In February 2026, Trezor hardware wallet owners started receiving letters. Trezor letterhead. Holographic seal. A US postmark. The letter said "authentication check" was becoming mandatory — scan the QR code by February 15th or lose access to Trezor Suite. It was signed with the name of Trezor CEO Matěj Žák.
Except it labeled him as Ledger's CEO. And the QR code led to trezor.authentication-check[.]io.
BleepingComputer first reported the campaign on February 14, 2026, after security researcher Dmitry Smilyanets posted a photo of the letter to X. A parallel campaign was running simultaneously — Ledger-branded letters pointing to ledger.setuptransactioncheck[.]com, different deadline, same goal.
The goal was always the same: get your 24-word seed phrase.
What the Letter Wanted
The site behind the QR code presented a single form. "Verify device ownership to enable Authentication Check." Enter your recovery phrase to proceed.
That's the scam in its entirety. Submit the phrase, and your wallet is gone. The credentials go straight to the attacker. Crypto transactions are irreversible, wallet addresses are pseudonymous, and there is no customer support department that gives it back.
Both domains are now down. Google Chrome added dangerous-site warnings before the takedowns. The sites remained accessible even with those warnings displayed.
Why Your Seed Phrase Is Your Whole Wallet
The seed phrase is not a password. It's not a PIN. It doesn't authenticate you to a service that can lock an account or freeze a transaction.
It is the master key that generates every private key your wallet uses. Your crypto doesn't live on your Trezor or Ledger device — it lives on the blockchain. The device manages the keys. Anyone with your seed phrase can restore your wallet on any compatible device, anywhere, immediately, and take everything in it. There is no recovery. No chargeback. No appeal.
Ledger's official guidance is unambiguous: "We will never ask for it, nor should anyone else." Trezor's position is identical — they will never contact you first, and they will never ask for your backup phrase under any circumstances.
A letter in the post asking for it is a scam. Full stop, no exceptions.
Where They Got Your Address
These weren't random mailings. The addresses came from somewhere specific, and that somewhere is well-documented.
In July 2020, an unauthorized third party accessed Ledger's e-commerce database through an exposed API key belonging to a third-party contractor. Ledger disclosed the breach: 272,000 customers had their full names, postal addresses, phone numbers, and order details exposed. Another million email addresses were taken without the associated physical data.
Then in December 2020, the full dataset was dumped for free on RaidForums. Not sold — given away to anyone who wanted it. 272,000 verified crypto hardware wallet owners, complete with home addresses. That data has been in circulation ever since. It doesn't expire. People who bought Ledger hardware in 2017 still live at most of those addresses.
Then January 2026 happened. Ledger disclosed a breach at Global-e, a third-party international e-commerce platform used to process orders on Ledger.com. Names and contact information of affected customers were exposed. The incident was disclosed January 5th — weeks before the February letters started arriving.
Trezor's exposure is different in character. A January 2024 breach of Trezor's support portal exposed names and email addresses for roughly 66,000 customers who had contacted support since late 2021. No physical addresses in that one — but it confirmed identity as a Trezor owner. Cross-reference against the Ledger dump or a data broker database and you have a usable mailing list.
Your digital footprint extends further than most people realize. An email address tied to a crypto purchase in 2019. A home address that shows up in three broker databases. A leaked database that connects both. Criminals connect those dots. This is exactly the kind of enrichment that infostealers and data resellers make routine.
Inside the Infrastructure
The domain construction was deliberate: trezor.authentication-check[.]io, not authentication-check.trezor.io. In the first form "trezor" is only a subdomain label, and the registrable domain, the part the attacker controls, is authentication-check[.]io. Put the brand name at the front, and casual readers don't look at what follows. It's a well-worn tactic, and it keeps working.
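Added example, not part of the original article: a Python check for the domain construction described above, applied to a URL decoded from a QR code before anyone opens it. The allowlist of vendor domains (trezor.io, ledger.com) and the function names are assumptions for illustration; the sample hosts are the ones named in the article, kept defanged.

```python
from urllib.parse import urlsplit

# Assumption: vendor-controlled registrable domains, taken from the names this
# article uses (trezor.io, Ledger.com). Maintain the list from vendor documentation.
OFFICIAL = {"trezor": "trezor.io", "ledger": "ledger.com"}

def refang(text: str) -> str:
    """Undo the [.] defanging used in reports so the host can be parsed (not fetched)."""
    return text.strip().replace("[.]", ".")

def classify(url: str) -> str:
    """Return 'official', 'brand-lookalike' or 'unrelated' for a QR-decoded URL."""
    url = refang(url)
    if "://" not in url:
        url = "//" + url  # lets urlsplit treat a bare host as the network location
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # The host must BE a vendor domain or end in ".<vendor domain>".
    for domain in OFFICIAL.values():
        if host == domain or host.endswith("." + domain):
            return "official"
    # A brand string anywhere else in the host is the pattern this campaign used.
    if any(brand in host for brand in OFFICIAL):
        return "brand-lookalike"
    return "unrelated"

# Constructed input list: the two campaign hosts from the article, the article's
# contrasting form, and a neutral host.
SAMPLES = [
    "trezor.authentication-check[.]io",
    "ledger.setuptransactioncheck[.]com",
    "https://authentication-check.trezor.io/",
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):16} {sample}")
```

An "official" verdict says only that the host sits under a vendor domain; no page, on any domain, should be given the recovery phrase.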
The backend endpoint where seed phrases landed: trezor.authentication-check[.]io/black/api/send.php. Recovery phrases submitted through the form were forwarded in real time to the attacker via a Telegram bot — a standard setup in modern phishing kits. The attacker gets an instant message with every victim's submission.
Researchers who examined the site while it was live found the Telegram bot token exposed directly in the page source — a basic operational security failure that revealed the exfiltration channel to anyone who viewed the source code. It's consistent with the general sloppiness visible elsewhere in the campaign: a Trezor letter signed by someone labeled as the Ledger CEO, a deadline that had already passed on the Ledger-branded version.
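Added example, not part of the original article: detection logic an analyst could run over saved page source from a suspected seed-phishing site, flagging the indicators described above (a recovery-phrase prompt, a PHP collector endpoint, a Telegram bot token in the markup). The rule names, the token pattern (an assumed shape: numeric bot id, colon, 35 URL-safe characters) and the sample HTML are constructed for illustration.

```python
import re

TOKEN_RX = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
RULES = {
    "seed_prompt": re.compile(r"(recovery|seed|backup)\s+(phrase|words)", re.I),
    "word_count": re.compile(r"\b(12|18|24)[\s-]*word", re.I),
    "telegram_api": re.compile(r"api\.telegram\.org", re.I),
    "telegram_token": TOKEN_RX,  # assumed token shape, see lead-in
    "php_collector": re.compile(r"""action\s*=\s*["'][^"']*\.php["']""", re.I),
}

def triage(html: str) -> dict:
    """Score page source: a seed prompt plus any exfiltration indicator is a match."""
    hits = {name: bool(rx.search(html)) for name, rx in RULES.items()}
    asks_for_seed = hits["seed_prompt"] or hits["word_count"]
    exfil = hits["telegram_api"] or hits["telegram_token"] or hits["php_collector"]
    if asks_for_seed and exfil:
        verdict = "seed-phishing"
    else:
        verdict = "review" if asks_for_seed else "no-match"
    return {"verdict": verdict, "hits": sorted(n for n, hit in hits.items() if hit)}

def redact_tokens(html: str) -> str:
    """Keep the bot id for reporting, drop the secret part before sharing the source."""
    return TOKEN_RX.sub(lambda m: m.group(0).split(":")[0] + ":<redacted>", html)

# Constructed sample: the endpoint path and prompt wording come from the article,
# the token is an all-placeholder value.
SAMPLE = (
    '<form action="/black/api/send.php" method="post">\n'
    "<p>Enter your recovery phrase to proceed.</p>\n"
    '<textarea name="words"></textarea></form>\n'
    '<script>var t = "' + "0" * 10 + ":" + "A" * 35 + '";</script>\n'
)
# Constructed benign sample: guidance text that mentions the phrase but collects nothing.
BENIGN = "<p>Never share your recovery phrase with anyone.</p>"

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(triage(BENIGN))
    print(redact_tokens(SAMPLE))
```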
This Happened Before
The 2026 campaign is a refinement of something that ran in 2021 — using the same breach data, against the same population, with slightly more polish.
After the Ledger address database hit RaidForums in December 2020, attackers mailed fake Ledger Nano X hardware wallets to customers. Professional packaging, shrink-wrapped, authentic Ledger branding. Inside was a device with a soldered flash drive and a fake "Ledger Live" app. The app asked users to enter their recovery phrase to initialize the wallet. CoinDesk documented the campaign in June 2021. Some people fell for it.
Physical mail is effective precisely because it bypasses everything email security has built up over 20 years — spam filters, domain reputation scores, link-scanning proxies. It also carries a different kind of threat signal. A letter with your name and home address doesn't just ask you to do something. It tells you they already know where to find you. That unsettles people in a way that a phishing email doesn't, and that reaction is useful to an attacker.
What to Do
If you received one of these letters: put it in the bin. Do not scan the QR code, do not type the URL manually, do not enter anything on any site it leads to. Trezor and Ledger will never send unsolicited mail asking you to verify your device or your recovery phrase. This applies to every hardware wallet manufacturer. No legitimate company in this space will ever initiate contact asking for your seed words.
If you entered your seed phrase anywhere: treat the wallet as fully compromised. Move all funds to a wallet generated fresh on a clean device — immediately, not later. The steps to take when you've been phished are the right starting point.
Check Have I Been Pwned for the Ledger breach. If your email is in it, your physical address may be in circulation too. That's a reasonable basis for treating anything referencing your hardware wallet — by post, email, or phone — as suspect until verified through official channels only.
The broader question is how your home address ended up in these databases in the first place. Data brokers aggregate and sell physical addresses legally, and they can be cross-referenced against email lists from breaches to build targeted profiles. If you haven't thought about what's sitting in those databases with your name on it, it's worth a look. The Ledger breach gave attackers a starting point. Data brokers fill in the rest.