The letters claimed fictitious “mandatory” security checks and directed targets to attacker-controlled URLs that replicated support pages, where victims were prompted to input their seed phrases. Once a recovery phrase is entered into a remote site, the attacker can recreate the wallet and drain funds with no practical remediation after the transfers occur.
How the Mailed Scam Works and Why It’s So Effective
The operation relied on contextual details designed to sound plausible, including references to device purchase timing and claims that certain units were “pre-configured,” while sometimes misidentifying corporate officers to imitate executive authority. The objective is to manufacture urgency and legitimacy at the same time, pushing users into a fear-driven workflow that bypasses normal skepticism.
Cybersecurity researcher Dmitry Smilyanets reported receiving one such letter on February 13, 2026, which supports that the campaign was active in the days immediately preceding the February 15 deadline described in the mailers. That tight timing window is a classic pressure tactic intended to reduce verification behavior and increase conversion into the scam funnel.
Targeting precision strongly suggests reuse of previously leaked customer contact data, which makes physical mail appear more credible because it reaches the right households with device-relevant messaging. The campaign’s profile aligns with earlier breaches, including Ledger’s 2020 leak exposing more than 270,000 customer contacts and a January 2024 Trezor breach affecting roughly 66,000 addresses, datasets that can materially improve social-engineering success rates.
The technical failure mode is straightforward and complete: the seed phrase is the deterministic master key, and revealing it allows an attacker to reconstruct private keys and take full control of the wallet. The critical point is that this is not “account access,” it is total asset control, and once funds move to attacker-controlled addresses, recovery options are effectively eliminated.
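To make the "deterministic master key" point concrete, here is an added example (not code from the article or from any wallet vendor) that walks the standard BIP39 and BIP32 steps turning a written phrase into a wallet's root private key, using only Python's standard library; the phrase used is the public BIP39 test vector, not a real wallet:

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Published BIP39 English test vector (all-zero entropy, passphrase "TREZOR").
# A public reference value used for illustration, not a real wallet.
KNOWN_PHRASE = ("abandon abandon abandon abandon abandon abandon "
                "abandon abandon abandon abandon abandon about")
KNOWN_PASSPHRASE = "TREZOR"


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: stretch the written words into the 512-bit wallet seed.

    The inputs are the words and an optional passphrase, nothing else: no
    per-device secret and no account password. Anyone holding the phrase
    can run this step.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with "Bitcoin seed" over the seed gives the
    root private key (left 32 bytes) and chain code (right 32 bytes).
    Every account and address key in the wallet derives from this pair."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def master_key_from_phrase(mnemonic: str,
                           passphrase: str = "") -> Tuple[bytes, bytes]:
    """End to end: phrase -> seed -> root key. The same phrase always yields
    the same root key, which is why disclosure hands over the whole wallet."""
    return seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))


if __name__ == "__main__":
    seed = mnemonic_to_seed(KNOWN_PHRASE, KNOWN_PASSPHRASE)
    priv, chain = seed_to_master_key(seed)
    print("seed        :", seed.hex())
    print("root privkey:", priv.hex())
    print("chain code  :", chain.hex())
    # The optional passphrase ("25th word") is the only extra input; without
    # one, the written phrase alone fully determines the wallet.
    print("phrase alone is deterministic:",
          master_key_from_phrase(KNOWN_PHRASE) == master_key_from_phrase(KNOWN_PHRASE))
```

The only thing that makes a disclosed phrase insufficient is a BIP39 passphrase that was never written down with it; absent that, the phrase is the wallet.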
Immediate Controls for Users, Custodians, and Vendors
Users should treat unsolicited mail that includes QR codes, links, or urgent deadlines as hostile by default and verify communications through trusted channels rather than through the letter’s instructions. A safe operating posture is to manually navigate to the manufacturer’s official domain and confirm announcements there, because legitimate vendors do not request recovery phrases by mail, by email, or through a website.
The seed phrase must never be disclosed and should only be entered directly on the hardware device during a verified recovery process, with offline storage maintained as the baseline control. This single discipline is the difference between a nuisance phishing attempt and an irreversible loss event.
For security teams, custodians, and infrastructure operators, the campaign should be treated as an escalation in social-engineering sophistication rather than a one-off anomaly, because it targets human trust and leaked identity data rather than cryptography. Operationally, the priority is to harden provisioning and recovery workflows with procedural controls that prevent any employee or client from “validating” a seed on an external site under pressure.
For vendors, recurring mailed phishing increases the need to centralize trusted notification channels and publish clear indicators of legitimate communications that users can validate out of band. The strategic mitigation is to reduce ambiguity, improve customer data hygiene, and make verification frictionless so urgency-based scams lose their conversion advantage.