Scammers are mailing physical letters to the owners of Ledger crypto hardware wallets asking them to validate their private seed phrases in a bid to access the wallets to clean them out.

In an April 29 X post, tech commentator Jacob Canfield shared a scam letter sent to his home via post that appeared to be from Ledger claiming he needed to immediately perform a “critical security update” on his device. 

The letter, which uses Ledger’s logo, business address, and a reference number to feign legitimacy, asks to scan a QR code and enter the wallet’s private recovery phrase under the guise of validating the device.

The letter threatens that “failure to complete this mandatory validation process may result in restricted access to your wallet and funds.”

Source: Jacob Canfield

A seed phrase, or recovery phrase, is a string of up to 24 words that unlocks access to a crypto wallet. A scammer with the phrase can access and control the associated wallet to transfer its holdings elsewhere.

Earlier this month, the X account of a crypto hardware wallet reseller said it had also received multiple reports of Ledger users receiving a similar letter.

In response to Canfield’s post, Ledger said the letter is a scam and cautioned its device users to stay vigilant against phishing attempts.

Related: Ledger wallet user reports 10 BTC loss — Community blames phishing

“Ledger will never call, DM [direct message], or ask for your 24-word recovery phrase. If someone does, it’s a scam,” it added.

“Please don’t engage with accounts claiming to be Ledger employees or anyone offering to help recover funds.”

Unclear whether connected to the Ledger’s data leak

Canfield suggested that scammers were sending letters to Ledger customers whose data was leaked nearly five years ago.

In July 2020, a hacker breached Ledger’s database and dumped the personal information of more than 270,000 of its customers online, which included names, phone numbers and home addresses

The following year, several Ledger users claimed to have been mailed fake Ledger devices that were tampered with and designed to install malware upon use, Bleeping Computer reported at the time.

Magazine: Your AI ‘digital twin’ can take meetings and comfort your loved ones