Quick Summary
- Scammers are using physical mail to steal Ledger users’ 24-word seed phrases.
- The scam impersonates official Ledger communication and exploits a past data breach.
- Victims are misled into scanning a QR code and entering sensitive wallet recovery information.
- Ledger has warned that it never asks for recovery phrases through any channel.
- The attack stems from a 2020 data breach that exposed over 270,000 users.
A New Twist: Phishing Goes Offline
In a disturbing turn of events, cryptocurrency scammers have taken their phishing efforts offline. Instead of emails or fake websites, fraudsters are now targeting Ledger hardware wallet users through physical mail. These deceptive letters are designed to look exactly like official correspondence from Ledger, complete with company logos, business addresses, and even fabricated reference numbers to add legitimacy.
The Scam: A Threat Disguised as a Security Update
The scam exploits a massive 2020 data breach in which personal information—including names and home addresses—of more than 270,000 Ledger customers was leaked. Scammers are using this data to send realistic letters that urge recipients to scan a QR code and perform what appears to be a mandatory security update. The letters claim that users must enter their 24-word recovery phrase to prevent restricted access or blocked funds.
Jacob Canfield, a tech commentator who reported on the scam, warned that the physical letters are alarmingly authentic-looking. He highlighted how the attackers cleverly mimic Ledger’s branding to gain users’ trust before prompting them to reveal sensitive information.
Why the 24-Word Recovery Phrase Is So Dangerous
The 24-word seed phrase is essentially the master key to the wallet it backs up. Whoever holds this phrase can gain full access to all the digital assets in that wallet. That’s why phishing attempts, whether online or offline, target this crucial detail. Ledger has consistently emphasized that it never asks for recovery phrases via email, phone calls, or mail.
In a statement addressing the situation, Ledger reminded users:
“Ledger will not contact you through phone calls or direct messages, or request your 24-word recovery phrase. Any request for recovery phrases indicates a fraudulent attempt.”
Past Incidents Hint at Ongoing Threats
This isn’t the first time bad actors have tried to exploit the fallout from the 2020 data breach. In 2021, several users reported receiving Ledger devices that had been tampered with and sent through the mail, another form of attack that misled users into compromising their wallets.
What Users Should Do
Cryptocurrency holders must remain vigilant, especially those using hardware wallets like Ledger. Always double-check the legitimacy of any communication, and never enter your recovery phrase unless you’re setting up a new device, and even then only through the official Ledger platform.
As phishing scams evolve, users must adapt by practicing caution and relying only on verified sources for updates. When in doubt, consult Ledger’s official support before taking any action.