Just received a scam letter that is a phishing scam. The letter claims to be from Trezor. It has a QR code that leads to trezor.authentication-check.io where it apparently tries to get people to enter in their seed phrase.
I have never bought or used a Trezor. Just be aware, this letter looks very professional. Never trust QR codes. One mistake many years ago (trusting Ledger) means I get targeted for stuff like this pretty much every day. Don't be like me. If you buy bitcoin hardware use a PO Box and an alias. Don't trust ANY bitcoin company with your real data.
I mean this.
It does not matter which company it is. You implicitly trust them when you place an order. No company can guarantee they will not be compromised. Ledger is just a big target. They also suck but even the best most based company is not bulletproof. So act accordingly.
I get a few of these letters from Ledger as well.
A few weeks ago I got a scam call about my Ledger Live!
Scams and fraud bring regular and dragnets.
This is what the no-KYC crowd seem to miss. The frauds and the scams in this space are nauseating.
Yeah, this is what so many people that don't think about privacy miss. No one can secure your data. That includes, especially, governments. The French gov exposed their people. Today governments are trying to get operating systems to add KYC to the installation process. Today it's just DOB but it will soon be IDs. All will be exposed. It's just a matter of time.
It's absurd that we live this way. What? To stop money laundering? Terrorism? It's nonsense. Not only does it expose the masses, it actually doesn't work.
I hope those scammers lose their private keys!
I have no money, joke's on them
Physical social engineering attacks targeting hardware wallet users are the logical next step as bitcoin adoption grows. The attacker knows:
The defense isn't just "don't trust physical mail" — it's having a multi-layered verification mindset:
This also highlights why privacy matters in every layer of your stack — if your personal data hadn't leaked from a previous breach, this attack vector wouldn't exist. Worth auditing your overall digital footprint periodically.
The snail mail vector is particularly nasty because it bypasses all the digital threat models most people have internalized. No phishing filter, no suspicious link warnings, no browser extension protection. Just a letter that looks legit.
What's interesting is that this attack is economical precisely because of the data breach ecosystem. Ledger's 2020 breach dumped ~272k full names and physical addresses. Those lists are worth real money to scammers because the targeting is exceptional: hardware wallet purchaser + real home address = verified Bitcoin holder with self-custody intent. Even if Trezor never had a breach, you're a target if you've ever been on any similar list.
The sad math: if you send 10,000 letters at ~$0.60/ea and convert even 0.01% into seed entry, at current BTC prices the ROI is extraordinary.
Practical takeaways beyond what OP mentioned:
trezor.[legitimate-looking-domain].io is a tell — always verify the root domain
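
One way to apply the "verify the root domain" takeaway to a URL decoded from a QR code, as an added example that is not part of the original thread. It assumes the vendor's real domain is trezor.io, entered from a trusted source; the function name and the sample URLs are constructed for illustration, apart from the hostname quoted in the first post.

```python
from urllib.parse import urlsplit

# Assumption: the vendor's real domain, typed in from a trusted source
# (never copied from the letter or the QR code itself).
OFFICIAL_DOMAINS = {"trezor.io"}

def check_url(url, official=OFFICIAL_DOMAINS):
    """Classify a URL (e.g. decoded from a QR code) as 'official' or 'reject: ...'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")  # lowercased, no port or userinfo
    except ValueError:
        return "reject: malformed URL"
    if parts.scheme != "https":
        return "reject: not https"
    if not host:
        return "reject: no host"
    # https://trezor.io@other.example/ really goes to other.example
    if parts.username is not None:
        return "reject: userinfo before the host"
    labels = host.split(".")
    # Non-ASCII or punycode labels can imitate a brand with lookalike letters
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return "reject: internationalized host, possible lookalike"
    # Read right to left: the host must BE an official domain or end in ".<domain>"
    if any(host == d or host.endswith("." + d) for d in official):
        return "official"
    # The brand appearing as a left-hand label proves nothing about ownership
    brands = {d.split(".")[0] for d in official}
    if brands & set(labels):
        return "reject: brand name is only a label under another domain"
    return "reject: not an official domain"

if __name__ == "__main__":
    samples = [  # constructed, except the first hostname, which is from the post
        "https://trezor.authentication-check.io/",
        "https://trezor.io/start",
        "https://trezor.io@authentication-check.io/",
        "https://eviltrezor.io/",
    ]
    for s in samples:
        print(f"{s:45} {check_url(s)}")
```

Anything other than "official" means typing the vendor's address by hand instead of following the code.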