top of page

Scammers Impersonate Ledger with Physical Phishing Letters Targeting Wallet Seeds

  • May 17
  • 3 min read

Key Findings


  • Scammers are sending physical letters impersonating Ledger, a major hardware wallet manufacturer, to steal cryptocurrency recovery seed phrases

  • The fraudulent letters include official-looking branding, reference numbers, and fake security warnings about a "Quantum Resistance" update with a deadline

  • Letters are localized by region, with documented examples in Italian targeting customers in Italy, suggesting attackers have access to customer data organized by location

  • Each letter contains a QR code directing victims to a phishing website where they are prompted to enter their 24-word recovery seed phrase

  • Attackers can drain entire cryptocurrency wallets once they obtain a valid seed phrase

  • The fake letters are signed by Ledger CTO Charles Guillemet and reference a non-existent quantum computing defense system


Background


Ledger is one of the most widely used hardware wallets in the cryptocurrency space, storing digital assets offline to protect them from online threats. The company has built its reputation on security, but its large customer base also makes it an attractive target for scammers. Recent physical phishing campaigns represent a shift in tactics, moving beyond digital channels to exploit the perceived legitimacy of printed mail.


Campaign Details and Localization


The phishing letters are designed to look authentic, complete with Ledger's Paris corporate address and official formatting. What stands out is the regional customization. The circulating example appears in Italian and targets customers in Italy, suggesting the attackers have segmented their mailing list by country and language. This level of localization indicates the scammers likely have access to detailed customer data beyond just names and addresses.


The letters create urgency by claiming a mandatory security upgrade is required before a specific deadline. Failure to comply, the letter warns, will result in wallet access disruption and disabled features. This pressure tactic is designed to bypass the victim's natural skepticism and push them toward quick action.


The Phishing Mechanism


The QR code embedded in the letter is the bait. When scanned, it directs users to a fraudulent website that mimics Ledger's legitimate interface. The site then requests the user's 24-word recovery seed phrase under the guise of completing the security update. Once entered, the attacker has full control of the wallet and can transfer all cryptocurrency holdings to accounts they control.


The seed phrase is the master key to any hardware wallet. It is only meant to be used during the initial setup or in recovery scenarios on a trusted device. Ledger has repeatedly emphasized that the company will never ask for this phrase under any circumstance, whether through email, website, QR code, phone call, or printed letter.


Suspected Data Source


Researchers and community members have connected this campaign to a breach involving Global-e, Ledger's e-commerce payment processor, which occurred in January 2026. While Ledger has not officially confirmed this link, the localized nature of the letters and their accurate targeting of customers by region strongly suggests the attackers obtained customer shipping data and contact information from a compromised system.


This is not the first time Ledger customers have been targeted following a data leak. Previous attacks have included fake firmware updates, cloned Ledger Live applications, phishing emails, and counterfeit hardware wallets specifically designed to harvest seed phrases.


Recommended Actions


Ledger has advised customers to ignore any physical mail, email, or social media message requesting a recovery phrase. The safest course of action is to delete the letter without scanning the QR code or visiting any linked website.


For users who may have already entered their seed phrase on the phishing site, immediate action is critical. They should transfer all cryptocurrency holdings to a newly created wallet with a fresh recovery phrase as quickly as possible, before attackers gain access to drain the account.


The broader lesson remains consistent across the industry: legitimate hardware wallet companies will never ask for your recovery phrase, and sharing it with anyone represents an immediate loss of wallet security.


Sources


  • https://hackread.com/scammers-physical-phishing-letters-ledger-wallet-seed/

  • https://www.facebook.com/cryptopolitan/posts/imagine-checking-your-mailbox-and-finding-a-scam-letter-addressed-to-your-home-b/1653889980077445/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page