Scammers are sending fraudulent physical letters to Ledger hardware wallet users, posing as official communications from the company to steal crypto assets.
In a new phishing scam targeting cryptocurrency holders, bad actors are mailing fake letters to Ledger wallet users, asking them to enter their private seed phrases under the guise of a “critical security update.”
Fraudulent Letters Mimic Official Ledger Communication
On April 29, tech analyst Jacob Canfield shared an alarming image on X (formerly Twitter) of a physical letter he received. The envelope, which closely mimicked official Ledger branding, urged him to scan a QR code and submit his 24-word recovery phrase to supposedly verify his wallet.
The scam letter included Ledger’s logo, a fake reference number, and even the company’s real business address to appear credible. It warned that failing to act would lead to restricted access to crypto funds.
Ledger Confirms Scam and Issues Warning
In response to Canfield’s post, Ledger issued a warning confirming the letter is fraudulent. The company reminded users of a critical safety rule in crypto:
“Ledger will never ask for your 24-word recovery phrase. If someone does, it’s a scam.”
They also warned users not to trust anyone claiming to be a Ledger employee or offering help with fund recovery.
Possible Link to 2020 Ledger Data Breach
Canfield suggested the letters may be targeting victims of the 2020 Ledger data breach, when a hacker leaked the personal information of over 270,000 customers—including names, phone numbers, and home addresses.
Following that breach, some users received tampered Ledger devices in the mail, designed to install malware upon use, according to reports by Bleeping Computer in 2021.
Reminder: Never Share Your Seed Phrase
A seed phrase, also known as a recovery phrase, is a string of 12 to 24 words that grants full access to a cryptocurrency wallet. Anyone with this phrase can take control of the wallet and drain its contents.
This latest scam is a strong reminder to all crypto users: never share your recovery phrase—not via email, not over the phone, and certainly not through physical mail.
