The letters are an attempt to trick recipients into revealing their seed recovery phrases via malicious QR codes. At the same time, Figure Technology disclosed a separate data breach caused by a social-engineering attack on an employee, with the hacking group ShinyHunters claiming to have leaked 2.5GB of customer data. Although overall crypto phishing losses declined in 2025, security researchers warn that scams continue to grow and often track market activity.
Scammers Mail Fake Letters
Crypto hardware wallet users are once again being targeted through physical mail scams that are designed to steal their seed recovery phrases. Recent reports indicate that users of both Ledger and Trezor devices received fraudulent letters urging them to complete urgent “authentication” or “transaction” checks, with attackers attempting to trick recipients into revealing sensitive wallet information.
Cybersecurity expert Dmitry Smilyanets was among the first to point out the latest wave of letters after receiving one on Feb. 13 that appeared to be from Trezor. The letter instructed users to perform an “Authentication Check” by Feb. 15 or risk having their device restricted. It included a hologram and a QR code, which helped add a veneer of legitimacy.
However, the QR code reportedly directed users to a malicious website designed to mimic official wallet setup pages. The letter was also falsely presented as being signed by Matěj Žák, who was incorrectly described as the CEO of Ledger. In reality, Žák is the CEO of Trezor.
Similar tactics were reported by Ledger users as far back as last October, when recipients received letters claiming they needed to complete mandatory “Transaction Check” procedures. In both cases, scanning the QR code led victims to spoofed websites that prompted them to enter their wallet recovery phrases. Once submitted, the seed phrases were transmitted to threat actors via a backend API, which allowed them to import the wallets and drain funds.
Both Ledger and Trezor have consistently warned that legitimate hardware wallet providers will never ask users to share their recovery phrases, whether through websites, email, phone calls, or physical mail. A recovery phrase is effectively the master key to a crypto wallet, and anyone with access to it can control the associated funds.
The resurgence of physical mail phishing now forms part of the trend where scams continue to grow rather than disappear during market downturns. According to Deddy Lavid, CEO of cybersecurity firm Cyvers, crypto scams historically do not decline in bear markets but instead adapt. He shared that while speculative hacks may slow during periods of lower market activity, social engineering and impersonation schemes often increase. During downturns, users may be more anxious and more vulnerable to fear-based tactics, like fake compliance letters or urgent wallet alerts.
These latest incidents are part of a longer pattern of data breaches and targeted attacks affecting hardware wallet customers. Ledger and its third-party partners have experienced multiple data leaks over the past several years, which exposed customer information including physical addresses. Trezor also reported a security breach in January of 2024 that exposed the contact details of nearly 66,000 customers.
Announcement from Trezor
Figure Breach Exposes Customer Information
Data breaches are not exclusive to hardware wallet providers. Figure Technology, a blockchain-based lending firm, reportedly suffered a data breach after attackers successfully carried out a social-engineering scheme targeting one of its employees.
According to a company spokesperson who spoke to TechCrunch, the breach allowed hackers to access “a limited number of files.” The company started notifying affected individuals and is offering free credit-monitoring services to those who receive official breach notifications.
The full scope of the incident is still unclear. Figure has also not publicly disclosed how many customers were affected or when the intrusion was first detected.
Responsibility for the attack was claimed by the hacking collective ShinyHunters, which posted about the breach on its dark-web leak site. The group alleged that Figure declined to pay a ransom demand and subsequently published approximately 2.5 gigabytes of data that it claims was exfiltrated from the company’s systems. TechCrunch reported that it reviewed samples of the leaked material, which included customers’ full names, residential addresses, dates of birth and phone numbers. This kind of information can be highly valuable for identity theft, targeted phishing campaigns and other forms of financial fraud.
The breach comes during a time of shifting trends in crypto-related phishing activity. According to data from Web3 security firm Scam Sniffer, phishing attacks linked to wallet drainers declined sharply in 2025. Total reported losses fell to $83.85 million, which is an 83% drop from nearly $494 million in 2024. The number of victims also decreased by about 68% year over year to roughly 106,000 across Ethereum Virtual Machine chains.
However, researchers warned that the decline does not signal the end of phishing threats. Instead, losses have closely mirrored overall market conditions. Periods of heightened on-chain trading activity tend to coincide with spikes in phishing-related losses, while quieter market conditions often see reduced totals. During the third quarter of 2025, when Ethereum experienced its strongest rally of the year, phishing losses reached their highest quarterly total at $31 million. Monthly losses during the year ranged from as little as $2.04 million in December to $12.17 million in August.
Source: https://coinpaper.com/14666/fraudsters-target-ledger-and-trezor-users-by-post
