Scammers are reportedly attempting to steal cryptocurrency wallets from Ledger customers by shipping them fake hardware accompanied by a letter claiming the potential victim’s existing device isn’t secure.
Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date.
The company also suffered a data breach in July 2020. It said in December 2020 that “approximately 1 million email addresses” and “9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify” were shared to a database marketplace known as RaidForums. That information has since been used in phishing campaigns like this one.
BleepingComputer reported that this particular campaign involved a modified Nano X, which shipped in the original packaging and shrink-wrapped to make it seem like an official delivery, that shipped with a letter purporting to be from Ledger CEO Pascal Gauthier. The letter claimed the intended victim’s information was affected by the RaidForums leak and that they needed to switch to the new device as a result.
This particular victim decided to take a closer look at the modified Nano X, however, and they discovered that it contained a flash drive that isn’t present on the actual hardware. That drive would most likely be used to install malware designed to compromise the Ledger recovery phrase—and therefore the private key used to secure the wallet—so the scammers could then steal the victim’s cryptocurrency.
Recommended by Our Editors
Ledger acknowledged these efforts on a section of its website dedicated to tracking phishing campaigns. “This is a scam. A Ledger Nano is not a USB device. It does not contain any application to download and install on your computer. The only way to download the Ledger Live app is by using the official download page,” it said. “Plus, Ledger and Ledger Live will never ask you to share your 24-word recovery phrase.”
The company also provides a guide to checking the integrity of Ledger Nano X-branded hardware. That guide includes pictures of the device’s PCB, its root of trust, and other information that can be used to make sure the device hasn’t been compromised. (It doesn’t appear to offer a similar guide for the Nano S.) It’s probably worth following that guide for every Nano X, even if it was legitimately ordered.