Fake Ledger Letters Surface in Brazen Crypto Phishing Play
Scammers are upping their game—this time impersonating Ledger with counterfeit letters targeting crypto holders. The latest scheme preys on hardware wallet users, blending old-school mail fraud with digital asset theft.
How it works: Victims receive physical letters mimicking Ledger’s branding, urging them to ’secure their assets’ via a malicious link. Classic social engineering—just with a postal twist.
Security experts warn these attacks are getting sophisticated. ’They’ve studied corporate comms down to the paper stock,’ says one blockchain analyst. Meanwhile, Ledger’s actual support team reiterates: they never ask for recovery phrases via mail—or any channel.
Another day, another crypto scam. At least Wall Street bankers wait until after lunch to pick your pockets.
Crypto Scammers Turn to USPS in Shift to Physical Phishing Attacks
The letters have reportedly been delivered via the United States Postal Service (USPS), signaling a shift in tactics from digital to physical social engineering.
Troy Lindsey, another recipient of the letter, warned others on social media: “These are all scams. Do not fall for any of these.”
I got the same one
last week I took and had @grok analyze it. These are all scams do not fall for any of these!! pic.twitter.com/ZFNpQpujqA
The warning echoes growing concerns about phishing schemes that leverage physical credibility to trick crypto users into exposing sensitive data.
The attack comes amid a rise in crypto-related phishing cases. In April, $330 million in Bitcoin was stolen from an elderly victim, a heist confirmed by blockchain investigator ZackXBT.
He linked the crime to individuals operating from a scam call center in Camden, UK.
Meanwhile, Coinbase disclosed earlier this month that it was the target of a ransom attempt after customer support contractors leaked user data.
The attackers demanded $20 million, which the exchange refused to pay. While Coinbase stated that no private keys or account access were compromised, the leaked data included names and contact information.
TechCrunch founder Michael Arrington criticized the exchange, warning that breaches of this kind could lead to real-world harm for exposed customers.
Fake Ledger Live Apps Target macOS Users
Last week, cybersecurity firm Moonlock warned that a wave of malware attacks targeting macOS users is exploiting trust in Ledger Live, a popular crypto wallet management app.
Moonlock warned that malicious actors are using trojanized clones of Ledger Live to trick users into entering their recovery phrases through convincing pop-ups.
“Within a year, they have learned to steal seed phrases and empty the wallets of their victims,” the team stated, noting a major evolution in the threat.
One of the primary infection vectors is the Atomic macOS Stealer, a tool designed to exfiltrate sensitive data such as passwords, notes, and crypto wallet details.
Moonlock discovered it embedded across at least 2,800 compromised websites.
Once installed, the malware quietly replaces the genuine Ledger Live app with a fake one that triggers fake alerts to harvest seed phrases.
The moment a user enters their 24-word recovery phrase into the phony app, the information is sent to servers controlled by the attacker.
