Fake hardware-wallet firmware-update lure — impersonates Ledger (Nano S/X, Stax, Flex, Live) / Trezor (Suite, One, Model T, Safe 3) / BitBox / Coldcard / KeepKey / NGRAVE / SafePal / Ellipal with an "urgent / mandatory firmware update required, install within 24 hours or device will be locked" message plus a link to a typosquat "Ledger Live" / "Trezor Suite" installer that exfiltrates the seed phrase on a fake device reconnection. Catastrophic loss: every wallet derived from the compromised seed drains within minutes. The Ledger 2020 customer email breach (1M+ emails) continues to feed targeted campaigns through 2026. Distinct from seed-phrase-verify-phish (direct email-reply harvest). Evidence: Ledger Connect Kit supply-chain attack Dec 2023 ($600K stolen); Trezor "address poisoning protection firmware" phishing wave Jan 2024; ongoing Ledger Recover / mandatory-patch impersonation 2024-2026.
fake-hardware-wallet-firmware-update-lure
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Hardware-wallet firmware-update phishing. Attackers impersonate Ledger, Trezor, BitBox, Coldcard, KeepKey, NGRAVE, SafePal, or Ellipal with an urgent firmware-update narrative — "critical security vulnerability, update firmware within 24 hours or your Ledger Nano X will be locked," "Trezor Suite mandatory security patch 24.4.0 — connect your device now," "your hardware wallet will be disabled unless you install the latest firmware." The link leads to a typosquat host (ledger-firmware-v2.example, trezor-suite-patch.example, ledger-wallet-updater.example) serving a malicious "Ledger Live" or "Trezor Suite" installer. Once installed, the fake client exfiltrates the seed phrase during "device reconnection"; the attacker then drains every wallet derived from that seed within minutes.

This is the catastrophic-loss class of crypto phishing because a hardware-wallet seed phrase is the master key: password rotation and 2FA do not help, and on-chain transactions are irreversible once executed. The 2020 Ledger data breach leaked 1M+ customer email addresses (along with names, physical addresses, and phone numbers) and continues to feed targeted phishing campaigns through 2026 — every year new variants of "mandatory Ledger firmware patch" hit that breach list.

Legitimate Ledger and Trezor firmware-update cadences are frequent enough to normalize the traffic pattern: Ledger Live updates ship roughly monthly, Trezor Suite ships quarterly, and major firmware events (Ledger Stax 2024, Trezor Safe 3 late 2023) have generated waves of legitimate "update available" emails. That legitimate volume is exactly why impersonation works — recipients don't bat an eye at another "firmware update" email.

Distinct from `seed-phrase-verify-phish` (direct seed-phrase harvest via email reply), from `crypto-exchange-alert-lure` (iter 943, exchange credentials), and from generic crypto phishing: this signal specifically requires a hardware-wallet brand plus firmware-update vocabulary.
Real precedents: the Ledger Connect Kit supply-chain attack in December 2023 ($600K stolen from dapps that integrated the compromised JS library); the Trezor phishing wave in January 2024 impersonating an "address-poisoning protection firmware update"; ongoing Ledger "Ledger Recover" / "mandatory-patch" impersonation through 2024-2026; and derivatives of the Ledger customer email breach, which continue to be reused years later.

Legitimate hardware-wallet communications come exclusively from the vendor's own domain: `ledger.com`, `ledger.fr`, `trezor.io`, `satoshilabs.com` (Trezor parent), `bitbox.swiss`, `shiftcrypto.ch`, `coldcard.com`, `coinkite.com`, `keepkey.com`, `ngrave.io`, `safepal.io`, `ellipal.com`. Any hardware-wallet "urgent firmware update" email whose download / installer link is hosted elsewhere is, by construction, a phish.

Defense: always open Ledger Live or Trezor Suite directly from your bookmarked URL (or the desktop application), never from an email link. Hardware-wallet vendors never send urgent "install within 24 hours" deadlines — real security updates ship through the app itself and never ask you to reconnect a hardware device via a web-downloaded installer. If you ever enter or confirm a seed phrase anywhere OTHER than on the real hardware device (not on a screen, not via an installer prompt), assume compromise and move funds to a new wallet generated on a freshly initialized device.
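As an added example (not Gorganizer's own code), the check described above in Python: the signal fires only when a hardware-wallet brand, firmware-update vocabulary and at least one link hosted off a vendor domain co-occur. The brand names and vendor domains are the ones listed on this page; the two sample messages and the host `support.ledger.com` are constructed for the example.

```python
# Added example, not Gorganizer's code: brand + firmware vocabulary + off-vendor link.
import re
from urllib.parse import urlparse

# Brand names and vendor domains as listed on this page.
BRANDS = ("ledger", "trezor", "bitbox", "coldcard", "keepkey",
          "ngrave", "safepal", "ellipal")
VENDOR_DOMAINS = ("ledger.com", "ledger.fr", "trezor.io", "satoshilabs.com",
                  "bitbox.swiss", "shiftcrypto.ch", "coldcard.com", "coinkite.com",
                  "keepkey.com", "ngrave.io", "safepal.io", "ellipal.com")
FIRMWARE_RE = re.compile(r"\b(firmware|security patch|mandatory (update|patch))\b", re.I)
URGENCY_RE = re.compile(r"\b(within \d+ hours?|24 hours|locked|disabled|urgent)\b", re.I)
URL_RE = re.compile(r'''https?://[^\s"'<>)]+''', re.I)

def is_vendor_host(host: str) -> bool:
    """True only for a vendor apex or one of its subdomains: 'support.ledger.com'
    passes; look-alikes such as 'ledger.com.evil.example' or 'notledger.com' do not."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)

def off_vendor_links(text: str) -> list[str]:
    """Hostnames of every link in the text that is not on a vendor domain."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and not is_vendor_host(host):
            hosts.append(host)
    return hosts

def score_firmware_lure(subject: str, body: str) -> dict:
    """Collect the evidence this signal needs. 'fires' requires all three
    elements; urgency is recorded separately because legitimate vendor
    update mails never carry an install-within-N-hours deadline."""
    text = f"{subject}\n{body}"
    brands = [b for b in BRANDS if re.search(rf"\b{b}\b", text, re.I)]
    hosts = off_vendor_links(text)
    fires = bool(brands) and bool(FIRMWARE_RE.search(text)) and bool(hosts)
    return {"fires": fires, "brands": brands, "off_vendor_hosts": hosts,
            "urgency": bool(URGENCY_RE.search(text))}

# Constructed sample messages (not real mail); the typosquat host is from this page.
PHISH = ("URGENT: Ledger Nano X firmware update required",
         "A critical security vulnerability was found. Install the patch within "
         "24 hours or your device will be locked.\n"
         "Download Ledger Live: https://ledger-firmware-v2.example/LedgerLive.exe")
LEGIT = ("New firmware available for Ledger Nano X",
         "Open Ledger Live to install the new firmware. Release notes: "
         "https://support.ledger.com/")
```

The legitimate message contains the same brand and firmware vocabulary; only the link host separates the two, which is why the domain check must match apex-or-subdomain rather than a substring.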
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.