Ledger

Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.

Ledger has been a popular target by scammers lately with rising cryptocurrency prices and the popularity of hardware wallets to secure cryptofunds.

In a post on Reddit, a Ledger user shared a devious scam after receiving what looks like a Ledger Nano X device in the mail.

As you can see from the pictures below, the device came in an authentic looking packaging, with a poorly written letter explaining that the device was sent to replace their existing one as their customer information was leaked online on the RaidForum hacking forum.

"For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," read the fake letter from Ledger.

"For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again."

Even though the letter was filled with grammatical and spelling errors, the data for 272,853 people who purchased a Ledger device was actually published on the RaidForums hacking forum in December 2020. This made for a slightly convincing explanation for the sending of the new device.

Packaging and letter for the fake Ledger device
Packaging and letter for the fake Ledger device
Source: Reddit

Also enclosed in the package was a shrinkwrapped Ledger Nano X box that contained what appeared to be a legitimate device.

Enclosed shrinkwrapped Ledger device
Enclosed shrinkwrapped Ledger device
Source: Reddit

After becoming suspicious of the device, they opened it and shared pictures of the Ledger's printed circuit board on Reddit that clearly show the device was modified.

Front of fake Ledger hardware wallet
Front of fake Ledger hardware wallet
Source: Reddit
Front of real Ledger hardware wallet
Front of real Ledger hardware wallet
Source: Ledger

Based on the photos, security researcher and offensive USB cable/implant expert Mike Grover, aka _MG_, told BleepingComputer that the threat actors added a flash drive and wired it to the USB connector.

"This seems to be a simply flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery," Grover told BleepingComputer in a chat about the photos.

"All of the components are on the other side, so I can't confirm if it is JUST a storage device, but.... judging by the very novice soldering work, it's probably just an off the shelf mini flash drive removed from its casing."

In the image below, Grover highlighted the flash drive implant connected to the wires while stating. "Those 4 wires piggyback the same connections for the USB port of the Ledger."

Back of fake Ledger hardware wallet
Back of fake Ledger hardware wallet
Source: Reddit
Back of real Ledger hardware wallet
Back of real Ledger hardware wallet
Source: Ledger

The enclosed instructions tell the person to connect the Ledger to their computer, open a drive that appears, and run the enclosed application.

The instructions then tell the person to enter their Ledger recovery phrase to import their wallet to the new device.​

Fake Ledger instructions explaining how to transfer wallet to new device
Fake Ledger instructions explaining how to transfer wallet to new device
Source: Reddit

A recovery phrase is a human-readable seed used to generate the private key for a specific wallet. Anyone who has this recovery phrase can import a wallet and access the cryptocurrency it contains.

After entering the recovery phrase, it is sent to the attackers, who use it to import the victim's wallet on their own devices to steal the contained cryptocurrency funds.

Ledger is aware of this scam and has posted warnings about it in May on their dedicated phishing page.

As always, Ledger recovery phrases should never be shared with anyone and should only be entered directly on the Ledger device you are trying to recover. If the device does not provide the ability to enter the phrase directly, you should only use the Ledger Live application downloaded directly from Ledger.com.

In 2018, security researchers illustrated various methods that could be used to compromise hardware cryptocurrency wallets, including the Trezor One, Ledger Nano S, and Ledger Blue devices.

Ledger customers bomarded with scams

Ledger suffered a data breach in June 2020 after an unauthorized person accessed their e-commerce and marketing databasse.

This database was "used to send order confirmations and promotional emails – consisting mostly of email addresses, but with a subset including also contact and order details such as first and last name, postal address, email address and phone number."

Soon after, Ledger owners began receiving numerous phishing emails pointing them to fake Ledger applications designed to trick them into entering their wallet's recovery phrases.

These scams increased in frequency after the contact information for 270K Ledger owners was posted on the RaidForums hacker forum in December 2020.

This has led to phishing scams pretending to be further Ledger data breach notifications, SMS phishing texts, and software upgrades on sites impersonating Ledger.com.

All Ledger customers are advised to be suspicious of any unsolicited email, package, or text claiming to be related to their hardware devices.

Related Articles:

US moves to recover $2.3 million from "pig butchers" on Binance

Fake Leather wallet app on Apple App Store is a crypto drainer

Palestine crypto donation scams emerge amid Israel-Hamas war

KuCoin charged with AML violations that let cybercriminals launder billions

US sanctions crypto exchanges used by Russian darknet market, banks