HackRead

Scammers Send Physical Phishing Letters to Steal Ledger Wallet Seed Phrases


Crypto wallet owners using Ledger hardware wallets are being targeted through physical mail, with scammers impersonating the company in a campaign designed to steal recovery seed phrases. The operation uses printed letters that look official, complete with Ledger branding, a reference number, and a fake security notice warning recipients about an urgent “Quantum Resistance” update.

One example of the scam circulating online shows an Italian-language version addressed to a customer in Italy, suggesting the attackers are tailoring the campaign based on regional customer data. The letter claims users must complete a mandatory security upgrade for their Ledger device before a deadline or risk losing wallet functionality.

The letter includes a QR code that routes victims to a phishing website. There, users are asked to enter their 24-word recovery seed phrase, the single piece of information that gives full access to a crypto wallet. Once the phrase is entered, attackers can immediately drain stored cryptocurrency assets.

The fake notice is signed in the name of Ledger CTO Charles Guillemet and references a supposed “Quantum Resistance” security system meant to defend wallets against quantum computing threats. The wording attempts to create urgency by warning users that failure to complete the update may disrupt wallet access and disable certain features.

It is worth noting that although the letter includes Ledger’s corporate address in Paris, France, the recipient shown in the circulating example appears to be based in Italy. The document is fully written in Italian, which suggests the campaign is targeting users in multiple countries with localized versions rather than focusing only on French customers.

Ledger has publicly confirmed that physical phishing campaigns targeting crypto holders are active. In its support advisory, the company warns customers that any message, email, social media account, or physical letter requesting a recovery phrase is fraudulent.

The company also repeated a rule long emphasized by hardware wallet vendors across the crypto industry: recovery phrases should never be shared with anyone under any circumstances. Ledger stated that it will never ask users to reveal their 24-word secret phrase, whether through a website, QR code, phone call, or printed document.

Attention is also turning toward the source of the mailing data. Researchers and crypto community members suspect the information may have originated from the January 2026 breach involving Global-e, Ledger’s e-commerce processing partner. While that connection has not been officially confirmed, the localized nature of the letters has fueled speculation that attackers had access to customer shipping and regional order data.

This is not the first time Ledger users have faced targeted phishing attempts after customer information leaks. Previous campaigns have included fake firmware updates, cloned Ledger Live applications, phishing emails, and counterfeit hardware wallets designed to harvest seed phrases.

For affected users, the safest response is straightforward. Do not scan the QR code, do not visit the linked site, and never enter a recovery phrase anywhere outside the initial wallet recovery process on a trusted device. Anyone who has already submitted their seed phrase should immediately transfer funds to a newly created wallet with a fresh recovery phrase, before attackers drain the compromised one.




