Bitcoin Forum

Economy => Service Discussion => Topic started by: Darker45 on May 26, 2025, 12:17:11 PM



Title: Ledger Phishing Takes Another Form
Post by: Darker45 on May 26, 2025, 12:17:11 PM
I just stumbled upon a tweet yesterday by Mike Belshe, the CEO of BitGo. It seems he's a victim of a phishing attempt that's probably still related to the Ledger data breach that happened 5 years ago.

It's a bit amusing because this time around, the modus went a bit old-school. It was done via a letter through the US Post Office.

https://www.talkimg.com/images/2025/05/26/UaqGob.jpeg
https://x.com/mikebelshe/status/1925953356519842245

I wonder what form phishing attempts take next. What's certain is that scammers trying to make the most out of the stolen data aren't done yet. Apart from the million email addresses that were compromised, there were also hundreds of thousands of names and postal addresses that were stolen. One of them might be yours. Be warned!


Title: Re: Ledger Phishing Takes Another Form
Post by: _act_ on May 26, 2025, 12:32:59 PM
This was discussed on this forum when it happened some weeks ago. The scammers sent letters to Ledger customers to scan a QR code which will take them to a site where they will enter their seed phrase. And the coins of anyone that enters their seed phrase will be stolen.

Fake Ledger physicial upgrade scam (https://bitcointalk.org/index.php?topic=5539991.msg65329825#msg65329825)


Title: Re: Ledger Phishing Takes Another Form
Post by: bitmover on May 26, 2025, 03:25:13 PM
I just stumbled upon a tweet yesterday by Mike Belshe, the CEO of BitGo. It seems he's a victim of a phishing attempt that's probably still related to the Ledger data breach that happened 5 years ago.


I don't think this is related to the data leak of ledger years ago.

The CEO of BitGo is a public figure. The attacker could easily get his personal information from other places.


Title: Re: Ledger Phishing Takes Another Form
Post by: Rikafip on May 26, 2025, 03:48:35 PM
Scammers are really getting more and more creative. Also, a scam like this requires some investment too as they probably send thousands of such letters, in hope that one or two are curious/naive enough to fall for something like that in order to profit from their scheme.

I don't expect that Bitgo CEO will fall for this, but I can see newbies getting rekt.


Title: Re: Ledger Phishing Takes Another Form
Post by: examplens on May 27, 2025, 01:19:07 AM
I just stumbled upon a tweet yesterday by Mike Belshe, the CEO of BitGo. It seems he's a victim of a phishing attempt that's probably still related to the Ledger data breach that happened 5 years ago.


I don't think this is related to the data leak of ledger years ago.

The CEO of BitGo is a public figure. The attacker could easily get his personal information from other places.
You never know with Ledger, there are so many potential failures related to them that any given leak case is suspect. It is certainly not a coincidence that such phishing scams happen under their name.

As a potential risky event, I would not rule out the possibility that the kidnappers got something more than money here.
On 21 January 2025, David Balland, co-founder of Ledger, and his wife are kidnapped from their home by an armed commando.  (https://www.saper-vedere.eu/en/studies/kidnapping-of-ledger-co-founder-what-about-the-personal-data-of-wealthy-executives/)


Title: Re: Ledger Phishing Takes Another Form
Post by: Zwei on May 27, 2025, 01:57:34 AM
I don't think this is related to the data leak of ledger years ago.

The CEO of BitGo is a public figure. The attacker could easily get his personal information from other places.
we don't know for sure, but he probably mentioned in an old tweet that he uses Ledger, that's likely why they went for a targeted attack at Ledger instead of Trezor or another hardware wallet.

Scammers are really getting more and more creative. Also, a scam like this requires some investment too as they probably send thousands of such letters, in hope that one or two are curious/naive enough to fall for something like that in order to profit from their scheme.
but they are also making it easy to get caught, they are leaving a paper trail sending all that mail.
if the police get a report and actually look into it, i would imagine whoever is sending those could get arrested pretty quickly.
their fingerprints are probably all over those letters.


Title: Re: Ledger Phishing Takes Another Form
Post by: joniboini on May 27, 2025, 03:19:10 AM
if the police get a report and actually look into it, i would imagine whoever is sending those could get arrested pretty quickly.
their fingerprints are probably all over those letters.
How exactly do people send letters in the US? A quick search gives me the impression that someone can drop a letter "anonymously" and the post office will send the letter to the recipient's address just fine. Using a glove or something would hide the fingerprint, too, although I'm not sure if a smart scammer would go this route instead of spamming spam emails to thousands of email addresses.


