
Scammers Use Fake Ledger Mail and Phony Apps to Launch Sophisticated Phishing Attack


Crypto users are facing a fresh wave of phishing scams—this time arriving through physical mailboxes. Scammers are posing as Ledger, the well-known hardware wallet manufacturer, and sending out forged letters via the U.S. Postal Service. These letters falsely claim users must “validate” their wallets or risk losing access to their funds. Accompanied by QR codes, these letters are believed to redirect recipients to phishing websites designed to steal private keys or recovery phrases.

The scam was first brought to light by BitGo CEO Mike Belshe, who shared a photo of one such letter on social media. Others in the crypto community, including user Troy Lindsey, quickly echoed the warning, urging people to treat such mail as fraudulent. The use of USPS marks a disturbing shift from digital-only tactics to physical social engineering, targeting victims with a false sense of legitimacy.

This new scam comes on the heels of a surge in phishing attacks targeting crypto users. In April, blockchain sleuth ZachXBT confirmed that a $330 million Bitcoin heist targeting an elderly individual originated from a UK-based scam call center. Around the same time, Coinbase revealed it had been the target of a $20 million extortion attempt after personal data was leaked by contracted support staff. While no wallets or keys were compromised, names and contact details were exposed—prompting concern from industry leaders. TechCrunch founder Michael Arrington went so far as to warn that such leaks could lead to real-world harm, not just digital theft.

Meanwhile, macOS users are also under attack through malicious Ledger Live clones. Cybersecurity firm Moonlock recently reported a rise in trojanized apps masquerading as the official Ledger Live software. These fake apps prompt users to enter their recovery seed phrases via fake pop-ups—an effective trick that has reportedly emptied numerous wallets. The malware at the center of this campaign, the Atomic macOS Stealer, has been embedded in over 2,800 compromised websites. Once downloaded, it quietly replaces the real app with a fake version designed to capture wallet credentials and transmit them to an attacker-controlled server.

The combination of physical phishing letters and software impersonation attacks underscores an evolving threat landscape for crypto holders. As scammers turn to more creative and convincing methods, users are advised to remain vigilant, verify all communications directly through official channels, and never input sensitive wallet information unless they are certain of a platform’s authenticity.
