Scam mails target Ledger users with quantum-resistance QR links

Scammers have mailed professionally printed letters to owners of Ledger hardware wallets that claim a “Quantum Resistance Security Update” and include QR codes that link to phishing sites designed to capture 24‑word recovery phrases. The notices reference correct Ledger model numbers and apparent order information.

Reports of the mailed campaign appeared in late April 2026 and spread on social media in early May. A user photo posted on May 6 shows one of the letters. Security researchers and several recipients say the mailing list appears to have been compiled from customer data exposed in Ledger’s 2020 breach, when names, addresses and phone numbers for thousands of customers were leaked.

The phishing pages reached via the QR codes prompt users to enter their 24‑word recovery phrases. Ledger is investigating the reports and reiterated that it will never request a recovery phrase from customers. The company posted: “Ledger will never call, DM, or ask for your 24‑word recovery phrase.” Ledger also noted that firmware updates and genuine security notices are distributed only through its official channels and that the company cannot deliver firmware updates by postal mail.

The letters exploit discussion about future quantum threats to cryptography. Ledger’s chief technology officer, Charles Guillemet, has urged preparation for quantum-capable machines that could one day break elliptic curve cryptography, the system blockchains use to create public and private key pairs. When a public key is revealed-such as when an address is reused or funds are spent-a sufficiently powerful quantum computer could use Shor’s algorithm to derive the corresponding private key.

A study by quantum security firm Project Eleven projects a nontrivial chance that a “cryptographically relevant quantum computer” could appear by 2033 and possibly as early as 2030. The study estimates about 6.9 million bitcoin are stored in addresses with exposed public keys and that more than 65% of Ethereum tokens sit in similarly exposed addresses. Security researchers describe a “harvest now, decrypt later” threat, where attackers collect public keys and other data now and wait for quantum hardware capable of deriving private keys.

Work published in March 2026 from researchers at Google lowered estimates of the quantum resources needed to attack elliptic curve cryptography, suggesting a system with roughly 1,200 logical qubits could perform such an attack on superconducting hardware in under 90 minutes.

Ledger said it is working with the blockchain community on quantum‑resistant solutions and is monitoring cryptographic research. Security experts advise users not to scan unsolicited QR codes, never to enter seed phrases on websites, and to follow Ledger’s official channels for firmware and security information. Recipients and researchers say the mailings relied on past customer data and used social engineering tied to quantum security concerns.