Title: Re: Ledger Phishing Takes Another Form
Post by: Darker45 on May 27, 2025, 04:00:34 AM
This was discussed on this forum when it happened some weeks ago. The scammers sent letters to Ledger customers to scan a QR code which will take them to a site where they will enter their seed phrase. And the coins of anyone that enters their seed phrase will be stolen.

Fake Ledger physicial upgrade scam (https://bitcointalk.org/index.php?topic=5539991.msg65329825#msg65329825)

Thanks for the link.

I'm surprised the letters aren't exactly identical. The QR codes indicated in the letters are also different. The letter received by Mike indicated authorize-ledger.com as the site to do the manual validation if the QR code doesn't work, but the one received by Jacob indicated ledger-compliance.com.

I wonder if there's only one group working behind all this. It's possible there are more than one. If there's only one group, they could have just changed the site and kept the rest of the letter. It's possible various scam groups bought different amounts of information from those who stole them, say, one group could only afford 100,000 physical addresses, another 200,000 telephone numbers and 300,000 email addresses. 


Title: Re: Ledger Phishing Takes Another Form
Post by: Rikafip on May 27, 2025, 05:44:44 AM
but they are also making it easy to get caught, they are leaving a paper trail sending all that mail.
if the police get a report and actually look into it, i would imagine whoever is sending those could get arrested pretty quickly.
their fingerprints are probably all over those letters.

It ain't that hard to use fake names when sending all that mail, and also use gloves not to leave fingerprint.

Considering that this is a more elaborate scam, I don't think that scammers behind it are total newbs.


Title: Re: Ledger Phishing Takes Another Form
Post by: Synchronice on May 27, 2025, 12:39:44 PM
Looks like a very smart scam attempt because authorize-ledger.com looks like a very valid domain for an average customer, but it was stupid to send such an email to the CEO of a crypto-related company because there is a low to zero chance they'll get scammed this way, but it will reveal the scam to the public.

I don't think this is related to the data leak of ledger years ago.

The CEO of BitGo is a public figure. The attacker could easily get his personal information from other places.
Does the CEO of BitGo use a Ledger hardware wallet? Did they deliver it to his house address or did they deliver it to his company's headquarters address? He is a public figure but usually people like him hide personal information, like their house address.

but they are also making it easy to get caught, they are leaving a paper trail sending all that mail.
if the police get a report and actually look into it, i would imagine whoever is sending those could get arrested pretty quickly.
their fingerprints are probably all over those letters.
The sender probably doesn't use identity documentation to send the letter via postal service, so they use fake names and fake return addresses to not get caught. Plus, as it was said, they use gloves to not leave fingerprints.


Title: Re: Ledger Phishing Takes Another Form
Post by: Z-tight on May 27, 2025, 05:29:30 PM
I'm not sure if a smart scammer would go this route instead of spamming spam emails to thousands of email addresses.
I also thought the same thing, but i believe that what this scammer or scam group has is a bunch of physical addresses and not email addresses, so they have to craft their scam to land at the doorstep of their target. If they had email addresses, i don't think they would go through this route of sending letters to people, i believe it is harder for people to fall for physical letters than a phishing email.


Title: Re: Ledger Phishing Takes Another Form
Post by: LTU_btc on May 27, 2025, 07:32:48 PM
I also tend to agree with the opinion above that this is probably not related with that data leak. It's probably not very hard to find the address of a public person, especially if the letter was sent to his office. I think scammers targeted only him. It would be a bit too expensive to send physical letters to a huge number of people who got their address leaked.

How exactly do people send letters in the US? A quick search gives me the impression that someone can drop a letter "anonymously" and the post office will send the letter to the recipient's address just fine. Using a glove or something would hide the fingerprint, too, although I'm not sure if a smart scammer would go this route instead of spamming spam emails to thousands of email addresses.
Not sure about USA, but here in my country it's easy to send letters anonymously. You don't have to go to the post office. There are postal boxes around the city where you can drop letters. Something like this:
https://www.shutterstock.com/image-photo/kettering-ohio-usa-april-24-600w-2292962387.jpg


Title: Re: Ledger Phishing Takes Another Form
Post by: Zwei on May 27, 2025, 09:53:42 PM
...
It ain't that hard to use fake names when sending all that mail, and also use gloves not to leave fingerprint.

