When Scammers Go Physical: A Ledger User Receives a Handwritten Phishing Letter

Handwritten Scam Letter Arrives

A Ledger user in Italy recently received the first physical phishing letter they had ever seen. The envelope bears the Ledger logo and contains a QR code that redirects to a phishing website.

Ledger’s Two Data Breaches

First breach – July 2020: about 270,000 customers had their name, address, phone number and email exposed.

Second breach – December 2020: another 27,000 users were affected, this time mainly their email and mailing addresses.

Despite Ledger’s public promise to protect user data, the leaked information remains on the black market five years later, enabling scammers to launch “postal phishing” attacks.

Scammer’s ROI Calculation

Security researchers examined the phishing site and found the domain ends with .gl. The scammers continuously iterate the site, indicating a coordinated effort rather than a lone actor.

Printing cost: a few dollars

Postage: a few dollars

Labor: a few dollars

Total cost: roughly ten to twenty dollars

As soon as a victim scans the QR code and makes a payment, the scammers break even, showing a clear cost‑effective model.

Security Team’s Takeaway

First, the “shelf life” of leaked data is much longer than expected; data from 2020 is still being weaponized in 2025, raising doubts about the effectiveness of post‑breach remediation.

Second, scammers are upgrading the “user experience”. Physical letters bypass the fatigue users have with email spam, making recipients more likely to trust the content and fall for the scam.