The Fake Ledger Letter: How the Recovery-Phrase Mail Scam Works

SoloLuck Blog · 2026-07-01

What the fake letter looks like

Imagine opening your mailbox and finding a printed letter that appears to come from Ledger, the hardware-wallet maker. It carries the company logo, a real-looking business address, and an official reference number. Some versions are even signed with the name of a real Ledger executive to seem more trustworthy. It feels legitimate, and that is exactly the point.

The letter usually claims your wallet needs an urgent action: a critical security update, a Transaction Check, an Authentication Check, a device you must validate or verify, or a new Quantum Resistance upgrade. It presses you with a deadline, warning that if you do not comply in time you could lose access to your wallet. Documented waves used deadlines such as 15 October 2025.

To act, the letter tells you to scan a printed QR code or type a web address into your browser. One quiet detail undercuts the whole thing: Ledger has publicly confirmed this scam and notes that it almost never sends physical mail to customers at all.

Why it already knows your name and address

The letter is unsettling because it may carry your real full name, your home address, and even your phone number. That does not make it genuine. It means your details were leaked years ago.

In 2020, a Ledger customer database was breached through a vulnerable website interface. The problem was disclosed that summer, and the data was later dumped publicly on a hacker forum. Roughly one million email addresses were exposed, and about 272,000 records contained the full names, postal addresses, and phone numbers of people who had actually bought a device.

Here is the reassuring part: no recovery phrases, PINs, or funds were in that breach, only contact and identity information. But that contact data is precisely what lets a criminal print a personalized letter and mail it to a known wallet owner's door. So "it has my real details" is not proof that a message is real. With a breach behind it, that is exactly what you should expect a scam to look like.

How the theft actually happens

The QR code or web address leads to a lookalike website built to imitate Ledger. The page asks you to enter your 24-word Secret Recovery Phrase, framed as a way to "verify," "validate," "restore," or "secure" your wallet.

The moment you type those words in, they are sent straight to the attacker. With your 24 words, a thief can rebuild your private keys in their own software and move every coin out, often within minutes. Bitcoin transactions are irreversible: there is no bank to call, no chargeback, and no way to undo it.
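Why the words alone are enough, as an added example that is not part of the original post: it assumes the recovery phrase follows the public BIP-39 standard and the wallet root follows BIP-32, neither of which the post names. The phrase used is the published BIP-39 test vector, never a real wallet, and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

# Published BIP-39 test-vector phrase (public, holds no funds).
TEST_PHRASE = "abandon " * 11 + "about"

VALID_LENGTHS = {12, 15, 18, 21, 24}  # word counts BIP-39 allows


def seed_from_phrase(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512 over the words, 2048 rounds.

    Note what is NOT an input: no device serial, no PIN, no secure chip.
    The wordlist and checksum are not validated here; this only shows
    the derivation step.
    """
    words = unicodedata.normalize("NFKD", phrase).split()
    if len(words) not in VALID_LENGTHS:
        raise ValueError(f"unexpected word count: {len(words)}")
    password = " ".join(words).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 root: (master private key, chain code) from the seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


if __name__ == "__main__":
    seed = seed_from_phrase(TEST_PHRASE)
    key, chain = master_key(seed)
    # Same words in, same root key out, on any computer.
    print("seed bytes:", len(seed), "| master key bytes:", len(key))
```

Every input to the derivation is something the person typing the phrase supplies, which is why a seed that has been entered into a website has to be retired rather than "re-secured".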

Notice the shape of the trick, because it repeats everywhere: a breach supplies your details, a trusted-looking channel delivers the lure, a deadline creates panic, a lookalike page collects your seed, and the drain follows instantly. Recognize that pattern once and you will spot it by email, SMS, phone call, or app the next time.

If you only scanned and looked, you're safe

This is the part that calms most people down, and it is technically true: scanning the QR code or opening the page does not, by itself, empty your wallet. A hardware wallet generates and stores your private keys offline, inside a secure chip, and they never leave the device. A website has no way to reach in and pull them out.

The scam only works if you take the final step, typing your 24 words into the fake site. So if you scanned the code, looked at the page, and entered nothing, your keys are intact and your funds are safe. You do not need to panic or move anything.

One honest caveat: "safe" assumes you entered nothing and installed nothing. A malicious link can also try to serve a malware download or exploit your browser, so the right posture is still simple: do not scan it and do not visit it. The reassurance is about not panicking, not an invitation to poke at the trap.

The one rule that defeats every version

If you remember only one sentence, make it this: no legitimate wallet company will ever ask for your recovery phrase, not by letter, website, QR code, email, phone, WhatsApp, or Telegram. Ledger and Trezor both state this plainly. Your 24 words are entered only directly on your hardware device when you restore it, never into any website, computer, or phone.

For what it is worth, this is also why a non-custodial service like SoloLuck never asks for your keys or your recovery phrase. You keep custody, and nobody legitimate ever needs those words but you.

What to do if a letter arrives

If one of these letters shows up, keep it simple and calm:

And if you already typed your recovery phrase into a site like this, act quickly rather than freeze: assume the wallet is compromised. Using your device offline, create a brand-new wallet with a newly generated recovery phrase, and move any funds to it right away. The old seed can never be trusted again, and drains happen in minutes, so speed matters more than perfection here.

FAQ

Can scanning the QR code or opening the page steal my coins by itself?
No. Simply scanning the code or opening the web page cannot reach into your hardware wallet. Your private keys are stored offline inside the device and never leave it. Theft only happens if you type your 24-word recovery phrase into the fake site. That said, still do not scan or visit these links, since a malicious page can also try to push malware or exploit your browser.

Will Ledger, Trezor, or any wallet maker ever ask for my recovery phrase?
Never. No legitimate wallet company, exchange, or pool will ever ask for your recovery phrase, whether by letter, website, QR code, email, phone, or chat app. Your 24 words are entered only directly on your hardware device when you restore it. Anyone who asks for them by any other means is trying to rob you.

The letter has my real name and home address. Doesn't that prove it's genuine?
No. A 2020 Ledger data breach exposed the names, postal addresses, and phone numbers of about 272,000 customers, along with roughly a million email addresses. No recovery phrases were leaked, but that contact data is exactly what lets scammers mail personalized letters. Having your real details is what you should expect from a scam, not proof of legitimacy.

I already entered my recovery phrase on the site. What should I do?
Assume your wallet is compromised and act fast. Using your device offline, create a brand-new wallet with a newly generated recovery phrase, then move any funds to it immediately. Never reuse the old seed phrase again. Drains often happen within minutes, so speed matters more than getting everything perfect.

How did the scammers get my mailing address in the first place?
Most likely from a past data breach of customer records. Leaked contact information circulates for years, so any hardware-wallet owner should assume their name and address could be used to target them across mail, email, SMS, and phone calls. Stay skeptical of all unsolicited wallet-related contact.
