Threat actors are sending physical letters that impersonate Trezor and Ledger, urging recipients to complete bogus “Authentication Check” or “Transaction Check” steps by scanning QR codes. Those phishing sites prompt users to enter wallet recovery phrases, which are transmitted to attackers and enable theft of the victims’ funds. #Trezor #Ledger
Keypoints
- Attackers mail letters on Trezor and Ledger letterhead claiming mandatory security checks.
- Recipients are pressured to scan QR codes that lead to phishing domains impersonating official setup pages.
- Phishing pages create urgency with warnings of lost functionality to trick users into proceeding.
- Sites request 12-, 20-, or 24-word recovery phrases and send them to attacker-controlled endpoints, enabling wallet theft.
- Hardware wallet vendors never ask for recovery phrases; seeds must only be entered directly on the device.