Email scams are nothing new. Now, however, users of Ledger hardware wallets are receiving packages containing fake devices purportedly sent by the manufacturer.
In July 2020, Ledger announced a breach of its marketing database. The attack did not affect the security of the wallets, but it led to the leak of a million emails, and its consequences are still being felt a year later.
A Ledger hardware wallet user whose data was among the leaked records posted photos on Reddit of a fake Ledger Nano X wallet that he had received in the mail from scammers. The device came in “proprietary” packaging, but the package showed many suspicious signs. It included a poorly written letter, purportedly signed by Ledger CEO Pascal Gauthier, guaranteeing that such a breach and information leak would never happen again.
The letter stated that, for security reasons, the company had sent the user a new device that he must now use to keep his cryptocurrencies safe. It was accompanied by instructions for setting up and using the new wallet. The user was required to enter a special recovery phrase in order to connect the wallet to the new hardware.
Naturally, by entering this phrase, the user personally hands the attackers access to his wallet. The “gift” devices are designed to transmit the phrase entered by the user to a device controlled by the fraudsters, who can then use it to steal cryptoassets. Security specialist Mike Grover commented on the photographs showing the original and counterfeit circuit boards.
“This is a regular flash card attached to a Ledger wallet for injecting malware. Since all the components are on the other side, it is impossible to say with certainty if this ‘tool’ is just a storage device. However, judging by the soldering, this is just a mini-flash drive without a case. On the back of the device you can see a flash memory card ‘implant’ and four wires connected to the same pins on the Ledger’s USB port,” Grover said.
Ledger warned its customers about the possibility of receiving fake parcels containing a hardware wallet as early as May 10. The company’s management urged users never to connect a fake device to a computer or enter the 24 words into a fake Ledger Live app. Ledger will never require users to provide their passphrase.
In April, a class action lawsuit was filed against Ledger. The wallet maker is accused of failing to make sure that the e-commerce platform Shopify was secure; it was Shopify's actions that led to the information being leaked.