Ledger customers have reported receiving fake replacement devices in the mail, designed to phish private security information.
The consequences of Ledger’s major data breach continue to be felt almost a year later. One contributor to the r/ledgerwallet forum on Reddit, writing under the tag “u/jjrand” and self-identified as one of those affected by the breach, has posted images of what appears to be a fake Ledger Nano X wallet received in the mail.
Wrapped in seemingly authentic packaging, the device nonetheless included several tell-tale signs that sparked the contributor’s suspicion. Most jarringly, the package came together with a poorly written letter claiming to be signed by Ledger CEO Pascal Gauthier, telling its recipient:
“For security purposes we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”
Aside from the letter, u/jjrand also received a fake manual containing instructions on how to use the device and, crucially, asking the user to enter their private Ledger recovery phrase to connect their cryptocurrency wallet to the new hardware. On the basis of further images of the device’s circuit board uploaded to Reddit, security researcher Mike Grover told BleepingComputer that the device had been tampered with:
“This seems to be a simply flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery. All of the components are on the other side, so I can’t confirm if it is JUST a storage device, but […] judging by the very novice soldering work, it’s probably just an off the shelf mini flash drive removed from its casing.”
Grover highlighted a section of the back of the device showing the flash drive implant, noting that “those 4 wires piggyback the same connections for the USB port of the Ledger.”
On the basis of Grover’s and BleepingComputer’s analysis, the scheme appears designed to capture the recovery phrase the user enters and relay it to a device controlled by the scammers, who can then use it to steal the associated cryptocurrency holdings.
In an online post dated May 10 but not cited by u/jjrand, Ledger had already warned customers about the fake letter and device, stating that:
“The fake user guide in the Nano’s box asks the user to connect the device to a computer. To initialize the device, the user is then asked to enter his 24 words in a fake Ledger Live application. This is a scam. Do not connect the device to your computer and never share your 24 words. Ledger will never ask you to share your 24-word recovery phrase.”
While the warning is included in Ledger’s online list of phishing campaigns of which the company is aware, it is not clear whether the company has contacted users directly, especially those whose leaked details may make them more susceptible to falling for the ruse.
Cointelegraph has reached out to Ledger for comment and will update this article with further information regarding this issue.
As previously reported, other consequences of the data leak have included Ledger users receiving emails from extortionists threatening physical violence or other criminal attacks. The original data breach had occurred in June and July 2020 and included 1,075,382 email addresses from users subscribed to the Ledger newsletter. It notably also involved the leak of personal information (including home addresses) associated with 272,853 hardware wallet orders.