Scammers are using a new trick to steal money from people who use Ledger and Trezor hardware wallets. Instead of sending emails, they are now sending fake letters through the mail.

According to a BleepingComputer report, these letters are very well executed and look official. They appear to come from Ledger or Trezor and claim users must complete a mandatory “Authentication Check” or “Transaction Check.” The letters warn that if users do not act quickly, they could lose access to their wallets.

But the letters are fake. They are part of a phishing scam designed to steal users’ recovery phrases, the secret words that give full access to their digital assets.

Phishing emails are common in the digital assets world. However, this scam is different because it uses physical mail.

The letters are printed on good-quality paper that looks official. They include company logos and professional language to make them appear real. Many of the letters set a deadline, often February 15, 2026, to pressure users into acting quickly.

One fake letter reviewed by cybersecurity expert Dmitry Smilyanets told Trezor users:
“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website to enable Authentication Check by February 15th, 2026.”

Smilyanets says the letter even had a hologram and appeared to have been sent from an address in Pennsylvania.

The letter also says that even if users have already enabled the feature, they must still complete the process to “fully activate” it.

A similar fake letter targeting Ledger users was shared on X. It warned about a required “Transaction Check” with the same deadline. Each letter contains a QR code. When users scan the QR code, they are taken to a fake website.

These websites are designed to look like official Ledger or Trezor pages. They copy the layout, branding, and language of the real companies. The fake site tells users they must enter their recovery phrase to verify device ownership and complete the authentication process.

Security experts mention that the website is definitely fake if:

It’s a best practice to visit their websites by manually typing their address in your browser’s address bar.

One phishing page says:

“Complete Authentication Check setup by February 15, 2026 unless you purchased a Trezor Safe 7, Trezor Safe 5, Trezor Safe 3, or Trezor Safe 1 after November 30, 2025.”

This message creates confusion and urgency. It suggests some users do not need to act, while others must hurry.

If users click “Get Started,” they see more warnings. The site claims users may face blocked access, transaction errors, or update problems if they do not complete the process.

Finally, the site asks for the user’s 12-, 20-, or 24-word recovery phrase. Once the phrase is entered, it is secretly sent to the scammers. The criminals can then load the wallet onto their own device and steal all the funds.

A recovery phrase, also called a seed phrase, is the master key to a digital asset wallet.

Anyone who has the recovery phrase can fully control the wallet and move the funds. There is no way to reverse transactions or recover stolen money.

The companies clearly state that they will never ask users to enter, scan, upload, or share their recovery phrases. These phrases should only be entered directly on the hardware wallet device, never on a website, computer, or phone.

It is not exactly clear how the scammers got users’ home addresses.

However, both Ledger and Trezor have experienced data breaches in the past. These breaches exposed customer contact information. Security experts believe that stolen customer data may now be used to send these fake letters.

At least one phishing website has already been flagged as dangerous by browser security tools.

A warning displayed in Chrome states:

“Attackers on the site that you tried visiting might trick you into installing software or revealing information like your passwords, phone numbers, or credit card numbers. Chrome strongly recommends going back to safety.”