When Hackers Go Old School: Physical Mail Attacks Hit Crypto Users

You know we’re living in strange times when threat actors add good old-fashioned snail mail to their toolkit alongside sophisticated digital attacks. But that’s exactly what’s happening right now, and honestly, it’s pretty clever from an adversarial perspective.

The Return of Physical Social Engineering

Cybercriminals have started sending physical letters to cryptocurrency hardware wallet users, specifically targeting people who own Trezor and Ledger devices. These aren’t your typical phishing emails that we’re all trained to spot – they’re actual paper letters showing up in mailboxes, designed to look like official communications from these wallet manufacturers.

The goal? Getting victims to hand over their recovery phrases, which are effectively the keys to their entire crypto kingdom. The seed phrase is the wallet: whoever holds it can restore the same keys on any device and sign transactions, and no PIN or hardware device stands in the way. Once attackers have those seed phrases, game over. The one check that defeats the whole campaign is simple: Trezor and Ledger never ask for your recovery phrase, not by letter, e-mail, phone call or web form. Any request for it, however official the letterhead, is the attack.

What makes this particularly insidious is how it exploits our security awareness training. We’ve all gotten pretty good at spotting suspicious emails, but how many of us scrutinize physical mail with the same level of paranoia? The attackers are banking on that psychological blind spot, and I suspect it’s working better than they hoped.

This also tells us something important about the threat landscape: when digital defenses get stronger, attackers adapt by finding new vectors. Physical mail feels legitimate in a way that emails often don’t, especially to less tech-savvy crypto investors who might not fully understand how recovery phrases work. It is worth remembering that a letter arriving at your real address with your real name proves nothing about its sender: names and mailing addresses of hardware wallet buyers have leaked before (Ledger’s 2020 e-commerce database breach is the best-known case), and that is exactly the data a campaign like this needs.

The Vulnerability Avalanche Continues

Speaking of things that make our jobs harder, FIRST is forecasting that we’ll see over 50,000 new CVEs disclosed in 2026. That’s not a typo – fifty thousand vulnerabilities in a single year.

I’ve been doing this long enough to remember when breaking 10,000 CVEs felt overwhelming. Now we’re looking at potentially 5x that number. This isn’t just about more software being written – though that’s certainly part of it. We’re also seeing better tooling for vulnerability discovery, more researchers getting into the field, and frankly, more complex software with larger attack surfaces.

The real challenge isn’t just the volume, though. It’s prioritization. When you’re drowning in vulnerability data, how do you focus on what actually matters? This is where threat intelligence and understanding your specific environment become absolutely critical. Not every CVE is going to be relevant to your infrastructure, but figuring out which ones are? That’s the skill that separates good security teams from overwhelmed ones. In practice it means weighting evidence of exploitation (CISA’s Known Exploited Vulnerabilities catalog, and FIRST’s own EPSS exploit-probability scores) and your actual exposure (is the affected component deployed, is it reachable from the internet, what sits behind it) far above the raw CVSS number.
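As an added example (not FIRST’s, CISA’s or any scanner vendor’s code), here is one way to turn those signals into an ordered patch list. The weights, the asset tiers and the remediation windows are assumptions chosen for illustration; the four findings are constructed and carry placeholder identifiers rather than real CVE numbers:

```python
"""Vulnerability prioritisation by exploitation evidence and local exposure.

Added example for this post, not FIRST's, CISA's or any scanner vendor's code.
Field names, weights and thresholds are assumptions chosen for illustration;
the findings in SAMPLE_FINDINGS are constructed, with placeholder identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str             # scanner finding id (placeholders below, not real CVE ids)
    cvss: float            # CVSS base score, 0-10
    epss: float            # FIRST EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    internet_facing: bool  # affected component reachable from the internet
    asset_tier: int        # 1 = crown jewels, 2 = important, 3 = low value (assumed convention)


def priority_score(f: Finding) -> float:
    """Score in [0, 100]; exploitation evidence and exposure outweigh raw severity."""
    # Severity alone is worth at most 30 points: a 9.8 that nobody exploits
    # should not outrank a 7.5 that is being exploited right now.
    severity = 3.0 * f.cvss
    # Likelihood of exploitation is worth up to 40 points. KEV is direct evidence
    # of in-the-wild exploitation, so it acts as a floor rather than a bonus.
    likelihood = 40.0 * f.epss
    if f.in_kev:
        likelihood = max(likelihood, 40.0)
    # Likelihood only matters in proportion to reachability.
    exposure = 1.0 if f.internet_facing else 0.5
    # Asset value scales the whole thing.
    tier_weight = {1: 1.0, 2: 0.66, 3: 0.33}[f.asset_tier]
    score = (severity + likelihood * exposure) * tier_weight
    # The last 30 points go to the worst combination: an internet-facing crown jewel.
    if f.internet_facing and f.asset_tier == 1:
        score += 30.0
    return round(min(score, 100.0), 1)


def sla_bucket(score: float, f: Finding) -> str:
    """Map a score to a remediation window (the windows are assumptions)."""
    if f.in_kev or score >= 70.0:
        return "72h"
    if score >= 30.0:
        return "30d"
    return "next-cycle"


def rank(findings):
    """Return (ident, score, sla) sorted so the first entry is what to patch first."""
    scored = []
    for f in findings:
        s = priority_score(f)
        scored.append((f.ident, s, sla_bucket(s, f)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: four findings that a pure CVSS sort would order A, C, B, D.
SAMPLE_FINDINGS = [
    Finding("finding-A", cvss=9.8, epss=0.02, in_kev=False, internet_facing=False, asset_tier=3),
    Finding("finding-B", cvss=7.5, epss=0.60, in_kev=True, internet_facing=True, asset_tier=1),
    Finding("finding-C", cvss=8.1, epss=0.05, in_kev=False, internet_facing=True, asset_tier=2),
    Finding("finding-D", cvss=6.5, epss=0.90, in_kev=False, internet_facing=False, asset_tier=1),
]

if __name__ == "__main__":
    for ident, score, sla in rank(SAMPLE_FINDINGS):
        print(f"{ident}: {score:5.1f}  patch within {sla}")
```

Run it and the CVSS 9.8 finding on a low-value internal host comes out last, behind a CVSS 7.5 that is in KEV on an internet-facing crown jewel. That inversion is the whole point: severity tells you how bad exploitation would be, not whether it is going to happen to you.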

Ivanti Under Fire (Again)

The Ivanti situation is a perfect example of how attackers are getting more organized and efficient. Researchers found that 83% of exploitation attempts against the EPMM vulnerability came from a single IP address hosted on bulletproof infrastructure.

This concentration suggests we’re not dealing with opportunistic script kiddies here. It looks like coordinated activity, possibly a single threat actor or group systematically working through a list of vulnerable targets. The use of bulletproof hosting tells us they’re thinking about operational security and planning for the long haul. Two caveats before you read too much into one number: a single source IP can also be shared scanning or proxy infrastructure used by more than one operator, and blocking that one address is cheap but is not remediation. The other 17% came from somewhere else, and the next campaign will too.

What’s particularly concerning is how quickly they moved. GreyNoise recorded over 400 exploitation sessions in just nine days. That’s the kind of rapid response time that makes vulnerability disclosure timing so tricky: do you give organizations more time to patch, knowing attackers are already mobilizing? Once exploitation is being observed in the wild, the question answers itself and the patch window is closed. For an internet-facing management appliance like EPMM, that means patching the day the fix ships, or pulling the management interface off the internet until you can, and then going back through the logs for the period before you patched.
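The 83% figure is the kind of thing you can compute yourself from your own edge or honeypot logs. The following is an added example, not GreyNoise’s code: it takes request lines already tagged by a detection rule as exploitation attempts, collapses bursts from one address into sessions, and reports how concentrated the activity is. The log format, the 60-second session gap and the concentration threshold are assumptions; the sample lines are constructed and use RFC 5737 documentation addresses, not real attacker infrastructure:

```python
"""Source concentration of exploitation attempts: one operator or a crowd?

Added example for this post, not GreyNoise's tooling. The log format, the
60-second session gap and the "single-source" threshold are assumptions; the
sample lines are constructed and use RFC 5737 documentation addresses.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: requests already tagged by a detection rule as exploitation
# attempts. Format per line: ISO-8601 timestamp, source IP, rule tag.
SAMPLE_LOG = """\
2025-05-16T02:14:07Z 203.0.113.10 exploit-attempt
2025-05-16T02:14:09Z 203.0.113.10 exploit-attempt
2025-05-16T02:14:12Z 203.0.113.10 exploit-attempt
2025-05-16T05:40:51Z 198.51.100.7 exploit-attempt
2025-05-16T11:02:33Z 203.0.113.10 exploit-attempt
2025-05-16T11:02:35Z 203.0.113.10 exploit-attempt
2025-05-17T00:17:20Z 203.0.113.10 exploit-attempt
2025-05-17T00:17:22Z 203.0.113.10 exploit-attempt
2025-05-17T08:45:01Z 192.0.2.44 exploit-attempt
2025-05-17T13:30:10Z 203.0.113.10 exploit-attempt
2025-05-17T13:30:12Z 203.0.113.10 exploit-attempt
2025-05-18T01:59:59Z 203.0.113.10 exploit-attempt
"""

# Assumed: requests from one IP closer together than this belong to one session.
SESSION_GAP = timedelta(seconds=60)


def parse_log(text):
    """Return [(timestamp, ip, tag)] sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        events.append((ts, parts[1], parts[2]))
    return sorted(events)


def sessions_by_ip(events):
    """Collapse bursts of requests from the same IP into sessions."""
    per_ip = defaultdict(list)
    for ts, ip, _ in events:        # events are time-ordered, so each list is too
        per_ip[ip].append(ts)
    counts = {}
    for ip, stamps in per_ip.items():
        n, last = 0, None
        for ts in stamps:
            if last is None or ts - last > SESSION_GAP:
                n += 1              # gap larger than SESSION_GAP starts a new session
            last = ts
        counts[ip] = n
    return counts


def source_concentration(events):
    """Summarise how much of the tagged activity one source accounts for."""
    requests = Counter(ip for _, ip, _ in events)
    sessions = sessions_by_ip(events)
    top_ip, top_requests = requests.most_common(1)[0]
    total_requests = sum(requests.values())
    total_sessions = sum(sessions.values())
    span = events[-1][0] - events[0][0]
    summary = {
        "total_requests": total_requests,
        "total_sessions": total_sessions,
        "distinct_sources": len(requests),
        "top_ip": top_ip,
        "top_request_share": round(top_requests / total_requests, 3),
        "top_session_share": round(sessions[top_ip] / total_sessions, 3),
        "span_hours": round(span.total_seconds() / 3600, 1),
    }
    # Assumed rule of thumb: one source behind at least half the attempts, with
    # enough volume to rule out chance, reads as a single operator working a list.
    concentrated = summary["top_request_share"] >= 0.5 and total_requests >= 10
    summary["assessment"] = "single-source" if concentrated else "diffuse"
    return summary


if __name__ == "__main__":
    for key, value in source_concentration(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Counting sessions as well as raw requests matters: a single noisy scanner can inflate request counts, while a source that keeps coming back in separate sessions over days is a better indicator of someone deliberately working the target. Feed the summary into the same place your blocklist decisions come from, but treat the top IP as a lead for hunting in internal logs, not as the fix.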

Keeping Up with Browser Security

On a more positive note, Google continues to stay on top of Chrome security with their latest update patching 11 vulnerabilities, including three high-severity issues. Chrome 145 addresses several significant security flaws, with Google’s own security team finding two of the high-severity bugs.

This is actually encouraging – it shows that internal security research is paying dividends. When vendors are finding and fixing their own critical bugs before external researchers or attackers do, that’s the kind of proactive security posture we want to see more of.

Browser security matters more than ever, especially with the rise of web-based applications and services. Every Chrome vulnerability potentially affects billions of users, so Google’s continued investment in finding and fixing these issues before they become problems is something we should all appreciate. One practical caveat: Chrome downloads updates in the background, but the patched binary only runs after a relaunch, so a browser that has been open for a week is still the old build. Open chrome://settings/help (which also triggers an update check) or chrome://version, and relaunch if the version shown is older than 145.

The Bottom Line

The crypto mail attacks remind us that security is about more than just technical controls – it’s about understanding human psychology and attack vectors that exist outside our digital perimeters. Meanwhile, the sheer volume of vulnerabilities we’re facing means we need to get smarter about risk assessment and prioritization.

The good news is that we’re seeing some organizations, like Google, really stepping up their security game. The challenge is scaling that kind of proactive approach across the industry while dealing with an ever-expanding attack surface.

Stay paranoid out there – whether it’s your inbox or your actual mailbox.
