage — because once a scammer has your seed phrase, they have your coins.
The Trezor and Ledger physical letter scam is a sobering reminder that the threat landscape for cryptocurrency holders extends well beyond the digital world. When personal data from corporate breaches ends up in criminal hands, the consequences can arrive at your front door — literally.
The golden rule remains unchanged: your seed phrase is sacred, and no one legitimate will ever ask for it. If you understand that single principle and apply it without exception, you will be immune to the core mechanism of this and virtually every other crypto wallet phishing attack, whether it arrives by email, text message, social media, or postal mail.
Stay sceptical, stay informed, and safeguard your seed phrase as if your financial security depends on it — because it does.
Do your own research
If you want to learn more about snail mail scams, use this article as a starting point. Don’t trust what we say as the final word. Take the time to research other sources, and you can start by checking out the resources below.
