- Physical letters are replacing emails for phishing campaigns on hardware wallets
- QR Codes on Envelopes Direct Victims to Fake Credential Harvesting Websites
- Trezor and Ledger owners receive urgent notices demanding authentication checks
Experts have warned that physical letters are being used in cryptocurrency theft campaigns that rely on QR codes and urgent warnings to trick hardware wallet owners.
The approach replaces email with paper mail, but the underlying technique is still traditional phishing, according to cybersecurity expert Dmitry Smilyanets, who detailed receiving one such letter.
Instead of malicious attachments, victims receive envelopes that appear to come from security teams linked to hardware wallet brands.
QR codes lead to credential collection sites
The letters claim that an authentication check or transaction verification will soon be mandatory for continued wallet access, and instruct users to scan a QR code to avoid interruptions, with deadlines extending to early 2026.
Once scanned, the codes direct users to malicious websites that mimic the official setup pages associated with Trezor and Ledger devices.
A domain linked to the Ledger theme has already been taken offline, while a Trezor-themed domain remains accessible but has been flagged as phishing infrastructure by Cloudflare.
The fraudulent site instructs visitors to complete an authentication process before a set deadline, warning that a failure could restrict access to the wallet or interfere with signing transactions.
If people continue, they are asked to enter their wallet recovery phrase under the claim that ownership verification is required.
The page accepts phrases of 12, 20, or 24 words and forwards that information through a backend API endpoint controlled by the attackers.
With that data, threat actors can import the wallet and transfer funds without further interaction.
It remains unclear how recipients were selected, although previous data breaches involving hardware wallet providers exposed customers’ contact details, raising questions about whether leaked email addresses are being repurposed for physical phishing campaigns.
Hardware wallet recovery phrases function as the textual form of private keys that control access to cryptocurrency funds.
Anyone who gets that phrase gets full control over the associated wallet.
Manufacturers state that recovery phrases should only be entered directly on the hardware device during the restore process and never on a website or mobile browser.
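A defender-side check for the page behaviour described above, added here as an example that is not from the article or from any wallet vendor: it flags HTML that both mentions a recovery phrase and presents a form shaped to collect one (12, 20 or 24 text fields, or a form offering several phrase lengths). The wording cues, function names and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

PHRASE_LENGTHS = {12, 20, 24}  # word counts the article says the page accepts
CUES = re.compile(r"recovery\s+(phrase|seed)|seed\s+phrase|mnemonic", re.I)  # assumed cues
WORD_COUNT = re.compile(r"\b(12|20|24)[\s-]*words?\b", re.I)

class FormScan(HTMLParser):
    """Counts free-text inputs per <form> and gathers visible text."""
    def __init__(self):
        super().__init__()
        self.inputs_per_form, self.text, self.in_form = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.inputs_per_form.append(0)
        elif tag in ("input", "textarea"):
            self.text.append(attrs.get("placeholder") or "")
            kind = (attrs.get("type") or "text").lower()
            if self.in_form and (tag == "textarea" or kind in ("text", "password")):
                self.inputs_per_form[-1] += 1
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
    def handle_data(self, data):
        self.text.append(data)

def seed_phrase_indicators(html):
    """Return the reasons a page looks like it collects a recovery phrase."""
    scan = FormScan()
    scan.feed(html)
    text = " ".join(scan.text)
    reasons = []
    if CUES.search(text):
        reasons.append("mentions recovery phrase")
    if any(n in PHRASE_LENGTHS for n in scan.inputs_per_form):
        reasons.append("form with 12/20/24 text fields")
    if scan.inputs_per_form and len(set(WORD_COUNT.findall(text))) >= 2:
        reasons.append("form offering several phrase lengths")
    return reasons

def is_seed_harvester(html):
    """Flag only when the wording cue coincides with a collecting form."""
    reasons = seed_phrase_indicators(html)
    return "mentions recovery phrase" in reasons and len(reasons) >= 2

# Constructed sample pages, not captured from the campaign.
SUSPECT = "<p>Enter your recovery phrase</p><form>" + '<input type="text">' * 24 + "</form>"
BENIGN = "<p>Never type your recovery phrase into a website.</p><form><input type='search'></form>"
```

Requiring the wording cue and a collecting form together keeps support articles that merely warn about recovery phrases from being flagged.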
Security vendors note that technical safeguards, such as firewall software, can prevent many unauthorized network connections.
Strong endpoint protection remains crucial to detecting and blocking suspicious activity on individual devices.
Users should also keep malware removal tools up to date to ensure that malicious software does not compromise wallets by interacting with links or downloads.
The shift to postal mail does not introduce new technical methods, but it shows that attackers continue to adapt delivery mechanisms when digital channels become saturated.
The novelty lies in the envelope, not in the exploitation technique, and that distinction may be enough to reduce skepticism among recipients.
Via BleepingComputer




