Ledger phishing letter scam steals 600,000 USDT, and U.S. federal prosecutors recover all funds

Ledger phishing letter

The U.S. District Court for the District of Connecticut issued a ruling on March 31, ordering the forfeiture of more than $600,000 in USDT (Tether). The funds came from a physical letter phishing scam targeting Ledger hardware wallet users: the victim, “TM,” received a letter disguised as coming from the “Ledger Security and Compliance Department” in September 2025. After following the instructions, the victim’s recovery seed phrase was exposed, and the scammers immediately emptied the wallet.

Phishing Letter Scam Mechanism: How One Letter Empties a Hardware Wallet

The case demonstrates “physical mail phishing”—an attack method that is harder to spot than digital phishing. The attackers used the names and home addresses obtained from the 2020 Ledger customer database breach to send highly professional-looking letters to targeted users. The letters typically instruct the recipient either to enter the 24-word recovery seed phrase on a forged copy of the official website or to scan a QR code printed in the letter that leads to a malicious page.

After the victim “TM” followed the letter’s instructions, the scammers gained full control of the wallet by obtaining the recovery seed phrase and withdrew all assets. Ledger has long and clearly stated that the company will never proactively send any letter requesting a recovery seed phrase or conducting security verification—any such requests, no matter how professional the appearance, are scams.

How the Federal Investigation Followed the Money: Blockchain Transparency Ends the Money-Laundering Attempt

After stealing the funds, the scammers used several obfuscation methods to try to cut off the tracking path:

Multi-layer intermediary wallet transfers: The funds were repeatedly moved back and forth among multiple addresses in an attempt to obscure their source.

Conversion into the USDT stablecoin: The stolen assets were converted into USDT. Because stablecoins are highly liquid, they are considered convenient for cashing out later.

A deliberately complex laundering route: The whole route was designed to make it difficult for law enforcement to trace the final holding address back to the stolen source.

However, all transactions on the blockchain are public and immutable records. Investigators used blockchain analysis tools to fully track the complete flow of the funds and confirmed that the assets involved exceeded $600,000. The prosecution filed a civil forfeiture action with case number 3:26-cv-28 in the U.S. District Court for the District of Connecticut, alleging that this batch of USDT was derived from wire fraud and involved illegal money-laundering conduct.

Tether’s Key Cooperation and the Legal Significance of Civil Forfeiture

The core technical breakthrough in this case lies in Tether’s active cooperation. After law enforcement confirmed the location of the funds, Tether proactively froze the USDT in the related addresses, and then transferred these tokens to a government-controlled wallet. This played a decisive role in completing the return of the assets.

The legal significance of the civil forfeiture process is that it does not require identifying, arresting, or prosecuting a criminal suspect. Given that the suspect in this case is believed to be overseas and that traditional criminal procedures are nearly impossible to carry out, civil forfeiture still enabled the victim to recover the losses. Assistant U.S. Attorney David X. Sullivan explicitly stated, “Criminals should not expect to be able to continue holding stolen goods.” The recovered USDT will be formally returned to the victim “TM” through the Department of Justice’s asset management process.

Frequently Asked Questions

How can you identify a phishing letter disguised as coming from Ledger?

Ledger never proactively sends any communication asking for a recovery seed phrase or for security verification. Any communication requesting a 24-word recovery phrase is a scam, no matter how professional it looks and even when the sender already knows your name and home address. All of Ledger’s security notifications are sent through official apps or verified email channels, never through physical mail.

How does blockchain analysis help track stolen USDT?

All transaction records on the blockchain are public and immutable. Law enforcement can use professional on-chain analysis tools to trace the complete path from the stolen wallet to the final holding address. Even if the funds pass through multiple intermediary wallets and are exchanged among different coins, as long as the final holding address is confirmed, it can provide sufficient legal grounds for a civil forfeiture lawsuit.
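The laundering pattern described earlier (hops back and forth between intermediary wallets, consolidation, a split into an exchange deposit and a holding wallet) and the tracing described in this answer can be shown on a small constructed ledger. The following Python script is an added example and is not code from the article, from Ledger, from Tether, or from any investigator's tooling. It implements proportional ("haircut") taint tracing, one common approach in on-chain analysis: every transfer out of the victim wallet is fully tainted, and at every later hop the taint leaves in proportion to the tainted share of that address's balance, so mixing with unrelated funds dilutes the trail but never erases it. All addresses, amounts and timestamps are constructed, and amounts are in USD-equivalent units so a token swap can be modelled as an ordinary transfer.

```python
"""Proportional ("haircut") taint tracing over a constructed transfer list.

Added example, not part of the article. Models how an investigator follows
stolen funds across intermediary wallets to the final holding addresses that
a civil forfeiture action (or a stablecoin issuer's freeze) would target.
"""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Transfer:
    ts: int        # ordering key (block height or timestamp), constructed
    src: str       # sending address, constructed label
    dst: str       # receiving address, constructed label
    amount: int    # constructed USD-equivalent value


# Constructed sample ledger mirroring the article's pattern: drain, shuffle
# between hops, consolidation together with unrelated funds, then a split
# into an exchange deposit and a final holding wallet.
SAMPLE_TRANSFERS = [
    Transfer(1, "VICTIM", "HOP_A", 400_000),
    Transfer(2, "VICTIM", "HOP_B", 200_000),
    Transfer(3, "HOP_A", "HOP_B", 100_000),   # shuffle
    Transfer(4, "HOP_B", "HOP_A", 100_000),   # shuffle back
    Transfer(5, "HOP_A", "HOP_C", 400_000),
    Transfer(6, "HOP_B", "HOP_C", 200_000),
    Transfer(7, "HOP_C", "EXCHANGE_DEPOSIT", 350_000),
    Transfer(8, "HOP_C", "FINAL_HOLD", 350_000),
]
# HOP_C already held 100,000 of unrelated (clean) funds before the stolen money
# arrived; this is the mixing step the haircut model has to cope with.
SAMPLE_CLEAN_BALANCES = {"HOP_C": 100_000}


def trace_taint(transfers, origin, clean_balances=None):
    """Follow funds leaving `origin` through every later hop.

    Every transfer out of `origin` is fully tainted. For any other address the
    taint leaves in proportion to the tainted share of its balance. Returns
    (tainted_holdings, tainted_edges): what each address still holds of the
    stolen value, and every hop that carried some of it.
    """
    balance = defaultdict(Fraction)   # total balance per address
    tainted = defaultdict(Fraction)   # tainted part of that balance
    for addr, amt in (clean_balances or {}).items():
        balance[addr] += amt
    edges = []
    for t in sorted(transfers, key=lambda x: x.ts):
        if t.src == origin:
            moved = Fraction(t.amount)              # drain: 100% stolen
        elif balance[t.src] > 0:
            share = tainted[t.src] / balance[t.src]
            moved = Fraction(t.amount) * share      # haircut rule
            balance[t.src] -= t.amount
            tainted[t.src] -= moved
        else:
            moved = Fraction(0)                     # no known tainted funds
        balance[t.dst] += t.amount
        tainted[t.dst] += moved
        if moved > 0:
            edges.append((t.src, t.dst, moved))
    holdings = {a: v for a, v in tainted.items() if v > 0}
    return holdings, edges


def total_traced(holdings):
    """Stolen value still accounted for across all holding addresses."""
    return sum(holdings.values(), Fraction(0))


def report(holdings, edges):
    for src, dst, amt in edges:
        print(f"{src:>17} -> {dst:<17} tainted {int(amt):>9,}")
    print("candidate freeze / forfeiture targets:")
    for addr, amt in sorted(holdings.items()):
        print(f"  {addr:<17} {int(amt):>9,}")


if __name__ == "__main__":
    h, e = trace_taint(SAMPLE_TRANSFERS, "VICTIM", SAMPLE_CLEAN_BALANCES)
    report(h, e)
    print(f"total traced: {int(total_traced(h)):,}")
```

Running the script with the constructed sample ends with 300,000 of stolen value attributed to each of `EXCHANGE_DEPOSIT` and `FINAL_HOLD`, 600,000 in total, with the clean 100,000 that sat in `HOP_C` correctly excluded. Because taint is conserved at every hop, the total traced always equals the drained amount regardless of how many shuffles or how much clean money is mixed in; what changes is only how the stolen value is distributed across the final addresses, which is exactly the list an investigator hands to an issuer such as Tether for a freeze.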

How does civil forfeiture work in crypto fraud cases when the suspect is located overseas?

Civil forfeiture targets the assets involved directly, not a specific criminal suspect. Therefore, there is no need for arrest or extradition proceedings. This allows law enforcement, even when the suspect is in a jurisdiction where extradition is impossible, to legally freeze and recover the victims’ losses through cooperation from stablecoin issuers such as Tether. It is one of the most effective legal tools in cross-border crypto fraud cases.
