Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach; the tampered devices are used to steal cryptocurrency wallets.
Ledger has been a popular target of scammers lately with the rise in cryptocurrency prices and the popularity of hardware wallets for securing cryptocurrencies.
In a post on Reddit, a Ledger user shared a devious scam after receiving what looks like a Ledger Nano X device in the mail.
As you can see from the images below, the device came in authentic-looking packaging, with a poorly written letter explaining that the device was sent to replace the existing one because the customer's information had been leaked online on the RaidForums hacking forum.
“For this reason, for security reasons, we sent you a new device; you must switch to a new device to stay safe. There is a manual inside your new box that you can read to learn how to set up your new device,” reads the fake letter purporting to be from Ledger.
“For this reason, we have changed the structure of our device. Now we guarantee that this type of breach will not happen again.”
Although the letter is riddled with grammatical and spelling errors, the data of 272,853 people who purchased a Ledger device really was posted on the RaidForums hacking forum in December 2020, which gives the shipment of a new device a somewhat plausible pretext.
Also included in the package was a wrapped Ledger Nano X box containing what appeared to be a legitimate device.
Suspicious of the device, the user opened it up and shared images of the Ledger's printed circuit board on Reddit that clearly show the device had been modified.
Based on the photos, offensive USB implant and cable expert and security researcher Mike Grover, aka _MG_, told BleepingComputer that the threat actors added a flash drive and wired it to the USB connector.
“This appears to be simply a flash drive tied to the Ledger for the purpose of being some kind of malware delivery,” Grover told Bleeping Computer in a chat about the photos.
“All the components are on the other side so I can’t confirm if it’s JUST a storage device, but … judging by very novice soldering work, it’s probably just a ready-to-go mini flash drive that was removed from its casing.”
In the image below, Grover highlighted the flash drive implant and the leads attaching it to the board, noting that “those 4 cables have the same connections for the Ledger’s USB port.”
The accompanying instructions tell the person to connect the ledger to their computer, open a drive that appears, and run the attached application.
The instructions then tell the person to enter their Ledger recovery phrase to import their wallet to the new device.
A recovery phrase is a human-readable seed that is used to generate the private key for a specific wallet. Anyone with this recovery phrase can import a wallet and access the cryptocurrency it contains.
Once entered, the recovery phrase is sent to the attackers, who use it to import the victim’s wallet onto their own devices and steal the cryptocurrency funds it contains.
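To make concrete why a recovery phrase is worth stealing (and why it must only ever be typed into the hardware wallet itself), the following added example, which is not code from the article, from Ledger or from the Reddit poster, walks the standard BIP39/BIP32 derivation with only the Python standard library: the phrase is stretched with PBKDF2 into a seed, and the seed is turned into the master private key with HMAC-SHA512. The derivation is deterministic and has no device-specific secret, so a phrase typed into a malicious desktop app yields exactly the same keys on the attacker's machine. The mnemonic used is the public all-zero-entropy BIP39 test vector, not anyone's real wallet; the function names are this example's own.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, Tuple

# Constructed sample input: the public BIP39 test-vector mnemonic for all-zero
# entropy. It is a documented test value, not a real wallet.
SAMPLE_MNEMONIC = ("abandon " * 11 + "about").strip()


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation.

    seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase),
                              2048 rounds, 64 bytes)
    Nothing here depends on the device the words are typed into.
    """
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 master key: HMAC-SHA512(key=b"Bitcoin seed", data=seed).

    The left 32 bytes are the master private key, the right 32 the chain code;
    every account key in the wallet is derived from these two values.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def import_wallet(phrase: str, passphrase: str = "") -> Dict[str, str]:
    """Model the 'import wallet' step on any device, legitimate or attacker-owned.

    Returns hex-encoded seed, master private key and chain code. Two callers
    holding the same phrase get identical output, which is the whole point of
    a recovery phrase and also why leaking it hands over the funds.
    """
    seed = mnemonic_to_seed(phrase, passphrase)
    master_key, chain_code = seed_to_master_key(seed)
    return {
        "seed": seed.hex(),
        "master_key": master_key.hex(),
        "chain_code": chain_code.hex(),
    }


def same_phrase_same_wallet(phrase: str) -> bool:
    """True if the victim's device and an attacker's device derive the same master key."""
    victim_device = import_wallet(phrase)
    attacker_device = import_wallet(phrase)
    return victim_device["master_key"] == attacker_device["master_key"]


if __name__ == "__main__":
    wallet = import_wallet(SAMPLE_MNEMONIC)
    print("master key:", wallet["master_key"])
    print("attacker derives the same key:", same_phrase_same_wallet(SAMPLE_MNEMONIC))
```

The optional BIP39 passphrase changes the salt and therefore the seed, so a wallet protected by one is not recoverable from the 24 words alone; that is the only secret the scheme has beyond the phrase, and a scam app can simply ask for it as well.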
Ledger is aware of this scam and posted warnings about it in May on its page dedicated to identity theft scams.
As always, Ledger recovery phrases should never be shared with anyone and should only be entered directly on the Ledger device you are trying to recover. If your device does not provide the ability to enter the phrase directly, you should only use the Ledger Live app downloaded directly from Ledger.com.
In 2018, security researchers illustrated several methods that could be used to compromise hardware cryptocurrency wallets, including the Trezor One, Ledger Nano S, and Ledger Blue devices.
Ledger customers bombarded with scams
Ledger suffered a data breach in June 2020 after an unauthorized person accessed its marketing and e-commerce database.
This database was “used to send order confirmations and promotional emails, consisting mainly of email addresses, but with a subset that also includes contact and order details, such as first and last name, postal address, email address and phone number”.
Soon after, Ledger owners began receiving numerous phishing emails pointing to rogue Ledger apps designed to trick them into entering their wallet recovery phrases.
These scams increased in frequency after contact information for 270K Ledger owners was posted on the RaidForums hacker forum in December 2020.
This has led to phishing emails posing as further data breach notifications from Ledger, phishing SMS text messages, and fake software updates hosted on sites impersonating Ledger.com.
All Ledger customers are advised to be suspicious of any unsolicited email, package, or text message claiming to be related to their hardware devices.