A new type of scam is targeting crypto users, with attackers sending physical letters directly to hardware wallet owners – a fresh twist on a tactic traditionally deployed via email. According to reports, the scam specifically targets Ledger wallet users.

In official-looking letters bearing Ledger’s logo and business address, the scammers pose as the company’s “Security and Compliance” team. They urge recipients to scan a QR code and enter their 24-word recovery phrase to “validate” their device. The letters claim that the process is part of a “critical security update” and warn that failure to complete the “mandatory validation” could result in restricted access to wallets and funds. Those who fall for the trick risk losing all funds stored on their device.

The information was first posted on X by Jacob Canfield, who urged readers to “be very cautious” and to warn hardware wallet users among friends and family who may not otherwise be crypto-savvy. Ledger was quick to respond in the comments, confirming that its customers were being affected. “You are correct, this is a scam. We appreciate your efforts to warn others. Please stay vigilant against phishing attempts,” the company said.

The physical mail scheme exploits data from the 2020 customer address leak. In July 2020, Ledger’s e-commerce and marketing database was compromised due to a misconfigured third-party API, exposing the personal data of roughly 270,000 customers – including names, email addresses, phone numbers, and physical mailing addresses. A subsequent dump on RaidForums contained 272,853 detailed buyer records, which scammers began freely sharing later that year.