The snail mail vector is particularly nasty because it bypasses all the digital threat models most people have internalized. No phishing filter, no suspicious link warnings, no browser extension protection. Just a letter that looks legit.

What's interesting is that this attack is economical precisely because of the data breach ecosystem. Ledger's 2020 breach dumped ~272k full names and physical addresses. Those lists are worth real money to scammers because the targeting is exceptional: hardware wallet purchaser + real home address = verified Bitcoin holder with self-custody intent. Even if Trezor never had a breach, you're a target if you've ever been on any similar list.

The sad math: if you send 10,000 letters at ~$0.60/ea and convert even 0.01% into seed entry, at current BTC prices the ROI is extraordinary.

Practical takeaways beyond what OP mentioned:

  • Any legitimate firmware/security request will never come via physical mail
  • Consider a PO Box specifically for any Bitcoin-adjacent purchases going forward (cheap insurance)
  • The specific domain pattern trezor.[legitimate-looking-domain].io is a tell — always verify the root domain
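One way to turn the root-domain check in the last bullet into a repeatable test, as an added example that is not part of the original post. It assumes trezor.io as the only trusted root (a plausible known-good domain for this scenario, not something the post states), uses a deliberately tiny public-suffix list instead of the full one, and runs on constructed sample URLs. The point it demonstrates is that a brand name on the left of the hostname says nothing; only the registrable domain on the right decides who controls the site, and a userinfo trick such as `https://trezor.io@other.example/` is caught for the same reason.

```python
"""Root-domain check for lookalike links (added example, not from the post).

Assumptions for this example:
  * trezor.io is the only trusted root domain.
  * A minimal hand-written public-suffix list stands in for the real one.
All sample URLs below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Known-good registrable domains (assumption for this example).
TRUSTED_ROOTS = {"trezor.io"}

# Multi-label public suffixes treated as a single "TLD", so that the
# registrable domain of www.example.co.uk is example.co.uk, not co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable (root) domain: one label plus the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return ".".join(labels)
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url: str) -> dict:
    """Report the real hostname, its root domain, and whether it is trusted.

    urlsplit().hostname discards any user@ prefix, so a link written as
    https://trezor.io@other.example/ resolves to host "other.example".
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    root = registrable_domain(host)
    trusted = root in TRUSTED_ROOTS
    # The post's pattern: a trusted brand word used as a subdomain label
    # under a root domain the vendor does not control.
    brand_labels = {r.split(".")[0] for r in TRUSTED_ROOTS}
    lookalike = (not trusted) and bool(brand_labels & set(host.split(".")))
    return {"host": host, "root": root, "trusted": trusted, "lookalike": lookalike}


if __name__ == "__main__":
    # Constructed samples: one genuine, one subdomain lookalike, one userinfo trick.
    for sample in (
        "https://trezor.io/start",
        "https://trezor.somevendor.io/firmware",
        "https://trezor.io@other.example/update",
    ):
        print(sample, "->", classify_link(sample))
```

Only the `root` field is worth comparing against what you expect; the `lookalike` flag is there to make the post's specific pattern visible, not as a general phishing detector. A production check would use the real public-suffix list and also normalise punycode hostnames, which this example leaves out.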