Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases
Scammers mail fake Ledger phishing letters with QR codes to steal crypto wallet seed phrases from Italian users.
Summary
Scammers are conducting a targeted physical phishing campaign against Ledger hardware wallet users in Italy, sending official-looking letters that impersonate Ledger and include QR codes directing victims to phishing sites where they are tricked into revealing their 24-word recovery seed phrases. The campaign uses localized Italian-language letters and references to a fake "Quantum Resistance" security update to create urgency. Ledger has publicly warned users that the company never requests seed phrases. Researchers and crypto community members suspect the attackers' mailing list originated from a January 2026 breach of Global-e, Ledger's e-commerce processing partner, though that connection has not been officially confirmed.
Full text
By Waqas, May 17, 2026 (2 minute read)

Crypto wallet owners using Ledger hardware wallets are being targeted through physical mail, with scammers impersonating the company in a campaign designed to steal recovery seed phrases. The operation uses printed letters that look official, complete with Ledger branding, a reference number, and a fake security notice warning recipients about an urgent “Quantum Resistance” update.

One example of the scam circulating online shows an Italian language version addressed to a customer in Italy, suggesting the attackers are tailoring the campaign based on regional customer data. The letter claims users must complete a mandatory security upgrade for their Ledger device before a deadline or risk losing wallet functionality.

The letter includes a QR code that routes victims to a phishing website. From there, users are asked to enter their 24-word recovery seed phrase, the single piece of information that gives full access to a crypto wallet. Once entered, attackers can immediately drain stored cryptocurrency assets.

The fake notice is signed in the name of Ledger CTO Charles Guillemet and references a supposed “Quantum Resistance” security system meant to defend wallets against quantum computing threats. The wording attempts to create urgency by warning users that failure to complete the update may disrupt wallet access and disable certain features.

It is worth noting that although the letter includes Ledger’s corporate address in Paris, France, the recipient shown in the circulating example appears to be based in Italy. The document is fully written in Italian, which suggests the campaign is targeting users in multiple countries with localized versions rather than focusing only on French customers.

[Image: The fake letter (Screenshot credit: @IntCyberDigest on X)]

Ledger has publicly confirmed that physical phishing campaigns targeting crypto holders are active. In its support advisory, the company warns customers that any message, email, social media account, or physical letter requesting a recovery phrase is fraudulent.

The company also repeated a rule long emphasized by hardware wallet vendors across the crypto industry: recovery phrases should never be shared with anyone under any circumstances. Ledger stated that it will never ask users to reveal their 24-word secret phrase, whether through a website, QR code, phone call, or printed document.

Attention is also turning toward the source of the mailing data. Researchers and crypto community members suspect the information may have originated from the January 2026 breach involving Global-e, Ledger’s e-commerce processing partner. While that connection has not been officially confirmed, the localized nature of the letters has fueled speculation that attackers had access to customer shipping and regional order data.

This is not the first time Ledger users have faced targeted phishing attempts after customer information leaks. Previous campaigns have included fake firmware updates, cloned Ledger Live applications, phishing emails, and counterfeit hardware wallets designed to harvest seed phrases.

For affected users, the safest response is straightforward. Do not scan the QR code, do not visit the linked site, and never enter a recovery phrase anywhere outside the initial wallet recovery process on a trusted device. Anyone who has already submitted their seed phrase should immediately transfer funds to a newly created wallet with a fresh recovery phrase before attackers gain access.
Indicators of Compromise
- malware — Ledger Phishing Campaign