From Inbox to Mailbox: Crypto Scams Go Physical With USPS

A new wave of phishing attacks is exploiting an old-fashioned delivery method: the US Postal Service.

Scammers posing as hardware wallet manufacturer Ledger are mailing counterfeit letters that urge recipients to “validate” their wallets—or risk losing access to their crypto funds.

The deceptive letters, flagged by BitGo CEO Mike Belshe, contain a QR code that likely directs victims to a phishing site designed to harvest private keys.

Phishing attempt through the US Post Office. pic.twitter.com/gJwYCZrxbE

— Mike Belshe (@mikebelshe) May 23, 2025

This marks a troubling evolution in phishing tactics, shifting from purely digital deception to physical social engineering.

Folks taking this one from @mikebelshe thank you for sharing with the crypto community! This is a great looking scam one a lot of people may fall for, delivered right from US postal services.
As a Ledger user I had to read through this. Scams are getting better and better. Even… pic.twitter.com/Nn8UYShCls

— Moon Jay 🚀 🇨🇦 (@Hizakmoon) May 24, 2025

Another recipient, Troy Lindsey, echoed the warning on social media, underscoring the growing threat posed by scams that leverage the perceived legitimacy of physical mail:

“These are all scams. Do not fall for any of these.”

I got the same one ☝️ last week I took and had @grok analyze it. These are all scams do not fall for any of these!! pic.twitter.com/ZFNpQpujqA

— Troy Lindsey (@TroyandOlga) May 24, 2025

The incident surfaces at a time of rising crypto-related fraud.

In April, blockchain sleuth ZachXBT confirmed that $330 million in Bitcoin had been stolen from an elderly victim—an elaborate scam traced to a UK-based call center.

Update: It is confirmed to be a social engineering theft from an elderly individual in the US.

— ZachXBT (@zachxbt) April 30, 2025

More recently, Coinbase revealed it had been the target of a $20 million extortion attempt following a contractor data breach.

While the exchange claimed no wallet credentials or account access were compromised, leaked user names and contact details sparked concern.

TechCrunch founder Michael Arrington criticised Coinbase for downplaying the risks, warning that exposed customers could face real-world threats.

Fake Ledger Live Apps Spread Malware on macOS

Cybersecurity firm Moonlock issued a stark warning last week: macOS users are now the target of a sophisticated phishing campaign involving fake versions of Ledger Live, the widely used crypto wallet management app.

These trojanised clones are designed to mimic the legitimate software so convincingly that they trick users into entering their 24-word recovery phrases through deceptive pop-ups.

According to Moonlock, this marks a significant escalation in crypto-targeted malware:

“Within a year, they have learned to steal seed phrases and empty the wallets of their victims.”

At the heart of the campaign is the Atomic macOS Stealer—a potent data-exfiltration tool capable of harvesting everything from passwords and notes to cryptocurrency wallet credentials.

Cybercriminals are compromising websites to spread macOS malware again.

This time: Atomic Stealer hidden in fake password manager installers.

Don’t trust every download. Our latest report explains why. https://t.co/MnL0Sk2A3o #macOS #Malware #Cybersecurity #AtomicStealer

— Moonlock (@moonlock_com) May 20, 2025

The malware has been found embedded in at least 2,800 compromised websites.

Once installed, the malicious software silently replaces the authentic Ledger Live app with a counterfeit version.

It then pushes urgent-looking alerts prompting users to “verify” or “restore” their wallets.

The moment a user enters their recovery phrase, that critical data is transmitted directly to attacker-controlled servers.

This evolving attack vector underscores a troubling shift in crypto security threats—and a growing need for users to verify not just what they click, but where their software originates.