Considering that this is a more elaborate scam, I don't think that scammers behind it are total newbs.
even if they don't leave fingerprints, use fake names, and pay with cash, and so on... all it takes is one slip up and they are done for.
driving a car registered in their name to the post office and the license plate gets caught on camera, using a personal phone while logged into their google account, etc...

i imagine it would go something like this: they scam some clueless guy who had millions in his Ledger, he reports it to the FBI, and since it's in the US, it's a lot easier for the FBI to investigate, they follow where the funds go and where the phishing mail originated from, they find a mistake the scammers did, they arrest them. case closed.

the scammers could also be based outside the US and are using mules to do their deeds.


Title: Re: Ledger Phishing Takes Another Form
Post by: tabas on May 27, 2025, 11:34:00 PM
Someone who's not fond of these scam attempts will seriously believe it's a real thing. However, looking at the website provided by the letter, Ledger has always reminded people that they shouldn't give any details of their seed phrases to anyone else. While this is a clever scam, those who haven't encountered anything of the same are likely to fall for it. And by validating it, should require them to enter their seed phrases.

Beware of phishing attacks, Ledger will never ask for the 24 words of your recovery phrase. Never share them.


Title: Re: Ledger Phishing Takes Another Form
Post by: Darker45 on May 28, 2025, 03:14:59 AM
Someone who's not fond of these scam attempts will seriously believe it's a real thing. However, looking at the website provided by the letter, Ledger has always reminded people that they shouldn't give any details of their seed phrases to anyone else. While this is a clever scam, those who haven't encountered anything of the same are likely to fall for it. And by validating it, should require them to enter their seed phrases.

Beware of phishing attacks, Ledger will never ask for the 24 words of your recovery phrase. Never share them.

"But it's Ledger itself that's asking for it," some gullible users might say. You can't underestimate the gullibility of people. Have you read of the unbelievable incident involving a person who shared his backup phrase for engraving?

Anyway, with the spread of this kind of phishing attempt, perhaps it's wise for Ledger to also include in their warnings that they would never send physical mails to their users' addresses for verification or any other purpose. This should also be indicated in their website, device packaging, and official social media channels.


Title: Re: Ledger Phishing Takes Another Form
Post by: shield132 on May 29, 2025, 08:26:51 AM
I just stumbled upon a tweet yesterday by Mike Belshe, the CEO of BitGo. It seems he's a victim of a phishing attempt that's probably still related to the Ledger data breach that happened 5 years ago.

It's a bit amusing because this time around, the modus went a bit old-school. It was done via a letter through the US Post Office.

~snip~

I wonder what form phishing attempts take next. What's certain is that scammers trying to make the most out of the stolen data aren't done yet. Apart from the million email addresses that were compromised, there were also hundreds of thousands of names and postal addresses that were stolen. One of them might be yours. Be warned!
I became a victim of a similar scam when I was a kid. I wanted to hack a Facebook account and there was a website like hack-facebook.com, it was like this and I thought it was the official Facebook hack, then typed my login credentials and submitted. Consider that I was an 11-12 year old kid and it was one of my first interactions with a computer. When I look at elder people, like above 40, I see how unfamiliar they are with technology and how they believe everything they see on the internet, so such people will easily fall into this scam, especially when the domain looks so original and legit.

Btw the strangest scam that I've ever seen was how a phishing website managed to get ranked above the official website in Google search engine and scammed thousands of customers of a crypto website.

but they are also making it easy to get caught, they are leaving a paper trail sending all that mail.
if the police get a report and actually look into it, i would imagine whoever is sending those could get arrested pretty quickly.
their fingerprints are probably all over those letters.

It ain't that hard to use fake names when sending all that mail, and also use gloves not to leave fingerprint.

Considering that this is a more elaborate scam, I don't think that scammers behind it are total newbs.
How can you send mail via fake names? In my country, you need to provide an ID at the postal office to send a parcel and you also need to provide your ID when you receive a parcel from the postal office.


Title: Re: Ledger Phishing Takes Another Form
Post by: bitmover on May 29, 2025, 10:22:45 AM
You never know with Ledger, there are so many potential failures related to them that any given leak case is suspect. It is certainly not a coincidence that such phishing scams happen under their name


I believe there are more phishing attacks on ledger because they are the company which sells out the most hardware wallets, because their product is simply amazing.

