Cybersecurity expert Dmitry Smilyanets reported on February 13th that he received a fake email posing as an official Trezor notification, demanding that the recipient complete an "Authentication Check" by February 15th, or their device would be restricted. The email was meticulously crafted, featuring a hologram and QR code, and at first glance appeared almost identical to official documents. However, a glaring error gave it away—misattributing Trezor CEO Matěj Žák to "Ledger CEO," revealing a cross-brand fraudulent scheme.
Scanning a QR code leads to being scammed: the seed phrase disappears as soon as it's entered.
The attack mechanism of this scam is not complicated, but it is extremely effective. The QR code in the email will lead the user to a carefully imitation Ledger or Trezor setup page, which will ask the user to enter a 12, 20 or 24 word wallet seed phrase phrase, claiming that it is a necessary step to "verify device ownership".
Once a user enters seed phrase, the information is instantly transmitted to attackers via a backend API, allowing them to transfer the money into the victim's wallet and steal all assets.
Please remember: Legitimate hardware wallet companies will never ask users to share seed phrase through any means—whether it's a website, email, or physical mail.
Scams are on the rise during bear markets, with panic becoming the biggest vulnerability.
Cyvers CEO Deddy Lavid points out that crypto scams won't decrease in a bear market; they will only evolve and adapt.
During market downturns, social engineering and impersonation scams tend to increase. Users are more anxious, more prone to impulsive reactions, and more susceptible to fear-based tactics—such as fake compliance notifications or wallet alerts.
This is precisely what makes these physical mail scams so insidious: they exploit users' instinctive trust in "official notifications," create a sense of urgency by setting deadlines, and induce victims to relinquish control of their assets in a panic.
Data leaks are the root of all evil.
This wave of physical mail scams was able to precisely target cold wallet users because of multiple past data breaches involving Ledger and Trezor:
- Trezor disclosed a data breach in January 2024, affecting nearly 66,000 customers.
- Ledger and its partners have suffered multiple major data breaches, resulting in the exposure of customer physical addresses.
- In 2021, scammers sent counterfeit Ledger Nano hardware wallets to victims of the 2020 Ledger data breach.
- In April 2025, physical phishing emails containing QR codes began targeting Ledger users.
- In May 2025, a fake Ledger Live app was used to steal seed phrase.
Ledger issued a physical email scam warning to users through its official support website last October.
Self-preservation principles: Three "never" rules
- Never scan QR codes in emails from unknown sources.
- Never enter your mnemonic phrase on any website—no matter how "official" it may seem.
- We will not respond to any notifications requesting you to complete "verification" within a specified period.
If you have any questions, please contact customer service directly through the official website (trezor.io / ledger.com) for confirmation.
