Criminals Are Sending Malicious Hardware Wallets to Steal People's Crypto

In the world of cryptocurrency, your cryptographic keys control your coins. Some users, seeking more security, turn to offline "hardware wallets" to store their keys. Now, owners of Ledger hardware wallets are being sent fraudulent devices in a scam aimed at stealing their cryptocurrency.

On Wednesday, BleepingComputer spotted that a Reddit user going by "jjrand" posted that they received a random package claiming to be from the hardware wallet company, containing a seemingly legit Ledger Nano X device. The official-looking, shrink-wrapped package also contained an installation manual that looks like it was created on Microsoft Word and a letter purportedly signed by Ledger CEO Pascal Gauthier telling the recipient to use it to replace their existing product due to a data breach. 

“We now guarantee that this kinda breach will never happen again,” the letter reads. As it turned out, however, the device wasn’t from Ledger; it was all a ruse.

Ledger customers have been targeted by a series of phishing campaigns after the company experienced a data breach last year. The company has started using its website to disclose ongoing phishing campaigns, including this recent one reported by jjrand, and to advise customers on how to avoid being scammed. 

Jjrand posted about this phishing attempt, which they described as “next level,” as a warning to others on the r/LedgerWallet subreddit. Nicholas Bacca, Ledger co-founder, confirmed in a comment on Reddit that it was a fake device and advised them not to use it. 

This is at least the second time that a Ledger user was sent a fraudulent device as part of a scam, based on Ledger's blog entries.

According to Ledger’s description of the most recent incident, the product was actually a “tampered” Ledger Nano X, with a flash drive component attached to the circuit board. It contained a fake Ledger application that asks the user to input their 24-word recovery phrase, which would allow scammers to access and transfer the person’s cryptocurrencies. This recovery phrase secures users’ cryptocurrencies and should never be shared, even with the company, according to Ledger. 

“We need every crypto user to educate themselves about the blockchain and what it means to have great responsibilities and power,” Benoît Pellevoizin, Ledger’s vice president of marketing, told Motherboard. 

Phishing attempts against Ledger users have become so rampant recently that customers have taken to subreddits for advice or speculation regarding resellers, deliveries, and hardware authenticity. The r/LedgerWallet subreddit even features a bot that comments on posts about scams and notes that the subreddit is “continuously targeted by scammers.” Some posters have reported receiving private messages on Reddit containing suspicious links. 

Ledger announced a data breach in July 2020, where an unauthorized third party breached their e-commerce database, gaining access to customers’ contact information, full names, and addresses. A blog post was published on the company’s website describing the breach in detail and claiming that clients’ payment information and crypto was not compromised. 

In December, data from over 270,000 Ledger customers was published on the RaidForums hacking forum. Since then, Ledger has detailed every phishing campaign that has been reported to them on its website–ranging from malicious resellers on Amazon to scam emails and blackmail. 

According to Ledger's site, 392 phishing websites have been shut down since October 2020. Pellevoizin explained that France-based Ledger does work closely with the French authorities and law enforcement to investigate these phishing campaigns when they’re brought to their attention. “It's just the beginning,” he told Motherboard.