Scammers Send Fake Ledger Letters in Latest Crypto Phishing Scheme

Key Takeaways:

• Scammers are mailing fake Ledger letters via USPS, urging crypto users to “validate” wallets to steal private keys.
• Physical phishing tactics mark a shift from online-only attacks, raising new concerns for crypto security.
• Fake Ledger Live apps are targeting macOS users with trojanized malware designed to steal recovery phrases.

A new phishing scam is targeting crypto holders through traditional mail, with scammers impersonating hardware wallet maker Ledger and sending fake letters urging users to “validate” their wallets or risk losing access to funds.

BitGo CEO Mike Belshe was among the first to flag the attack, sharing an image of the fraudulent letter, which included a QR code — likely linked to a phishing site designed to steal private keys.

The letters have reportedly been delivered via the United States Postal Service (USPS), signaling a shift in tactics from digital to physical social engineering.

Troy Lindsey, another recipient of the letter, warned others on social media: “These are all scams. Do not fall for any of these.”

I got the same one last week I took and had @grok analyze it. These are all scams do not fall for any of these!! pic.twitter.com/ZFNpQpujqA

The warning echoes growing concerns about phishing schemes that leverage physical credibility to trick crypto users into exposing sensitive data.

The attack comes amid a rise in crypto-related phishing cases. In April, $330 million in Bitcoin was stolen from an elderly victim, a heist confirmed by blockchain investigator ZackXBT.

He linked the crime to individuals operating from a scam call center in Camden, UK.

Meanwhile, Coinbase disclosed earlier this month that it was the target of a ransom attempt after customer support contractors leaked user data.

The attackers demanded $20 million, which the exchange refused to pay. While Coinbase stated that no private keys or account access were compromised, the leaked data included names and contact information.

TechCrunch founder Michael Arrington criticized the exchange, warning that breaches of this kind could lead to real-world harm for exposed customers.

Last week, cybersecurity firm Moonlock warned that a wave of malware attacks targeting macOS users is exploiting trust in Ledger Live, a popular crypto wallet management app.

Moonlock warned that malicious actors are using trojanized clones of Ledger Live to trick users into entering their recovery phrases through convincing pop-ups.

“Within a year, they have learned to steal seed phrases and empty the wallets of their victims,” the team stated, noting a major evolution in the threat.

One of the primary infection vectors is the Atomic macOS Stealer, a tool designed to exfiltrate sensitive data such as passwords, notes, and crypto wallet details.

Moonlock discovered it embedded across at least 2,800 compromised websites.

Once installed, the malware quietly replaces the genuine Ledger Live app with a fake one that triggers fake alerts to harvest seed phrases.

The moment a user enters their 24-word recovery phrase into the phony app, the information is sent to servers controlled by the attacker.

The post Scammers Send Fake Ledger Letters in Latest Crypto Phishing Scheme appeared first on Cryptonews.