{"id":22097,"date":"2026-02-15T18:00:11","date_gmt":"2026-02-15T18:00:11","guid":{"rendered":"https:\/\/bitunikey.com\/news\/crypto-hackers-target-trezor-and-ledger-users-in-theft-campaign\/"},"modified":"2026-02-15T18:00:40","modified_gmt":"2026-02-15T18:00:40","slug":"crypto-hackers-target-trezor-and-ledger-users-in-theft-campaign","status":"publish","type":"post","link":"https:\/\/bitunikey.com\/news\/crypto-hackers-target-trezor-and-ledger-users-in-theft-campaign\/","title":{"rendered":"Crypto hackers target Trezor and Ledger users in theft campaign"},"content":{"rendered":"<div class=\"post-detail__content blocks\">\n<p class=\"is-style-lead\">Crypto hackers are sending physical letters impersonating Trezor and Ledger to steal cryptocurrency wallet recovery phrases.<\/p>\n<div id=\"cn-block-summary-block_1cfba26110017791a50a7f2ea02cd0d9\" class=\"cn-block-summary\">\n<div class=\"cn-block-summary__nav tabs\">\n        <span class=\"tabs__item is-selected\">Summary<\/span>\n    <\/div>\n<div class=\"cn-block-summary__content\">\n<ul class=\"wp-block-list\">\n<li>Hackers mail fake Trezor and Ledger letters with phishing QR codes.<\/li>\n<li>Sites request recovery phrases and grant attackers full wallet control.<\/li>\n<li>Hardware wallet firms never ask users to share seed phrases.<\/li>\n<\/ul><\/div>\n<\/div>\n<p><!-- .cn-block-summary --><\/p>\n<p>The phishing campaign claims recipients must complete mandatory \u201cAuthentication Check\u201d or \u201cTransaction Check\u201d procedures.<\/p>\n<p>The hackers are also creating urgency through deadlines of February 15, 2026 for Trezor. Letters printed on official-looking letterhead direct users to scan QR codes leading to malicious websites.<\/p>\n<p>The phishing sites request 24-, 20-, or 12-word recovery phrases under the pretense of verifying device ownership.<\/p>\n<p>Once entered, recovery phrases transmit to threat actors through backend API endpoints, granting attackers full control over victims\u2019 wallets and funds.<\/p>\n<p>Both hardware wallet companies suffered data breaches in recent years that exposed customer contact information.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<h2 class=\"wp-block-heading\"><strong>Phishing sites create urgency through functionality warnings<\/strong><\/h2>\n<p>Cybersecurity expert Dmitry Smilyanets received a fake Trezor letter warning that failure to complete authentication would result in lost device functionality.<\/p>\n<p>\u201cTo avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile device and follow the instructions on our website,\u201d the letter stated.<\/p>\n<p>The Trezor phishing site displays warnings about limited access, transaction signing errors, and disruption with future updates.<\/p>\n<figure class=\"wp-block-image size-full\"><figcaption class=\"wp-element-caption\"><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/snail-mail-letters-target-trezor-and-ledger-users-in-crypto-theft-attacks\/\" target=\"_blank\" rel=\"nofollow\">Physical crypto phishing letters<\/a><\/figcaption><\/figure>\n<p>A similar Ledger-themed letter circulated on X, claiming Transaction Check would become mandatory.<\/p>\n<p>The phishing pages allow users to enter recovery phrases in multiple formats, falsely claiming the information verifies device ownership and enables authentication features.<\/p>\n<p>Once victims enter recovery phrases, data transmits to the phishing site. Attackers import the wallet onto their own devices and drain funds.<\/p>\n<p>The letters create false urgency by claiming devices purchased after November 30, 2025 come pre-configured, pressuring earlier buyers to act.<\/p>\n<p>    <!-- .cn-block-related-link --><\/p>\n<h2 class=\"wp-block-heading\"><strong>Crypto hardware wallet companies never request recovery phrases<\/strong><\/h2>\n<p>Physical mail phishing campaigns targeting hardware wallet users remain relatively rare. Crypto hackers mailed modified Ledger devices in 2021 designed to steal recovery phrases during setup. A similar postal campaign targeting Ledger users was reported in April.<\/p>\n<p>Anyone possessing a wallet\u2019s recovery phrase gains full control over the wallet and all funds. Trezor and Ledger never ask users to enter, scan, upload, or share recovery phrases through any channel.<\/p>\n<p>Recovery phrases should only be entered directly on hardware wallet devices when restoring wallets, never on computers, mobile devices, or websites.<\/p>\n<p>The targeting criteria for the physical letters remains unclear. However, both companies\u2019 past data breaches exposed customer mailing addresses and contact information to potential attackers.<\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Crypto hackers are sending physical letters impersonating Trezor and Ledger to steal cryptocurrency wallet recovery phrases. Summary Hackers mail fake Trezor and Ledger letters with phishing QR codes. Sites request&hellip;<\/p>\n","protected":false},"author":1,"featured_media":13174,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-22097","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cryptocurrency"],"_links":{"self":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/22097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/comments?post=22097"}],"version-history":[{"count":1,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/22097\/revisions"}],"predecessor-version":[{"id":22098,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/posts\/22097\/revisions\/22098"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media\/13174"}],"wp:attachment":[{"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/media?parent=22097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/categories?post=22097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitunikey.com\/news\/wp-json\/wp\/v2\/tags?post=22097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}