The Trezor letter, with a signature attributed to the CEO of its rival Ledger and a U.S. postmark, exposed the scammers' sloppiness beneath an otherwise polished façade.
According to copies shared online, the fake Trezor-branded letter claims a new “Authentication Check®” feature will soon become mandatory and instructs users to scan a QR code to activate it by a set deadline or risk limited access to wallet software.
Scammers are likely drawing on years of documented data breaches at both companies, attacks that exposed email addresses, home addresses, phone numbers, and proof of hardware wallet ownership.
Cybercrime consultant David Sehyeon Baek told Decrypt the move to physical mail is a deliberate psychological escalation, one that exploits instincts built over decades.
"Postal mail hits people differently, especially wallet users, because it feels like the threat has left the internet and entered your real life," he said. "An email can be dismissed as spam, but a letter with your name and home address basically signals, 'we can locate you,' and that triggers a much stronger safety reaction."
"It also borrows credibility from the postal system—most of us grew up associating mailed notices with banks, government, and utilities, so a clean letterhead and formal tone can feel more official than a random inbox message,” he added.
“Data leaked 10 years ago can still be useful today—how often do people change their mobile numbers or home addresses? Not so often,” Baek told Decrypt, saying exposed data is “sticky” and lets breach-linked profiles drive targeted scams for years across email, phone, and physical mail.
He added that crypto’s privacy protections are often overstated, noting that “it’s not truly anonymous, it’s pseudonymous,” and that once a wallet is tied to a real person, “the whole transaction history becomes very traceable.”
“Hardware wallet providers like Ledger and Trezor have limited ability to stop the phishing flows directly, because the phishing happens outside the device—inside the user's browser,” Alex Katz, CEO and founder of cybersecurity firm Kerberus, told Decrypt.
Hardware wallet data breachesCrypto users still have to “KYC regularly to use centralized exchanges,” Katz noted, and those databases can be breached, with some incidents disclosed only later, meaning “there’s always something leaking somewhere.”
He added that users should assume they’re continuously being targeted. "Attackers will keep combining channels like physical mail, SMS, and spoofed apps because it increases credibility and conversion. Not only in 2026—but going forward in general,” Katz said.
Decrypt has reached out to Trezor and Ledger for comment.
