Avoid photographing seed phrases
- Ledger and Trezor both tell users not to photograph or otherwise digitize wallet seed phrases, saying anyone who gets those words can rebuild the wallet and move funds.
- Trezor says BIP-39 backups are ordered lists of 12 or 24 words from a 2,048-word list, while Ledger says recovery phrases should stay offline, on paper or steel.
- The warning comes after malware campaigns and fake wallet apps targeted seed phrases and wallet backups stored on phones or entered into spoofed apps. (thehackernews.com)
A seed phrase is the master backup for a self-custody crypto wallet. If someone gets those words, they can recreate the wallet and drain the funds. (trezor.io) (ledger.com) That is why two of the biggest hardware-wallet makers, Ledger and Trezor, tell users not to store seed phrases as photos, screenshots, emails, cloud files, or password-manager entries. (ledger.com) (trezor.io)

Ledger’s current support guidance, updated March 31, 2026, says: do not make a digital copy, do not take a picture, and do not save the phrase in a password manager. It says the phrase “needs to stay strictly offline.” (ledger.com) Trezor’s guidance says the same thing in broader terms: do not keep digital copies, including screenshots, photographs, emails, or Dropbox. It also says users should never enter the backup anywhere unless the Trezor device itself prompts for it. (trezor.io)

The reason is simple: a seed phrase is not a password hint or a partial credential. It is the full recovery key for the wallet, written as ordinary words in a fixed order. (trezor.io) (github.com) Under the widely used Bitcoin Improvement Proposal 39 (BIP-39) standard, a backup is typically 12 or 24 words chosen from a list of 2,048 words. Those words are converted into the seed that generates the wallet’s private keys; no other secret is needed. (trezor.io) (github.com)

Once that backup becomes a phone photo, it can be copied like any other image. Malware, cloud sync, compromised photo libraries, fake support chats, and phishing sites all turn an offline secret into an online target. (ledger.com 1) (ledger.com 2)

That risk is no longer theoretical. The Hacker News reported on April 24 that researchers found 26 fake wallet apps on Apple’s App Store that targeted recovery phrases, part of a broader wave of seed-phrase theft campaigns. (thehackernews.com) Ledger says attackers commonly impersonate support staff and send urgent security alerts to trick users into typing their 24-word phrase into fake apps or websites. Ledger adds that any request for the phrase is a scam. (ledger.com 1) (ledger.com 2)

The low-tech alternative is still the industry standard: write the words down exactly, in order, and keep the backup offline in a place you control. Ledger recommends paper or engraved steel, and Trezor sells metal backup storage for the same reason. (ledger.com) (trezor.io)

The rule is blunt because the consequence is blunt. If a seed phrase ever lives in your camera roll, it is no longer just your backup. (ledger.com) (trezor.io)
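To make concrete why the BIP-39 paragraph above treats the words as the complete key, here is an added Python example (not Ledger’s, Trezor’s, or the BIP-39 reference code) that implements the encoding the standard describes: entropy plus checksum becomes 11-bit word indices, and the words alone, via PBKDF2, become the seed. It assumes only the standard library and works on word indices rather than embedding the 2,048-word list; the only wordlist facts used are that index 0 is “abandon” and index 3 is “about”.

```python
import hashlib
import unicodedata

# BIP-39 (from the public spec): ENT bits of entropy (128..256, in 32-bit steps)
# plus a checksum made of the first ENT/32 bits of SHA-256(entropy), split into
# 11-bit indices into the 2,048-word list. 16 bytes -> 12 words, 32 -> 24 words.
VALID_ENTROPY_LENGTHS = (16, 20, 24, 28, 32)

def entropy_to_indices(entropy: bytes) -> list:
    """Encode entropy as the list of word indices a backup card would show."""
    if len(entropy) not in VALID_ENTROPY_LENGTHS:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = len(entropy) * 8 + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

def indices_to_entropy(indices: list) -> bytes:
    """Reverse the encoding: the words are a lossless copy of the entropy."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("a BIP-39 backup has 12, 15, 18, 21 or 24 words")
    total = 11 * len(indices)
    cs_bits = total // 33
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    return (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")

def checksum_ok(indices: list) -> bool:
    """True if the embedded checksum matches (catches a misread or swapped word)."""
    return entropy_to_indices(indices_to_entropy(indices)) == indices

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'+passphrase -> 64-byte seed.
    Nothing else enters the derivation, so whoever has the words has the wallet."""
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, 64)

# Constructed check: all-zero entropy encodes as index 0 ("abandon") eleven times
# followed by index 3 ("about"), the first vector of the reference implementation.
if __name__ == "__main__":
    idx = entropy_to_indices(bytes(16))
    print(idx, checksum_ok(idx))
    phrase = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(phrase, "TREZOR").hex())
```

The optional passphrase is the only thing that changes the seed for a given phrase, which is why a photographed phrase without one is the entire key.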