New Crypto Theft Campaign Targets Ledger and Trezor Wallet Users
A recent surge in cryptocurrency-related scams has targeted users of popular hardware wallets, including Ledger and Trezor. According to reports, cybercriminals have shifted their tactics from traditional online phishing methods to a more sophisticated approach involving physical mail. This new campaign is designed to trick users into revealing sensitive information, such as recovery phrases, which can be used to steal their digital assets.
Physical Letters Used to Deceive Users
The scammers are sending out letters that appear to be official communications from Ledger and Trezor. These letters are printed on letterhead that mimics the branding of these companies, creating a false sense of legitimacy. The messages claim that users must undergo “mandatory checks” to maintain access to their wallet features. This tactic is intended to create a sense of urgency, pressuring recipients to act quickly without questioning the authenticity of the message.
In one example, a letter addressed to Trezor users urged them to complete an “authentication check” by February 15 or risk losing certain functionalities on their devices. The letter instructed users to scan a QR code that would lead them to a malicious website. Similarly, a letter targeting Ledger users claimed that a “transaction check” was required, with the same deadline.
Phishing Sites Created to Steal Recovery Phrases
Once users scan the QR code, they are directed to phishing websites that mimic the official domains of Ledger and Trezor. These sites are designed to look authentic, making it difficult for users to distinguish between real and fake pages. While the Ledger phishing site is currently offline, the Trezor phishing site remains active and has been flagged by browsers as a potential threat.
The warning message on the Trezor phishing site states that attackers may attempt to trick users into installing malicious software or revealing personal information, such as passwords, phone numbers, or credit card details. It also advises users to return to a safe website.
Before being flagged, the Trezor phishing site displayed a message urging users to complete the authentication check by the specified deadline. However, it also mentioned that certain models of Trezor wallets, such as the Safe 7, Safe 3, Safe 1, and Safe 5, were already preconfigured and did not require the check. Despite this, the site continued to push users toward completing the process.
How the Scam Works
If users proceed past the initial warnings, they are prompted to enter their recovery phrases. Scammers claim this information is needed to verify device ownership and enable authentication. However, once the recovery phrase is entered, it is sent to the scammers through a backend API endpoint.
Recovery phrases are crucial for accessing cryptocurrency wallets. They are the seed from which the wallet's private keys are derived, so whoever holds the phrase controls the funds. If a scammer gains access to this information, they can take full control of the wallet and drain its contents. Both Ledger and Trezor have repeatedly warned users that they will never ask for recovery phrases under any circumstances.
Recommendations for Users
Hardware wallet manufacturers emphasize that recovery phrases should only be entered directly on the hardware wallet device. Users are advised to remain vigilant and avoid clicking on links or scanning QR codes from unsolicited messages. Additionally, it is important to verify the authenticity of any communication by checking official company channels.
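As an added illustration of the "verify the source" advice above (example code written for this article, not a tool from Ledger or Trezor), the check below classifies a URL decoded from a QR code by its hostname alone, flagging both subdomain tricks such as a brand name buried in an unrelated domain and near-miss typosquats; the official domains are an assumption of the example, not values quoted in the article.

```python
from urllib.parse import urlparse

# Assumed official domains for this check (not stated in the article); extend as needed.
OFFICIAL_DOMAINS = {"ledger.com", "trezor.io"}
BRAND_WORDS = {d.split(".")[0] for d in OFFICIAL_DOMAINS}  # {"ledger", "trezor"}


def registrable_domain(host: str) -> str:
    """Last two DNS labels: 'shop.trezor.io' -> 'trezor.io'.
    Sufficient for .com/.io; two-part public suffixes (co.uk) would need the PSL."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquats such as 'trez0r.io'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_qr_url(url: str) -> str:
    """Classify a URL decoded from a QR code: 'official', 'lookalike' or 'unrelated'.

    Only the hostname is judged; path and page content are ignored because a
    phishing page copies those from the real site.
    """
    parsed = urlparse(url if "://" in url else "https://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return "unrelated"
    reg = registrable_domain(host)
    if reg in OFFICIAL_DOMAINS:
        return "official"
    # Brand name hiding in a subdomain or inside a label: trezor.io.check.example
    if any(brand in label for brand in BRAND_WORDS for label in host.split(".")):
        return "lookalike"
    # Small edit distance from an official domain: trez0r.io, 1edger.com
    if any(edit_distance(reg, official) <= 2 for official in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unrelated"
```

Anything other than "official" means the QR code should not be trusted; the same comparison applies to links in e-mails, not just printed letters.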
Final Tips for Staying Secure
- Never share your recovery phrase with anyone.
- Always double-check the source of any communication claiming to be from Ledger or Trezor.
- Avoid clicking on links or scanning QR codes from suspicious messages.
- Use two-factor authentication (2FA) where available.
- Keep your hardware wallet firmware updated to protect against vulnerabilities.
By staying informed and cautious, users can better protect themselves from these evolving threats.