Ledger and Trezor wallet users are reportedly being targeted in a new crypto theft campaign. According to authorities, crypto scammers have kicked their activities up a notch, ditching their previous model of targeting hardware wallet users.
According to reports, criminals are now sending users of these wallets physical letters delivered to their homes, pretending to be from Trezor and Ledger. This is done to trick them into submitting recovery phrases of their wallets, which are then used to carry out the theft. The letters claim recipients must undergo compulsory checks or transaction checks to avoid losing access to functionalities within the wallet. The scammers use this to create a sense of urgency to pressure their victims into scanning QR codes that lead to malicious websites.
Ledger and Trezor users targeted in snail mail QR code crypto scam
According to reports, users of the hardware wallets have confirmed receiving these letters printed on letterhead that impersonate official communications from the security and compliance teams of Ledger and Trezor. It is unclear how the users are being targeted, but both companies have suffered breaches in the past. These breaches have seen considerable user information being compromised. The most recent breach occurred at Ledger, where user data was stolen last month.
In the letter received by Trezor users and checked by cybersecurity expert Dmitry Smilyanets, the criminals claimed that authentication checks will become a mandatory part of Trezor and urged users to complete the process by February 15 or risk losing certain functions on their devices. The letter claimed that users must scan the QR code contained in the letter and follow the instructions so they don’t lose access to the Trezor Suite.
“Note: While you may have already received the notification on your Trezor device and enabled Authentication Check, completing this process is still required to fully activate the feature and ensure your device is synchronized with the full functionality of Authentication Check,” the Trezor letter read. Meanwhile, a similar letter addressed to Ledger users was shared on blogging platform X, claiming that users would be subjected to a mandatory transaction check with the same deadline.
Hardware wallet firms issue warnings to users
According to reports, scanning the QR code leads users to phishing sites created by scammers to impersonate Trezor and Ledger official domains. Currently, the Ledger phishing site is offline, while that of Trezor remains active. However, the Trezor website has been flagged as a phishing site. “Attackers on the site that you tried visiting might trick you into installing software or revealing information like your passwords, phone numbers, or credit card numbers. Chrome strongly recommends going back to safety,” the website said.
Before the Trezor website was flagged, it displayed a warning saying that users needed to complete the authorization check by February 15 to be safe. However, it highlighted that users who purchased the Trezor Safe 7, Trezor Safe 3, Trezor Safe 1, and Trezor Safe 5 do not need to complete the checks as the wallets are already preconfigured. The landing page features a ‘Get Started’ button that leads to another warning about a failure to complete the authentication process.
These warnings were designed to create further urgency so that victims continue to the next part of the process without having second thoughts. If victims proceed, the next page requires them to enter their recovery phrases with claims that this information is to enable them to authenticate and verify device ownership. However, once the recovery phrase is entered, it is transmitted to the scammers through a backend API endpoint.
Hardware wallet recovery phrases are the representation of the private keys that control access to crypto wallets. This means that anyone with access to the phrases will be able to gain full control over the wallet and the funds in it. Hardware wallet manufacturers like Trezor and Ledger have always warned users not to share those phrases, as they will never ask for them under any condition. Recovery phrases should only be entered on the hardware wallet devices.