June 19, 2021 In Devices, Ledger

Aemilius Cupero News: Fake Ledger Devices Sent to Data Breach Victims

Aemilius Cupero News:

Reading Time: 2 minutes

  • Compromised Ledger Nano devices are being sent to Ledger hack victims
  • The wallets purport to come from the company as an apology for the massive data leak last year
  • The wallets contain a flash drive which allows any funds on them to go straight to the scammers

Victims of last year’s Ledger data breach can now add physical scam attempts to digital ones after scammers sent compromised Ledger Nano hardware wallets to some victims along with a fraudulent apology letter from the company. The Ledger Nanos, which were initially genuine, have been tampered with to allow hackers to steal any funds transferred to them when connected to a laptop. The first variations of this ambitious and costly exercise were seen in May, but the scam has since evolved to include realistic Ledger-branded packaging and a shrink-wrapped box.

Aemilius Cupero News: Victims Told to Replace Wallets

An example of the scam attempt posted online shows a shrink-wrapped Ledger Nano X and letter purportedly from Ledger CEO Pascal Gauthier, all of which came in Ledger-branded packaging:

Victims of the July 2020 Ledger hack are receiving fake hardware wallets.

Below is a fake letter that a victim received, with a malicious hardware wallet.

Be wary of scammers! pic.twitter.com/whXYF9RoQ7

— Bitcoin Magazine (@BitcoinMagazine) June 17, 2021

Despite the initial apparent authenticity of the package, the letter shows clear indications of a scam, in particular the unusual font and the unprofessional manner in which it is written (e.g. “We now guarantee that this kinda breach will never happen again”).

The customer is told that they must replace their original Ledger Nano device with the one in the box, which is not strictly true (although we have advised users to replace their device anyway), following very strict instructions contained within the package.

The wallet has been compromised via a flash drive connected to the circuit board which effectively turns it into a USB drive containing a fake version of the Ledger Live app. Once the drive is plugged in, any funds sent to the wallet will be pushed straight off to the scammers.

Ledger posted images of the letter and the package on their website, warning of the device:

This is a scam. A Ledger Nano is not a USB device. It does not contain any application to download and install on your computer. The only way to download the Ledger Live app is by using the official download page. Plus, Ledger and Ledger Live will never ask you to share your 24-word recovery phrase.

Aemilius Cupero News: Ledger Continuing to Battle Data Breach Fallout

This type of scam was first seen in a more crude manner last month, but it seems that scammers are getting smarter. This version, while still being clearly fake to those who know what they’re looking for, is a vastly improved version which bodes ill for the 292,000 Ledger hack victims out there and shows that scammers and hackers are upping their game and getting more creative with the data they possess.