Threat actors are sending physical letters pretending to be from Trezor and Ledger, makers of cryptocurrency hardware wallets, to trick users into submitting recovery phrases in crypto theft attacks.

These phishing letters claim recipients must complete a mandatory “Authentication Check” or “Transaction Check” to avoid losing access to wallet functionality, creating a sense of urgency to pressure victims into scanning QR codes that lead to malicious websites.

Snail mail QR code crypto scams

Hardware wallet users report receiving snail mail letters printed on letterhead that impersonate official communications from Trezor and Ledger security and compliance teams.

It is unclear what the targeting criteria are for these letters, but both Trezor and Ledger [2] have suffered data breaches in the past couple of years that have exposed customer contact information.

A letter impersonating Trezor received by cybersecurity expert Dmitry Smilyanets claims that an “Authentication Check will soon become a mandatory part of Trezor,” warning users to complete the process by February 15, 2026, or risk losing functionality on their devices.

“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026,” reads the fake Trezor letter.

“Note: While you may have already received the notification on your Trezor device and enabled Authentication Check, completing this process is still required to fully activate the feature and ensure your device is synchronized with the full functionality of Authentication Check.”

A similar Ledger-themed letter was shared on X, claiming a “Transaction Check” would soon become mandatory and warning users to scan a QR code to enable the feature by October 15, 2025, to avoid disruptions.

Scanning the QR codes leads victims to phishing sites impersonating official Trezor and Ledger setup pages, including:

• https://trezor.authentication-check[.]io/
• https://ledger.setuptransactioncheck[.]com/

At the time of writing, the Ledger phishing domain is offline, while the Trezor phishing site remains live but is now flagged by Cloudflare as a phishing site.

The Trezor phishing page displays a warning that users must complete an authentication check by February 15, 2026, stating:

“Complete Authentication Check setup by February 15, 2026 unless you purchased a Trezor Safe 7, Trezor Safe 5, Trezor Safe 3, or Trezor Safe 1 after November 30, 2025. In that case, it is already pre-configured, and no action is needed,” reads the phishing site.

Clicking the “Get Started” button leads to another page that warns users that failure to complete the authentication process may result in limited or blocked access to Trezor, transaction signing errors, and disruption with future Trezor updates.

These warnings are designed to create further urgency so victims continue to the next part of the setup process.

If victims proceed, they are taken to a final phishing page that asks them to enter their wallet recovery phrase.

The page allows users to enter 24-, 20-, or 12-word recovery phrases and claims that this information is required to verify device ownership and enable the authentication feature.

Once entered, the recovery phrase is transmitted to the threat actor through a backend API endpoint at https://trezor.authentication-check[.]io/black/api/send.php.

This allows attackers to import the victim’s wallet onto their own devices and steal funds from the wallet.

While phishing emails targeting Trezor and Ledger users are common, physical mail phishing campaigns remain relatively rare.

In 2021, threat actors mailed modified Ledger devices designed to steal recovery phrases during setup.

A similar postal phishing campaign was also reported in April targeting Ledger users.

Never share recovery phrases

Hardware wallet recovery phrases, also known as seed phrases, are textual representations of the private keys that control access to cryptocurrency wallets.

Therefore, anyone who has access to a wallet’s recovery phrase gains full control over the wallet and its funds.

Hardware wallet manufacturers such as Trezor and Ledger will never ask users to enter, scan, upload, or share their recovery phrase.

Recovery phrases should be entered directly on the hardware wallet device when restoring a wallet, and never on a computer, mobile device, or website.