Fake Ledger 'Device Compromised' Mailer Scams
Scammers send physical mailers and emails to known Ledger customers claiming their device has been compromised, directing them to a fake 'Ledger Live' download that steals their seed phrase. Ledger will never mail you asking to validate your device.
Part of: Fake Hardware Wallet Scams
Last reviewed: 7 June 2026
In 2020, a significant data breach exposed the personal details of hundreds of thousands of Ledger customers, including their postal addresses. Criminals used this data to launch targeted physical mail campaigns. Recipients receive a letter in official-looking Ledger branding, warning that their hardware wallet has been compromised and that they must install a 'Ledger Live Security Update' from an enclosed URL or QR code.
This scam is especially dangerous because it arrives by post — a channel that consumers tend to trust more than email — and it targets people already known to own a Ledger device and therefore likely to hold significant crypto assets. The letter may include accurate personal details from the breach, such as the recipient's name and address, which add false credibility.
Ledger communicates with customers through ledger.com and through the Ledger Live application itself. Ledger does not send postal letters asking users to validate their device or download software. Any such letter should be treated as a social engineering attack.
How this scam works on the Ledger brand
The physical mailer typically includes a convincing Ledger logo, an urgent message about a 'security vulnerability discovered in your Ledger Nano,' and instructions to download a 'patched version' of Ledger Live from a URL such as ledger-live-update[.]com. The download is actually malware or a fake wallet interface that, during the 'restore' step, captures the victim's 24-word recovery phrase and sends it to the attacker.
A parallel email-based version targets the same leaked customer list. The email mimics Ledger's visual design, carries a spoofed @ledger.com sender address, and directs victims to click 'Install Security Patch' — leading to the same malware download or phishing page.
Ledger Live, the official software, is available exclusively at ledger.com/ledger-live. Updates are delivered only through the app itself or via ledger.com, never through a separate link in an unsolicited letter or email. Ledger will never ask users to enter their 24-word recovery phrase into Ledger Live for any security or update procedure — the phrase is used only to restore a wallet to a new physical device.
Common red flags
- A physical letter claiming your Ledger device has been compromised and directing you to download software
- An email from a domain that is not exactly ledger.com claiming to offer a Ledger Live security update
- Any request to enter your 24-word recovery phrase into Ledger Live or any website
- A QR code in a letter that links to anything other than ledger.com
- Urgency language such as 'your funds are at immediate risk unless you act within 48 hours'
- A 'new Ledger Live' download hosted on any domain except ledger.com
- A support interaction asking for your recovery phrase to 'verify device authenticity'
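The domain red flags above can be checked mechanically. The following is an added example, not Ledger's code or part of the original page: it takes a link copied from a letter, QR code or email and reports whether its host is ledger.com. It assumes ledger.com and its subdomains are the only official hosts; the function names and all sample links except ledger-live-update[.]com are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: ledger.com and its subdomains (support.ledger.com is named on
# this page) are the only hosts treated as official.
OFFICIAL_DOMAIN = "ledger.com"

def refang(text):
    """Undo defanging used in advisories, e.g. ledger-live-update[.]com."""
    t = text.strip().replace("[.]", ".").replace("(.)", ".")
    return "http" + t[4:] if t.lower().startswith("hxxp") else t

def check_link(raw):
    """Return (is_official, reason) for a link from a letter, QR code or email."""
    url = refang(raw)
    if not re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", url):
        url = "https://" + url  # letters often print a bare hostname
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not an https link"
    if "@" in parts.netloc:
        return False, "userinfo before the host hides the real destination"
    # Rejects homoglyphs and backslash tricks that browsers parse differently.
    if not re.fullmatch(r"[a-z0-9.-]+", host):
        return False, "host contains non-ASCII or unexpected characters"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible lookalike)"
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return True, "host is ledger.com or a subdomain"
    return False, "host is not ledger.com: " + host

# Constructed samples; only ledger-live-update[.]com appears on this page.
SAMPLES = [
    "ledger.com/ledger-live",
    "ledger-live-update[.]com",
    "https://ledger.com.secure-update.example/patch",
    "https://ledger.com@secure-update.example/",
    "https://l\u0435dger.com/ledger-live",  # Cyrillic 'e' homoglyph
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_link(sample), sample)
```

A passing result only means the link points at ledger.com; it says nothing about who sent the message, since the sender address can be spoofed.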
How to protect yourself
- Download Ledger Live only from ledger.com/ledger-live — bookmark this URL and never use any other source
- Never enter your 24-word recovery phrase into any software or website, including one that claims to be Ledger
- Treat any postal letter or email claiming your Ledger device is compromised as a scam and do not follow its instructions
- Verify the Ledger Live version in the app directly — the app notifies you of legitimate updates
- Contact Ledger's official support at support.ledger.com to verify any communication you are unsure about
- Use your Ledger device normally; a hardware wallet's security is not affected by any software 'vulnerability' that requires a seed phrase to fix
How to report it
- Report the scam to Ledger at support.ledger.com
- Forward phishing emails to [email protected]
- Report to IC3.gov (US), Action Fraud (UK), or your national cybercrime body
- Report the phishing domain to Google Safe Browsing
Frequently asked questions
Why does the scam letter have my real name and address?
Ledger suffered a customer data breach in 2020 that exposed names, addresses, and email addresses. Criminals purchased this data from dark-web markets to make the targeted letters seem credible. Having your name in the letter does not mean your device is actually compromised.
Is my Ledger hardware wallet actually vulnerable?
A Ledger hardware wallet that has never exposed its 24-word recovery phrase is not compromised by the data breach. The breach exposed customer contact information only. Your device remains secure as long as your recovery phrase has never left the physical card you wrote it on.
Does Ledger send any letters or emails about device security?
Ledger may send emails about genuine software updates or news, but these direct users only to ledger.com and never ask for recovery phrases. Ledger does not send unsolicited postal letters about device security or ask you to reinstall software.