Several Ledger users have reported receiving fake replacement devices in the mail. The devices are designed to phish for the recipient's recovery phrase. Nearly one year later, the consequences of Ledger's major data breach are still being felt.
A contributor to the Reddit r/ledgerwallet forum, posting under the handle u/jjrand and self-identified as one of the victims of last year's breach, has published images of what appears to be a fake Ledger Nano X wallet received in the post.
Although wrapped in reasonably authentic-looking packaging, the device showed several red flags that raised his suspicion. Most strangely, it came with a poorly written letter purportedly signed by Ledger CEO Pascal Gauthier, informing its recipient:
“For security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”
Apart from that letter, u/jjrand also received a fake manual with instructions on how to use the new device which, critically, asked the recipient to enter their Ledger recovery phrase in order to connect their crypto wallet to the new hardware.
Based on additional images of the device's circuit board uploaded to Reddit, security researcher Mike Grover told BleepingComputer that the fake device had been tampered with:
“This seems to be a simple flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery. All of the components are on the other side, so I can’t confirm if it is JUST a storage device, but […] judging by the very novice soldering work, it’s probably just an off-the-shelf mini flash drive removed from its casing.”
Grover focused on a section of the back of the device that showed the flash drive implant, noting that:
“those 4 wires piggyback the same connections for the USB port of the Ledger.”
Based on Grover's and BleepingComputer's analysis, the scheme appears designed to capture the recovery phrase the victim types and transmit it to a device or service controlled by the scammers. The criminals then use the phrase to drain the associated crypto holdings.
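A genuine hardware wallet enumerates as a USB HID device and has no reason to present storage to the host; a flash drive spliced onto the USB lines, as in the implant described above, shows up as a mass-storage interface, either as a separate device or, depending on the wiring, under the wallet's own vendor ID. The following is an added example, not code from the article, from Ledger or from BleepingComputer: it diffs two USB inventory snapshots (the fields `lsusb -v` or pyusb would report) taken before and after plugging the device in and flags any mass-storage interface that appears. The vendor ID 0x2c97 is the one Ledger's udev rules match on; the product ID, bus and address numbers and the flash-drive IDs are constructed for illustration.

```python
"""Flag USB mass-storage interfaces that appear when a hardware wallet is plugged in.

Added example, not from the article or from Ledger. Snapshots are constructed from
the fields `lsusb -v` (or pyusb) reports; only the Ledger vendor ID is real, the
product ID, bus/address numbers and the flash-drive IDs are illustrative.
"""
from dataclasses import dataclass

LEDGER_VID = 0x2C97            # Ledger SAS USB vendor ID (from Ledger's udev rules)
USB_CLASS_HID = 0x03           # bInterfaceClass for HID, how a genuine Nano talks to Ledger Live
USB_CLASS_MASS_STORAGE = 0x08  # bInterfaceClass for mass storage, i.e. a flash drive


@dataclass(frozen=True)
class UsbDevice:
    bus: int
    address: int
    vid: int
    pid: int
    interface_classes: tuple   # bInterfaceClass of every interface descriptor on the device


def new_devices(before, after):
    """Devices present in `after` but not in `before`, keyed by bus/address/vid/pid."""
    seen = {(d.bus, d.address, d.vid, d.pid) for d in before}
    return [d for d in after if (d.bus, d.address, d.vid, d.pid) not in seen]


def audit_plug_in(before, after):
    """Return human-readable findings about what appeared on the bus.

    A hardware wallet should enumerate as a HID device and nothing else. Any
    mass-storage interface that appears at the same time, whether under the
    wallet's vendor ID or as a separate device, matches the implant pattern
    (a flash drive wired onto the wallet's USB lines) and is reported as an alert.
    """
    findings = []
    for d in new_devices(before, after):
        ident = f"{d.vid:04x}:{d.pid:04x} (bus {d.bus} addr {d.address})"
        if USB_CLASS_MASS_STORAGE in d.interface_classes:
            who = "wallet vendor ID" if d.vid == LEDGER_VID else "unknown device"
            findings.append(f"ALERT mass-storage interface on {who} {ident}")
        elif d.vid == LEDGER_VID and USB_CLASS_HID in d.interface_classes:
            findings.append(f"ok hardware wallet enumerated as HID {ident}")
        else:
            findings.append(f"note unexpected device appeared {ident}")
    return findings


# Constructed snapshots: a root hub alone, then a genuine wallet, then a wallet
# plus a flash drive that enumerated alongside it.
BEFORE = (UsbDevice(1, 1, 0x1D6B, 0x0002, (0x09,)),)                    # root hub only
GENUINE = BEFORE + (UsbDevice(1, 5, LEDGER_VID, 0x4011, (USB_CLASS_HID,)),)
TAMPERED = GENUINE + (UsbDevice(1, 6, 0x0781, 0x5567, (USB_CLASS_MASS_STORAGE,)),)

if __name__ == "__main__":
    for line in audit_plug_in(BEFORE, TAMPERED):
        print(line)
```

Run it against real inventories by building `UsbDevice` entries from `lsusb -v` (the `idVendor`, `idProduct` and `bInterfaceClass` fields) before and after connecting the suspect device; a fake that presents only as storage, with no HID interface at all, is caught by the same rule.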
In a May 10 online post that u/jjrand did not cite, Ledger had already warned its users about the fake letter and device, saying:
“The fake user guide in the Nano’s box asks the user to connect the device to a computer. To initialize the device, the user is then asked to enter his 24 words in a fake Ledger Live application. This is a scam. Do not connect the device to your computer and never share your 24 words. Ledger will never ask you to share your 24-word recovery phrase.”
While that warning is part of Ledger's online list of phishing campaigns the firm is already aware of, it is not yet known whether the firm has contacted its users directly, particularly those whose leaked details make them more likely to fall for this scam.
Ledger has yet to respond on this matter. According to previous reports, other consequences of the data leak included Ledger customers receiving emails from extortionists who threatened physical violence and other criminal attacks.
The original data breach took place in June and July 2020 and exposed 1,075,382 email addresses of users who had subscribed to the Ledger newsletter. Notably, it also leaked personal information, including home addresses, associated with 272,853 hardware wallet orders.