Paper Phishing Mailings to Potential Bitcoin Users to Steal their Bitcoin

Like with email, don’t necessarily trust any physical mailings. I think Ledger (third-party contractor), Trezor (third-party contractor) and Coinbase all had data breaches. The Coinbase one is funny, as I still get occasional phone calls to a California Google Voice number I still have, and they’re using AI voices and trying to scare you with claims someone in Mexico is trying to log in to your account… I only used a Coinbase account for a short time to test over a decade ago, and their fees were too high and then started messaging to upload ID for KYC, so a trash company I wouldn’t use with my account locked since I didn’t do their KYC dance. Coinbase is also in bed with the TradFi megacorps and undermining crypto users… Anyway, this was actually a nice blog post from Coinkite about people reporting letters from them trying to steal their Bitcoin. And kudos for their deleting customers’ data after a set time.

https://blog.coinkite.com/paper-spam/

Paper spam attempts

  • Published Jun 24, 2026

Remember letterhead? Now it’s the Newest Affinity Scam!

About Recent Physical Letters

We have received concerns from a few of our customers regarding a letter apparently from “Coinkite” asking them to upgrade their firmware for “Post QUanTUM” reasons.

This is a scam to steal your coins!

Coinkite would never send you a paper letter!

  • We delete all customer data, especially physical addresses, after 120 days.
  • Coinkite does not use CRM tools or any external third party tools.
  • Letters with branding of our wallet competitors have also been reported.
  • Our support tickets (and emails) also get deleted on a schedule.
  • We saw this in 2025, but this is a new round of letters in our brand style as well as our competitors.

We are actively investigating the situation. So far it seems most of the data is aggregated from multiple sources of leaks from other crypto providers and data filled-in from other data leaks over the years. Looks like someone is funding a spray-and-pray campaign over snail mail! We are so used to email spam it feels weird.

We recommend contacting support with more information so we can keep investigating. It’s very possible the customs and duties department of a country had a data leak. If it’s a large country, then that would expose all of our customers in that country. Recently we put together this rather long list of individual crypto company data breaches.

What Can I Do?

If you use Bitcoin to pay and shipped to a PO Box with an alias, then you have nothing to worry about! Most governments do not make that easy, and anon PO Box access is certainly not universal.

If you used a credit card, Stripe is the payment processor. They have not reported any breaches and we trust them (and the US laws they operate under) to report any they do have.

If you shipped DHL/FedEx, they will necessarily have your address, but we don’t know of any reports of breaches from them. We do not know what internal controls these carriers have, but we do know they have thousands of customer support representatives with access to address data.

The reality is we’re probably not the only company that knows you’re a Bitcoiner. Most people have bought Bitcoin-related products or services from other vendors over the years and shipped them to a home address, and any of those vendors and their third parties are a possible source.

If you are certain that only Coinkite had a specific address and you receive this paper letter, please report it to support. We are hoping these letters are geographically targeted/limited, and that if we get enough reports, we can track which country or carrier leaked data.

What Are We Doing About It?

  • Remember to expect a “Your Data has been Blanked” email from Coinkite a few months after you interact with the store. If you have unclaimed gift cards, vouchers, or have a reseller relationship with us, then this does not happen. We may sometimes send a double email from time to time.
  • You can request accelerated data blanking anytime after your package arrives. Just email support and they can blank your profile and even remove your email.
  • We would like to shorten our data retention period, but credit card fraud makes that difficult.
  • All emails from our systems continue to be PGP signed.
  • We have audited our servers and found no reason to suspect any data breach.
  • If we identify a pattern in the reports, we will announce it.
  • We are adding another note to our disclaimer that is included in our transactional emails:
[Image: example email footer text]