
Key Takeaways
- Ledger users are being targeted by physical mail scams requesting seed phrases.
- Scammers are using data from the 2020 Ledger breach that exposed 270,000 users.
- Ledger reiterates it never asks for 24-word recovery phrases in any form.
A new phishing scam has emerged targeting users of Ledger hardware wallets, this time using physical mail to exploit personal information leaked in a 2020 data breach.
Victims are receiving official-looking letters claiming to be from Ledger’s security team, warning of a “mandatory security update.”
Scam tactics & warnings
The letters instruct recipients to scan a QR code and enter their 24-word seed phrase — a move that would hand over full control of their wallets to scammers.
Ledger has reiterated that it never asks users to share recovery phrases under any circumstances.
Ledger stated in response to reports:
Ledger will never ask for your 24-word recovery phrase. If someone does, it’s a scam.
Initial reports & historical context
The scam was first reported on April 29 by tech analyst Jacob Canfield, who received one of the fraudulent letters at his home.
Canfield posted on X:
Breaking: New scam meta launched. Now they’re sending physical letters to the @Ledger addresses database leak requesting an ‘upgrade’ due to a security risk. Be very cautious and warn any friends or family that you know is in crypto and is not that savvy.
— Jacob Canfield (@JacobCanfield) April 28, 2025
This phishing attempt exploits the Ledger data breach from 2020, in which over 270,000 users had their names, phone numbers, email addresses, and home addresses leaked.
While digital phishing attempts have been ongoing for years, this latest wave revives a previous tactic used in 2021, where scammers mailed tampered Ledger devices.
Ledger’s response & user advisory
Ledger has issued new warnings, urging users to remain vigilant and to ignore all unsolicited requests for recovery phrases, no matter how official they appear.