Ledger hardware-wallet users have been receiving new devices by mail that purportedly protect them from the consequences of the data breach that occurred in the summer of 2020. In reality, the ‘wallets’ have been modified by attackers and are designed to steal cryptocurrency. This was reported by a member of the Ledger community on Reddit under the username jjrand.
The device arrives in convincingly authentic packaging and outwardly resembles a Ledger Nano X. A letter full of grammatical and spelling errors accompanies the package. In it, unknown individuals claiming to speak for the company state that the ‘wallet’ has been sent as a replacement for the existing one and is intended to safeguard customers’ security.
Source: Reddit.
“We have redesigned the structure of our device. We now guarantee that such a breach will never happen again. You must switch to the new device,” the letter states.
Users compared the printed circuit boards of the original and the device received in the package. In the photos, their differences are visually evident:
Front view of fake Ledger hardware wallet. Source: Reddit.
Original Ledger hardware wallet front view. Source: Ledger.
Security researcher Mike Grover, after reviewing the photos, concluded that the attackers had added USB flash-drive components to the device.
“It looks like it’s just a flash drive attached to a Ledger, intended to deliver some malware. All components are on the other side, so I can’t confirm that the device functions only as memory. But judging by the soldering, it’s probably just a mini flash drive without a case,” he said.
Grover added that the flash-drive implant has four wires connected to the Ledger’s USB-port-like pads.
Back view of fake Ledger hardware wallet. Source: Reddit.
Original Ledger hardware wallet back view. Source: Ledger.
The device comes with a setup guide. The user is asked to connect the “Ledger” to their computer and run the accompanying app. After that, the program prompts for a recovery phrase to supposedly import the wallet onto the new device.
If the user enters this information, the attackers will be able to access their wallet and steal the cryptocurrency stored on it.
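A genuine hardware wallet of this kind talks to the host as a USB HID device, whereas the implant Grover describes is a flash drive, which enumerates as a USB mass-storage interface. The following Python script is an added example, not code from the article, from Ledger or from the Reddit poster: it audits a list of USB device descriptors and flags any wallet-branded device that exposes a mass-storage interface, lacks the expected HID interface, or carries a vendor ID that does not belong to the wallet maker. It assumes Ledger's USB vendor ID is 0x2c97 (as listed in the public USB ID database and in Ledger's udev rules) and uses the USB-IF class codes 0x03 (HID) and 0x08 (Mass Storage); the device records in `SAMPLE_DEVICES` are constructed for illustration and do not describe the actual implant's descriptors.

```python
"""Audit USB device descriptors for wallet-branded devices that behave like
flash drives. Added example; not from the article, Ledger, or the poster.

Assumptions (not from the article):
  - Ledger's USB vendor ID is 0x2c97 (public USB ID database / udev rules).
  - USB-IF interface class codes: 0x03 = HID, 0x08 = Mass Storage.
  - The sample device records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

HID_CLASS = 0x03            # USB-IF class code for Human Interface Device
MASS_STORAGE_CLASS = 0x08   # USB-IF class code for Mass Storage (flash drives)
WALLET_VENDORS = {0x2C97: "Ledger"}   # assumption: Ledger's public vendor ID


@dataclass
class UsbDevice:
    vendor_id: int
    product_id: int
    product: str                      # iProduct string reported by the device
    interface_classes: List[int] = field(default_factory=list)


def audit(devices: List[UsbDevice]) -> List[Tuple[UsbDevice, str]]:
    """Return (device, reason) findings for devices that look like a wallet
    but do not behave like one. Devices that are not wallet-branded are
    ignored; ordinary flash drives are normal on a host."""
    findings = []
    for dev in devices:
        known_vendor = dev.vendor_id in WALLET_VENDORS
        wallet_branded = known_vendor or "ledger" in dev.product.lower()
        if not wallet_branded:
            continue
        if MASS_STORAGE_CLASS in dev.interface_classes:
            findings.append((dev, "wallet-branded device exposes a USB mass-storage interface"))
        if HID_CLASS not in dev.interface_classes:
            findings.append((dev, "wallet-branded device lacks the expected HID interface"))
        if not known_vendor:
            findings.append((dev, "product string names a wallet vendor but vendor ID is not theirs"))
    return findings


# Constructed sample descriptors (illustrative only).
SAMPLE_DEVICES = [
    # Expected shape of a genuine device: Ledger vendor ID, HID interface only.
    UsbDevice(0x2C97, 0x4011, "Nano X", [HID_CLASS]),
    # An unrelated flash drive: not wallet-branded, so it is ignored.
    UsbDevice(0x0951, 0x1666, "DataTraveler", [MASS_STORAGE_CLASS]),
    # A device that advertises itself as a Ledger but is really a flash drive.
    UsbDevice(0x0951, 0x1666, "Ledger Nano X", [MASS_STORAGE_CLASS]),
    # A composite device: genuine vendor ID, but with an extra storage interface.
    UsbDevice(0x2C97, 0x4011, "Nano X", [HID_CLASS, MASS_STORAGE_CLASS]),
]


def audit_sample() -> List[Tuple[UsbDevice, str]]:
    """Run the audit over the constructed sample set."""
    return audit(SAMPLE_DEVICES)


if __name__ == "__main__":
    for dev, reason in audit_sample():
        print(f"{dev.vendor_id:04x}:{dev.product_id:04x} {dev.product!r}: {reason}")
```

On a Linux host the same fields can be read from sysfs (`idVendor`, `idProduct`, `product`, and `bInterfaceClass` under each interface directory) and fed into `audit`; the point of the check is that a storage interface on a device presenting itself as a wallet is a red flag regardless of what the accompanying letter says.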
Representatives from Ledger said they were aware of this scam and in May they had already warned users about it.
The company once again urged customers to use software only from the official Ledger.com site and not to share the recovery phrase with anyone.
As reported, the data leak of one million Ledger users occurred on June 25, 2020. An unknown party gained access to users’ email addresses, names, and phone numbers.
At the end of October, a user under the nickname Polaris posted the database on the hacker forum exploit.in. A user named hyperdrill bought it for 5 BTC.
On December 21, these data were publicly available via the RaidForums forum, where anyone could download them.
In early 2021, Ledger Nano wallet owners began receiving threats from unknown individuals demanding a ransom of 0.3 BTC or 10 ETH. The letters contained the victim’s full name and home address, as well as threats of physical harm if the terms were not met within 24 hours.
The Ledger developers announced a reward of 10 BTC for help in locating cybercriminals.
In April, the Roche Freedman law firm filed a class-action lawsuit in a San Francisco court against Ledger and Shopify. They valued the losses from the leak at over $5 million.