Fake Ledger devices mailed out in attempt to steal from cryptocurrency fans

In December last year, we reported how the email and mailing addresses of some 270,000 Ledger customers had been published on a hacking forum following a data breach.

At the time we warned users of the hardware cryptocurrency wallet to watch out for phishing scams that might attempt to steal users’ credentials.

What we hadn’t predicted was that cybercriminals would use a rather more elaborate way to steal users’ credentials.

As Bleeping Computer reports, some Ledger customers have received fake replacement Ledger devices via the post, alongside a letter that claims it is a replacement hardware wallet that should be used in the wake of the earlier data breach.

In a Reddit post, a Ledger customer shares photographs of the package he received as well as the contents of the letter which purports to come from Ledger’s CEO:

Dear Ledger client, As you know, Ledger was targeted by a cyberattack that led to a data breach in July 2020. We were informed about the dump of the content of a Ledger customer database on Raidforum. We believe this to be the contents of our e-commerce database from June 2020. At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen, as well as 9,532 more detailed personal information records (name, surname, phone number and customer wallet information) that we were able to specifically identify. For this reason, for security purposes, we have sent you a new device. You must switch to the new device to stay safe. There is a manual inside your new box; you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kind of breach will never happen again. We deeply apologize for the inconvenience caused to you due to our faulty security systems. Note: This new device doesn’t work for new setups. You need to follow the 6-step installation guide which is inside your box. Once you have successfully installed it, you can start to use your new device.

Accompanying the letter was a shrinkwrapped Ledger box, containing a modified device.

Credit: u/jjrand @ Reddit

Of course, it’s easy to take the packaging for a Ledger Nano X, replace its contents with a fake hardware wallet, and then shrinkwrap it again.

Ledger has confirmed that the device purporting to be a Ledger Nano X inside the box is fake: “A flash drive implant has been connected to the printed circuit board. It contains a file with a fake Ledger Live app. There are enclosed instructions in the Nano box which ask the user to connect the device to their computer, open a drive and run the fake Ledger Live app. To initialize the device, the user is asked to enter his 24 words in the fake Ledger Live app. This is a scam. A Ledger Nano is not a USB device. It does not contain any application to download and install on your computer. The only way to download the Ledger Live app is by using the official download page. Plus, Ledger and Ledger Live will never ask you to share your 24-word recovery phrase.”

In short, if you make the mistake of plugging the device into your computer and running the program contained on the device, you are putting the security of your PC in peril and might be one step away from handing over the keys to any cryptocurrency you might have stashed away.
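An added, defender-side illustration of the tell Ledger describes (this code is not from the article or from Ledger): a genuine Nano enumerates as a USB HID device, so a "Ledger" that also exposes a mass-storage interface, or any new drive that appears when you plug one in, is the flash-drive implant. Ledger's USB vendor ID 0x2c97 is a known value; the lsusb-style listing and the product ID below are constructed for the example.

```python
import re

# Ledger's registered USB vendor ID (a known value). A genuine Ledger Nano
# enumerates as a HID device (interface class 3); it never exposes a USB
# mass-storage interface (class 8), which a flash-drive implant needs in
# order to offer a fake "Ledger Live" file for the victim to run.
LEDGER_VID = 0x2C97
USB_CLASS_MASS_STORAGE = 0x08

# Constructed sample in the style of `lsusb -v` (not a real capture).
# Device 4 looks like a genuine Nano; device 5 claims the Ledger vendor ID
# but also exposes a mass-storage interface. The product ID is made up.
SAMPLE_LSUSB = """\
Bus 001 Device 004: ID 2c97:0001 Ledger Nano
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 005: ID 2c97:0001 Ledger Nano
    Interface Descriptor:
      bInterfaceClass         3 Human Interface Device
    Interface Descriptor:
      bInterfaceClass         8 Mass Storage
"""

DEVICE_RE = re.compile(r"Bus (\d+) Device (\d+): ID ([0-9a-f]{4}):([0-9a-f]{4})")
CLASS_RE = re.compile(r"\s+bInterfaceClass\s+(\d+)")


def parse_lsusb(text):
    """Return {(bus, dev): (vid, pid, [interface classes])} from lsusb -v style text."""
    devices = {}
    current = None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:  # start of a new device block
            current = (int(m.group(1)), int(m.group(2)))
            devices[current] = (int(m.group(3), 16), int(m.group(4), 16), [])
            continue
        m = CLASS_RE.match(line)
        if m and current is not None:  # interface class belongs to current device
            devices[current][2].append(int(m.group(1)))
    return devices


def mass_storage_devices(text):
    """Bus/device numbers of anything exposing mass storage, flagged if it claims Ledger's VID."""
    return [
        (key, vid == LEDGER_VID)
        for key, (vid, _pid, classes) in parse_lsusb(text).items()
        if USB_CLASS_MASS_STORAGE in classes
    ]
```

Run against the output of `lsusb -v` on a Linux host after connecting the device: a genuine Nano never appears in the returned list.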

As attempts to break into cryptocurrency wallets go, it’s certainly more of a palaver than the typical phishing attack or optimistic malware-laced email, and must take much more time for the attacker. But then, if you’re vying to break into somebody else’s cryptocurrency fortune, that may well be time you believe well spent.

The best advice for owners of hardware wallets would seem to be to remain suspicious of all communications related to their devices – whether they be via email, phone, or parcel.