A sophisticated phishing scam is making the rounds, this time through old-fashioned mail. Scammers posing as Ledger, the hardware wallet provider, are sending fake letters through the U.S. Postal Service. These letters claim wallet access will be restricted unless users scan a QR code and validate their accounts. In reality, the QR codes link to malicious websites designed to harvest recovery phrases and private keys.
BitGo CEO Mike Belshe was one of the first to raise the alarm, sharing an image of the letter. Other victims have confirmed similar experiences. Security analysts believe this new method adds a dangerous twist by giving the phishing attempt a false sense of physical credibility.
The scam arrives amid rising threats to crypto users. In one recent case, scammers stole $330 million in Bitcoin from an elderly victim. Meanwhile, Coinbase faced a separate security breach when support contractors leaked user data—an incident that resulted in a $20 million extortion attempt. Though account access wasn’t compromised, the incident drew sharp criticism from high-profile figures like Michael Arrington.
Fake Ledger Live apps are also targeting macOS users. Cybersecurity firm Moonlock has flagged several trojanized versions of the app, which deceive users with realistic interfaces and pop-ups prompting them to enter their 24-word recovery phrase. Once provided, the credentials are sent directly to attackers.
These fake apps are distributed through the “Atomic macOS Stealer,” a powerful piece of malware embedded on thousands of infected websites. Once installed, it swaps out the real Ledger Live for a lookalike, tricking users into exposing their funds.
With attackers now combining physical mail scams and malicious software, the threat landscape for crypto investors is rapidly evolving. Users should remain skeptical of any unexpected requests and confirm legitimacy directly through official Ledger channels.