Snail mail letters target Trezor and Ledger users in crypto-theft attacks

Bleeping Computer
by Lawrence Abrams
February 14, 2026
AI-Generated Deep Dive Summary
Threat actors are targeting cryptocurrency hardware wallet users with a novel phishing campaign delivered by snail mail. The letters impersonate companies like Trezor and Ledger and trick recipients into scanning QR codes that lead to fake websites designed to steal recovery phrases, the critical keys for accessing crypto assets. The attackers create urgency by claiming that "Authentication Checks" or "Transaction Checks" are mandatory and warning users that they may lose wallet functionality if they fail to comply.

The phishing letters are crafted to mimic official communications, including company letterhead and security alerts. They instruct victims to scan QR codes leading to fraudulent sites such as https://trezor.authentication-check[.]io/ and https://ledger.setuptransactioncheck[.]com/. These sites falsely claim that verification is needed to activate new features and pressure users to enter their recovery phrases. Once submitted, the phrases are transmitted to the attackers via backend APIs, enabling them to steal funds from the compromised wallets.

The use of physical mail in phishing attacks is rare but effective, as it creates a sense of legitimacy and urgency. Cybersecurity expert Dmitry Smilyanets reported receiving a fake Trezor letter demanding completion of an "Authentication Check" by February 15, 2026. Similar Ledger-themed letters have also been circulating, with some leading to offline domains or flagged sites like the Trezor phishing page, which now displays a warning from Cloudflare.

The attack highlights a critical weakness in crypto security: a recovery phrase is often the sole method of accessing a wallet. Users must remain vigilant, avoid unsolicited requests for sensitive information and verify official communications directly through established channels.

Such attacks underscore the evolving threats in cryptocurrency security and the importance of handling wallet credentials cautiously to protect against financial losses. For security-focused readers, understanding these phishing tactics is crucial to safeguarding digital assets; learning common attack methods and adopting robust security practices can mitigate the risk. The incident is a reminder of the constant need for vigilance.
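Both phishing URLs quoted above place the brand name in a subdomain of an unrelated domain. As an added example (not code from the article, Trezor or Ledger), this triage check classifies a URL decoded from a QR code; the `OFFICIAL` allowlist of vendor domains and all function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: the defender supplies each vendor's real domains; not from the article.
OFFICIAL = {"trezor": ("trezor.io",), "ledger": ("ledger.com",)}

def parse_authority(url: str) -> tuple[str, str]:
    """Return (hostname, full authority) after undoing common defanging."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower(), parts.netloc.lower()

def is_under(host: str, domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain of it."""
    return host == domain or host.endswith("." + domain)

def classify(url: str) -> str:
    try:
        host, authority = parse_authority(url)
    except ValueError:
        return "unparseable"
    if not host:
        return "unparseable"
    if any(is_under(host, d) for ds in OFFICIAL.values() for d in ds):
        return "official"
    # Brand name anywhere in the authority (subdomain label, hyphenated label,
    # or userinfo before '@') on a host that is not the vendor's own domain.
    if any(brand in authority for brand in OFFICIAL):
        return "brand-impersonation"
    return "unrelated"

# The two URLs as written in the article (defanged), plus constructed cases.
SAMPLES = [
    "https://trezor.authentication-check[.]io/",
    "https://ledger.setuptransactioncheck[.]com/",
    "https://trezor.io/",                  # constructed
    "https://trezor.io.login.example/",    # constructed
    "https://ledger.com@verify.example/",  # constructed
    "https://example.org/",                # constructed
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify(u):20} {u}")
```

This is a triage heuristic: "ledger" is also an ordinary word, so substring matches on it will flag some unrelated accounting sites and need a human look.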
Originally published on Bleeping Computer on 2/14/2026