If a professionally printed letter has arrived via physical mail claiming to be from Ledger — warning that your hardware wallet needs an urgent "Quantum Resistance Security Update" — stop. Do not scan the QR code, and do not enter your 24-word recovery phrase anywhere. It is a scam, and Ledger has confirmed it on its official support site.
Since late April 2026, Ledger hardware-wallet owners have reported receiving fake letters through the post — not email, actual physical mail — designed to trick them into handing over the secret recovery phrase that controls their crypto. Public complaints picked up through early May. Here is exactly what the scam looks like, why the letters know your name and address, and what to do if one lands on your doormat.
Quick check — is the letter real?
A genuine Ledger communication will never:
- ask for your 24-word recovery phrase (by any method);
- tell you to install an "update" via a QR code or link in a letter;
- send security or firmware updates by physical mail;
- impose a deadline threatening to disable your wallet.
If the letter does any of these, it is a scam — full stop.
What the scam letter looks like
The reported letters are convincing. Across documented cases they share these traits:
- Ledger branding and a corporate return address in Paris.
- A reference number, plus your correct device model and order history — details that make it feel personalised and legitimate.
- A QR code and a deadline, warning that your wallet will stop working if you do not "update" in time.
- In some cases, a signature impersonating Ledger's chief technology officer, Charles Guillemet.
- Localised versions (an Italian-language variant has been documented), suggesting a coordinated, international campaign.
The QR code leads to a phishing website that asks you to enter your 24-word recovery phrase to "verify" or "upgrade" your device. Anyone who types it in hands the attacker complete control of their funds — and crypto sent out of a compromised wallet is effectively impossible to recover.
Why the letter knows your name and address
This is the unsettling part, and the reason the scam feels credible: the senders already have your real-world details. The most likely source is the 2020 Ledger data breach, in which the names, physical addresses and phone numbers of roughly 270,000 customers were exposed. That stolen dataset has circulated for years and lines up exactly with what these letters contain.
(One report has speculated about a separate January 2026 breach at Global-e, a Ledger e-commerce partner, but that link is unconfirmed. The 2020 breach alone is enough to explain the mailings.)
The key point: someone having your address does not put your crypto at risk. Your funds are only exposed if you reveal your recovery phrase. The letter is a social-engineering attempt to make you do exactly that.
The one rule that defeats this entire scam
Your 24-word recovery phrase should never be entered into any website, QR code, app, phone call, email, or letter — under any circumstances, ever. There is no legitimate "update," "verification," or "migration" that requires it.
Ledger's official support page is explicit. It warns: "Ledger will never send you a physical letter or unsolicited message asking you to install a 'Quantum Resistant Security Update' or any other software… If you received a letter or email directing you to install a security update or enter your Secret Recovery Phrase, it is a scam." A genuine firmware update is installed through Ledger Wallet (the app formerly called Ledger Live) and never asks for your recovery phrase — and Ledger does not push updates by post.
Wait — is "Quantum Resistant Ledger" a real thing?
Confusingly, yes — and that is exactly why the scam is convincing. QRL (Quantum Resistant Ledger) is a legitimate third-party cryptocurrency, with an app you can install on a Ledger device through Ledger Wallet. The scammers borrow that real, technical-sounding name to make a fake "security update" sound official. But the genuine QRL app has nothing to do with installing anything from a letter, and Ledger's own support page draws this exact distinction. Quantum computing is a real long-term research topic for the whole industry — but there is no emergency quantum update you must install today, and certainly none delivered by mail.
Did you receive one of these letters? What to check now
- Do not scan the QR code and do not act on the "deadline" — the urgency is manufactured to rush you.
- Verify through official channels only. Open the Ledger Wallet app, or type support.ledger.com into your browser yourself — never follow a link or code from the letter.
- Treat the personalised details as expected, not proof. Your model and address coming from a years-old breach does not mean the letter is real.
- Report it to Ledger and, if you are in the US, to the FTC or your state regulator; in the UK, to Action Fraud.
What to do if you already entered your recovery phrase
Assume the wallet is compromised and act immediately — speed matters:
- Move your funds now to a brand-new wallet generated from a fresh recovery phrase (a new or freshly reset device), from a clean computer or phone.
- Never reuse the exposed 24 words for anything again.
- If you act before the attacker does, you can save your funds — but treat every minute as critical.
Bottom line
Physical-mail phishing is a new delivery method for an old trick: get you to reveal your seed phrase. The defence has not changed. Keep your 24 words offline and private, verify anything urgent through Ledger's own app or website, and if you ever entered your phrase somewhere, move your funds to a fresh wallet right away. If you're reviewing your overall setup, our guide to the best crypto wallets covers choosing and securing a hardware wallet.
Sources
- Ledger — "Quantum Resistant Ledger (QRL)" official support page, with scam warning (last updated 13 May 2026)
- Ledger — how to stay safe from phishing attacks
- Ledger — phishing campaigns status
This briefing reflects Ledger's official advisory (last updated 13 May 2026) and public reports through early May 2026.
Frequently asked questions
Is the Ledger 'Quantum Resistance' letter real?
No. Ledger has confirmed on its official support site that these physical letters are a scam. Ledger never asks for your 24-word recovery phrase and does not deliver firmware or security updates by mail.
Is 'Quantum Resistant Ledger' (QRL) a real thing?
Yes, confusingly. QRL is a legitimate third-party cryptocurrency with an app you can install on a Ledger via Ledger Wallet. The scammers exploit that real name — but it has nothing to do with installing a 'security update' from a letter.
How did the scammers get my home address?
Most likely from the 2020 Ledger data breach, which exposed the names, addresses and phone numbers of about 270,000 customers. Having your address does not put your crypto at risk unless you reveal your recovery phrase.
I scanned the QR code and entered my recovery phrase — what now?
Assume your wallet is compromised. Immediately move your funds to a new wallet created from a fresh recovery phrase, from a clean device, and never reuse the exposed 24 words.