Crypto hackers send virtual characters impersonating Trezor and Ledger to steal crypto wallet recovery phrases.
Summary
- Hackers send fake Trezor and Ledger via QR codes for phishing.
- The sites ask for recovery phrases and give the attackers full control of the wallet.
- Hardware wallet firms never ask users to share seed phrases.
Recipients of phishing campaign claims must complete the mandatory “Verification Check” or “Transaction Check” procedures.
Hackers are also creating a rush for the February 15, 2026 Trezor deadline. Letters printed on legitimate-looking letterhead direct users to scan QR codes that lead to malicious websites.
Phishing sites ask for 24-, 20-, or 12-character recovery phrases under the guise of verifying device identity.
Once installed, the rescue phrases are transmitted to threat actors through API endpoints, giving attackers full control over victims’ wallets and funds.
Both hardware wallet companies have experienced data breaches in recent years that exposed customer contact information.
Phishing sites create urgency with operational alerts
Cybersecurity expert Dmitry Smilyanets found a fake Trezor letter warning that failure to complete the verification will result in the device losing functionality.
“To avoid any disruption to your Trezor Suite access, please scan the QR code with your mobile phone and follow the instructions on our website,” the letter said.
Trezor’s phishing site displays warnings about limited access, transactional signing errors, and disruptions to upcoming updates.
The same Ledger-themed book distributed in X, states that Auditing of Transactions will be mandatory.
Phishing pages allow users to enter recovery phrases in multiple formats, falsely verify device identity and enable authentication features.
When victims enter recovery phrases, the data is transferred to a phishing site. Attackers load the wallet into their machines and withdraw money.
The letters create a false sense of urgency by requiring devices purchased after November 30, 2025 to come pre-configured, forcing early buyers to act.
Crypto hardware wallet companies never ask for recovery phrases
Phishing campaigns targeting hardware wallet users remain rare. Crypto hackers are mailing modified Ledger devices in 2021 designed to steal recovery phrases during setup. A similar mailing campaign targeting Ledger users was reported in April.
Whoever has access to the wallet gets full control over the wallet and all funds. Trezor and Ledger never ask users to enter, scan, upload, or share recovery phrases through any channel.
Recovery phrases should only be entered directly into the hardware wallet devices when restoring the wallet, not into computers, mobile devices, or websites.
The identification criteria for visible characters remain unclear. However, previous data breaches of both companies exposed customer email addresses and contact information to potential attackers.
