A new crypto scam is sweeping through the community, this time in the form of fake physical letters impersonating Ledger. The fraudulent letters, sent via USPS, warn recipients to “validate” their wallets or face account suspension. QR codes included in the letters direct users to phishing sites designed to steal recovery phrases or private keys.
The scam first came to light when BitGo CEO Mike Belshe posted an image of the deceptive letter online, raising concerns about the evolving sophistication of crypto-related phishing attacks. Users like Troy Lindsey also confirmed receiving the same letter, emphasizing that the contents are entirely fake and dangerous.
This method signals a shift in tactics, moving beyond emails and text messages to physical social engineering. It’s part of a larger trend: in April, an elderly individual lost $330 million in Bitcoin to scammers running a fraudulent call center in the UK. At the same time, Coinbase revealed an internal data leak, with attackers demanding a $20 million ransom. Though no wallets were compromised, customer contact information was exposed, prompting harsh criticism from figures like TechCrunch founder Michael Arrington.
In addition to mail-based phishing, bad actors are targeting macOS users through fake versions of Ledger Live, the official wallet management app. According to cybersecurity firm Moonlock, these clones trick users into entering their seed phrases through pop-up prompts. Once entered, this information is sent directly to attacker-controlled servers.
Moonlock attributes the campaign to the “Atomic macOS Stealer,” a malware strain capable of harvesting sensitive information from over 2,800 compromised websites. These fake apps are designed to imitate the real Ledger Live interface closely, making them difficult to detect.
The combined threat of physical phishing letters and digital clones signals a new level of danger for crypto holders. Experts urge users to verify all wallet-related communications through official channels and avoid entering their seed phrases unless prompted by a trusted source.