• Scammers have started another campaign to steal crypto from Ledger hardware wallet users whose data was exposed in the 2020 data breach.
• Users receive a fake ledger hardware wallet and a letter directing them to replace their existing hardware wallets to secure their funds. 

In June 2020, an unauthorized third party accessed Ledger’s e-commerce and marketing database through an API key. According to the company, 1 million email addresses of its customers were exposed. A further investigation disclosed that a subset of 9,500 ledger hardware wallet users was affected. Some of the data exposed include first names, last names, phone numbers, ordered products, and postal addresses. 

In December 2020, data of 272,853 persons who purchased a Ledger hardware wallet were published on a hacking forum called RaidForums. Since then, the affected users have received a series of fake emails with malicious links meant to steal their 24-word recovery phrases.

The most recent campaign targeted at Ledger users and confirmed by the company is the mailing of fake ledger devices to users to steal their cryptos. These devices are enclosed in an authentic-looking package with a ledger logo. The box is wrapped as if it has never been opened, and contains a tampered ledger wallet and a fake letter. The letter directs customers or users to replace their existing hardware wallets to secure their funds. 

A flash drive implant has been connected to the printed circuit board which contains a file with a fake Ledger live app. The nano box has an instruction that asks users to connect the device to their computer. It then asks them to open a drive and run the fake Ledger live app. 

Now comes the trick

Users are asked to enter their 24-word recovery phrase in the fake ledger live app to initialize the device. The scammers get access to the phrase and use it to generate the private keys, import the wallet and access the stored crypto. 

A Ledger Nano is not a USB device. It does not contain any application to download and install on your computer. The only way to download the Ledger Live app is by using the official download page.

Comparing the printed circuit board of both the fake and the real ledger reveals that the former has been modified. A security researcher and offensive USB cable or implant expert Mike Grover confirmed to Bleepingcomputer that there is a flash drive strapped onto the ledger to serve as a malware delivery. According to him, the fake ledger could be an “off-the-shelf mini flash drive removed from its casing”. However, it is difficult to judge if it is just a storage device since all of the components are on the other side. 

Be suspicious of receiving a free Ledger hardware wallet

An update on the ledger website reveals that the phishing campaign has been ongoing since December 2020. Users were initially tricked into downloading a fake ledger live app with the claim that the site has been breached. In January 2021, users were asked to click on a malicious link to confirm whether they attempted to connect to their device. The scammers have continuously updated their techniques to steal cryptos from users. 

Ledger chief information security officer Matt Johnson has said that the company is aware of the current campaign, and has added it to their list of ongoing malicious campaigns listed on their site.

You should be suspicious of receiving a free product in the mail that you didn’t order and check Ledger’s official channels or contact the Ledger support team.