TLDR:
- Scammers are sending physical letters to Ledger hardware wallet owners asking for seed phrases
- The letters claim to be from Ledger requiring a “critical security update”
- Victims are asked to scan QR codes and enter their wallet recovery phrases
- This scam may be connected to a 2020 Ledger database leak of 270,000 users’ information
- Ledger confirms these are scams and reminds users they never request recovery phrases

Scammers have begun mailing physical letters to owners of Ledger hardware wallets in an attempt to steal their private seed phrases and gain access to their funds.
The fraudulent letters, disguised as official communications from Ledger, ask users to validate their private recovery phrases under the false premise of performing a “critical security update.”
Tech commentator Jacob Canfield brought attention to this scam on April 29, 2025, when he shared on X (formerly Twitter) a letter he received that appeared to be from Ledger. The letter used Ledger’s logo and business address to create a facade of legitimacy.
The fraudulent mail urges recipients to scan a QR code and enter their wallet’s private recovery phrase. It even includes a threat that “failure to complete this mandatory validation process may result in restricted access to your wallet and funds.”
Breaking: New scam meta launched. Now they’re sending physical letters to the @Ledger addresses database leak requesting an ‘upgrade’ due to a security risk.
Be very cautious and warn any friends or family that you know is in crypto and is not that savvy. pic.twitter.com/XoUAGQBJXt
— Jacob Canfield (@JacobCanfield) April 28, 2025
For the uninitiated, a seed phrase or recovery phrase is a string of up to 24 words that provides full access to a cryptocurrency wallet. Anyone who obtains this phrase can control the wallet and transfer all funds out of it.
Connection to Previous Data Breach
This latest scam may be linked to a major security breach Ledger experienced in 2020. During that incident, a hacker accessed Ledger’s database and leaked the personal information of more than 270,000 customers online. The exposed data included names, phone numbers, and home addresses.
Canfield suggested that the scammers are targeting users whose information was compromised in that data breach. This would explain how scammers obtained the physical addresses needed to send these fraudulent letters.
This isn’t the first time Ledger users have been targeted through physical mail. In 2021, following the data leak, some Ledger users reported receiving counterfeit Ledger devices in the mail that had been tampered with to install malware when connected to a computer.
Ledger’s Response
In response to Canfield’s post about the letter, Ledger confirmed it was a scam and warned users to remain vigilant against such phishing attempts. The company emphasized that it would “never call, DM [direct message], or ask for your 24-word recovery phrase. If someone does, it’s a scam.”
Ledger also advised users not to engage with accounts claiming to be Ledger employees or anyone offering to help recover funds. The company acknowledged that “scammers impersonating Ledger and Ledger representatives are unfortunately common.”
The crypto wallet provider has faced various security challenges over the years, including supply chain attacks and numerous phishing campaigns targeting its users. As Canfield pointed out, Ledger might need to update its security warnings to specifically include letters alongside direct messages and phone calls.
For Ledger users and cryptocurrency holders in general, this incident serves as a reminder of the importance of protecting seed phrases. Security experts consistently advise that recovery phrases should never be shared with anyone under any circumstances.
Users who receive such letters should report them to Ledger and local authorities. The company continues to advise customers to stay cautious and keep their crypto safe by guarding their recovery phrases.
The most recent reports indicate that multiple Ledger users have received these fraudulent letters, suggesting this is not an isolated incident but rather a coordinated campaign targeting cryptocurrency holders.