Hardware-wallet seed-phrase / recovery-phrase reveal phish — "Enter your 24-word seed phrase to verify your Ledger / Trezor / Tangem wallet" via lookalike domain harvests the master key for every coin held by the device. Categorically illegitimate phrase set: NO canonical wallet vendor (Ledger, Trezor, Tangem, GridPlus, Keystone, BitBox, Coldcard, Foundation, Cypherock) ever asks the user to enter / verify / validate / restore / migrate / reveal a seed phrase via email — the entire hardware-wallet trust model depends on the seed never leaving the device. New SACRED-tier near-absolute-trash class (parallel to "never delete starred" but inverse polarity — "always trash seed-phrase reveal"). Distinct from `fake-hardware-wallet-firmware-update-lure` (firmware-update pretext, not direct seed-phrase harvest). Multi-locale: matches Swedish "ange din återställningsfras" / "bekräfta din återställningsfras" alongside English. Source: Red-Team R9 multi-agent council S4 (hardware-wallet-firmware specialist), Lead consensus C2.

Hardware-wallet seed-phrase / recovery-phrase reveal phish targeting hardware-wallet owners (Ledger, Trezor, Tangem, GridPlus, Keystone, BitBox, Coldcard, Foundation, Cypherock). The phish narrative arrives as: "Your Ledger Nano X requires re-validation. Please enter your 24-word recovery phrase below to verify ownership and migrate your wallet to the new firmware. Without verification your device will be locked," or "To restore access to your Trezor wallet please validate your 12-word secret recovery phrase via the BIP39 verification form below." Categorically illegitimate phrase set: NO canonical wallet vendor ever asks the user to enter / verify / validate / restore / migrate / reveal a seed phrase via email — the entire hardware-wallet trust model depends on the seed never leaving the device, and every legitimate vendor ships the device with a printed warning to that effect. New SACRED-tier near-absolute-trash class (parallel to "never delete starred" but inverse polarity — "always trash seed-phrase reveal"). Distinct from `fake-hardware-wallet-firmware-update-lure` (firmware-update pretext, not direct seed-phrase harvest); these two signals can co-fire on a single email that combines both pretexts. Multi-locale: matches Swedish "ange din återställningsfras" / "bekräfta din återställningsfras" alongside English "enter / verify / validate / restore / migrate / confirm / submit / reveal / provide / input" + "seed phrase / recovery phrase / 24-word / 12-word / secret recovery phrase / SRP / BIP39." Wallet-context co-predicate (Ledger / Trezor / Tangem / GridPlus / Keystone / BitBox / Coldcard / Cypherock / hardware wallet / wallet / krypto / crypto) prevents firing on generic password-recovery flows. Sender allowlist is intentionally narrow — even canonical Ledger / Trezor newsletters never use the ENTER / REVEAL / VALIDATE prompt vocabulary, so the only practical bypass for canonical senders is to keep the language educational ("Ledger will never ask you to reveal it"). Auto-classified as danger via the `-phish` suffix. Source: Red-Team R9 multi-agent council S4 (hardware-wallet-firmware specialist), Lead consensus C2.