These QR Brushing Scams are starting to spread.
This new scheme involves receiving a letter in the mail from Trezor, a leading cryptocurrency hardware wallet provider. Official letterhead. Your name. Your address. Even a hologram.
It says you need to complete a mandatory "Authentication Check" by X date, or you'll lose access to your wallet.
There's a QR code. Scan it to get started.
It's a scam, of course. Here's how it works:
Scammers are sending physical letters to crypto hardware wallet owners, impersonating the security teams of Trezor and Ledger. The letters look professional: branded letterhead, urgent deadlines, official-sounding language. One letter pretending to be from Trezor even carried a forged signature of Ledger's CEO.
The QR code takes you to a phishing site that mimics the official Trezor setup page. It walks you through a fake activation process, warns you about "limited access" if you don't comply, and then asks you to enter your 12-, 20-, or 24-word recovery phrase.
That's the kill shot.
Your recovery phrase IS your wallet. Anyone who has it can import your wallet onto their own device and transfer every coin you own. No customer support to call. No transaction to reverse. It's gone.
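The chain described above only works if the victim follows the QR code to the phishing page. A defensive habit is to read the decoded text before opening it and refuse anything that is not plainly the vendor's own site. The script below is an added example (not from the original post or from Trezor or Ledger) that triages a QR payload: it accepts only HTTPS URLs whose host sits under an allow-listed vendor domain, and flags the common tricks (brand word in a look-alike host, near-miss typosquat, user-info before the "@", plain HTTP, punycode labels). The allow-list of official domains and every sample payload are assumptions constructed for the example, so verify the domains against the vendor's documentation before relying on them.

```python
from urllib.parse import urlparse

# ASSUMPTION: official vendor domains for this example. The post names the vendors
# but not their domains, so confirm these yourself before using the allow-list.
OFFICIAL_DOMAINS = {"trezor.io", "ledger.com"}
BRAND_WORDS = ("trezor", "ledger")

# Constructed sample payloads (not real scam URLs) covering the cases the triage handles.
SAMPLE_PAYLOADS = [
    "https://trezor.io/start",                             # genuine vendor host
    "https://suite.trezor.io/",                            # genuine subdomain
    "https://trezor-auth-check.example/verify",            # brand word in a foreign host
    "https://trez0r.io/",                                  # one-character typosquat
    "https://trezor.io@attacker-controlled.example/",      # userinfo trick: real host is after '@'
    "http://trezor.io/",                                   # right host, but not HTTPS
    "https://example.org/",                                # unrelated host
    "not a url at all",                                    # QR text that is not a URL
]


def _registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_qr_payload(payload: str) -> dict:
    """Classify text decoded from a QR code.

    verdict is one of 'official', 'suspicious', 'lookalike', 'unknown', 'not_a_url';
    reasons lists the signals behind it.
    """
    parsed = urlparse(payload.strip())
    if not parsed.scheme or not parsed.netloc:
        return {"verdict": "not_a_url", "host": None, "reasons": ["payload has no scheme or host"]}

    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return {"verdict": "not_a_url", "host": None, "reasons": ["no hostname in URL"]}

    flags = []   # transport / obfuscation problems, even on a genuine host
    if parsed.scheme.lower() != "https":
        flags.append(f"scheme is {parsed.scheme!r}, not https")
    if parsed.username is not None:
        flags.append("userinfo before the host: the real host is after the '@'")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label in host (possible homoglyph domain)")

    matched = next((o for o in OFFICIAL_DOMAINS if host == o or host.endswith("." + o)), None)
    if matched and not flags:
        return {"verdict": "official", "host": host, "reasons": [f"host is under {matched}"]}
    if matched:
        return {"verdict": "suspicious", "host": host, "reasons": flags}

    signals = []  # look-alike indicators on a host that is NOT on the allow-list
    for brand in BRAND_WORDS:
        if brand in host:
            signals.append(f"brand word {brand!r} inside a non-official host")
    reg = _registrable(host)
    for official in OFFICIAL_DOMAINS:
        if _edit_distance(reg, official) <= 2:
            signals.append(f"registrable domain {reg!r} is within 2 edits of {official!r}")
    if signals:
        return {"verdict": "lookalike", "host": host, "reasons": signals + flags}
    if flags:
        return {"verdict": "suspicious", "host": host, "reasons": flags}
    return {"verdict": "unknown", "host": host, "reasons": ["host is not on the allow-list"]}


def triage_samples() -> list:
    """Run the classifier over the constructed samples; returns (payload, verdict) pairs."""
    return [(p, classify_qr_payload(p)["verdict"]) for p in SAMPLE_PAYLOADS]


if __name__ == "__main__":
    for payload, verdict in triage_samples():
        print(f"{verdict:<10} {payload}")
```

The only path to an "official" verdict is an exact or subdomain match on the allow-list over HTTPS with no user-info; everything else is reported with the signal that tripped it, so a reader can see why "trez0r.io" or "trezor.io@..." is not what it looks like. The check is string-based and the typosquat threshold is a heuristic, so treat "unknown" as "do not open" rather than "safe". And the page's own point still applies regardless of verdict: no setup or "authentication" page, on any domain, has a reason to ask for the recovery phrase.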
How did the scammers get your home address?
Both Trezor and its primary competitor Ledger have suffered data breaches in recent years. Ledger's 2020 breach alone exposed over 270,000 customer addresses. That leaked data is still circulating, and scammers are now weaponizing it through physical mail, a channel most people don't associate with phishing.
This is the same playbook as the Amazon brushing scam: create urgency, build false trust, and use a QR code to bridge the physical world and a phishing site. Only the target has changed.
As always, stay on guard.
Source: BleepingComputer