I own a ledger wallet since 2017 and I have nothing to complain... I just changed the led screen for less than 10 usd and it is new again.

Even big companies like bybit use ledger devices, because they are very good, probably the best (and the hacker didn't attack ledger, but a third party wallet that connected to it).

Personally, if I had to buy a new one, I would buy a trezor because of features such as sending seed online (which you are not forced to use). But I will stick to my ledger while I can.


Title: Re: Ledger Phishing Takes Another Form
Post by: Upgrade00 on May 29, 2025, 11:56:35 AM
Anyway, with the spread of this kind of phishing attempt, perhaps it's wise for Ledger to also include in their warnings that they would never send physical mails to their users' addresses for verification or any other purpose. This should also be indicated in their website, device packaging, and official social media channels.
No one should expect to get a letter from Ledger in their mail box and anyone who does and falls for the scam may not be helped even with a warning. The scammers can also just invent a new way to reach out to potential victims.

Shouldn't there be a limitation on what information is required from users? If postal addresses are not needed, they should not be provided. Same with other personal information, to reduce the levels of exposure in cases of data breaches.


Title: Re: Ledger Phishing Takes Another Form
Post by: tabas on May 29, 2025, 09:22:41 PM
Someone who's not fond of these scam attempts will seriously believe it's a real thing. However, looking at the website provided by the letter, Ledger has always reminded people that they shouldn't give any details of their seed phrases to anyone else. While this is a clever scam, those who haven't encountered anything of the same are likely to fall for it. And by validating it, should require them to enter their seed phrases.

Beware of phishing attacks, Ledger will never ask for the 24 words of your recovery phrase. Never share them.

"But it's Ledger itself that's asking for it," some gullible users might say. You can't underestimate the gullibility of people. Have you read of the unbelievable incident involving a person who shared his backup phrase for engraving?
It's bad that these victims would put the blame to Ledger and not themselves. We can't also blame them for their mistakes but only themselves could do that realizing how gullible they were to become a victim of such scams.

Anyway, with the spread of this kind of phishing attempt, perhaps it's wise for Ledger to also include in their warnings that they would never send physical mails to their users' addresses for verification or any other purpose. This should also be indicated in their website, device packaging, and official social media channels.
I agree, the campaign that they do in making people remember to not share their seed phrases should be done repetitively in all channels that they have. I think that they do this on their subreddit. But it should also be done mostly on their social media accounts since people won't visit a lot the website and subreddit.


Title: Re: Ledger Phishing Takes Another Form
Post by: Darker45 on May 30, 2025, 01:33:19 AM
Anyway, with the spread of this kind of phishing attempt, perhaps it's wise for Ledger to also include in their warnings that they would never send physical mails to their users' addresses for verification or any other purpose. This should also be indicated in their website, device packaging, and official social media channels.
No one should expect to get a letter from Ledger in their mail box and anyone who does and falls for the scam may not be helped even with a warning. The scammers can also just invent a new way to reach out to potential victims.

At least they're sufficiently warned. If they still fall victim to scams the company is constantly warning them about, it's not anymore the company's fault. Warnings can only do so much. They can't compensate for the level of gullibility, carelessness, forgetfulness, and whatnot of certain users. As a matter of fact, some users are still sharing their seed phrase with others despite repeated warnings never to. But a complete absence of proper warnings could make the company partly liable.

New scams should mean new warnings.

Quote
Shouldn't there be a limitation on what information is required from users? If postal addresses are not needed, they should not be provided. Same with other personal information, to reduce the levels of exposure in cases of data breaches.

There should, of course. But these were e-commerce data, probably shipping details. Such data had to be requested from customers for accurate delivery of their devices. However, I think this information should be completely removed from their end right after confirmation that the package is received by the buyer.


Title: Re: Ledger Phishing Takes Another Form
Post by: Upgrade00 on May 30, 2025, 05:42:11 PM
As a matter of fact, some users are still sharing their seed phrase with others despite repeated warnings never to. But a complete absence of proper warnings could make the company partly liable.
There is no harm from warnings, so there's no downside from it. Those who will fall victims will regardless of the warnings they receive, but someone who receives this type of mail and checks if it's legitimate will see a memo from the company saying they will never send physical mails and they'll be convinced it's a scam.

However, I think this information should be completely removed from their end right after confirmation that the package is received by the buyer.
Data unfortunately is a big deal and many companies try to save up as much of it as they can.