Scam alert: Ledger users receive fake hardware wallets
The French startup Ledger, the world’s leading cold crypto wallet producer, has once again fallen foul of a security breach. This time, the attack takes a physical form, with fake USB drives sent to Ledger customers.
Ledger plagued by new security breach
In December 2020, ledger customer data was hacked and published for free online. Previously, some of this data had been sold for a tidy sum on the black market.
This data contains the contact details, email addresses, postal addresses and telephone numbers of Ledger users.
This month, the nightmare turned out not to be over for tens of thousands of customers of the French startup.
The theft of data in December allowed scammers to retrieve the postal addresses of customers. Instead of carrying out classic phishing by email, the scammers this time organised a physical phishing via fake Ledger Nano X USB sticks.
These are being sent out in a package that looks like those sent by Ledger. From the outside, it is difficult to detect the scam. However, the package is accompanied by a letter ‘signed’ by ledger’s CEO, Pascal Gauthier. The terrible writing quality leaves you wondering:
“For security purposes we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”
The box also contains a fake user guide that asks the user to connect the key to a computer. During this step, the user is then prompted to enter their 24-word passcode.
A scam reported by a customer on Reddit
In order to warn potential victims, a Ledger customer posted a message on Reddit’s r/Ledgerwallet forum. Writing under the pseudonym u/jjrand, the contributor accompanied his message with photos of the letter, the fake user guide, the box and the open key.
This post prompted a reaction from security researcher Mike Grover, who, by comparing the photo of the fake key to that of a real Ledger key, found that the printed circuit board was very different. The fake key aims to retrieve the 24-word passcode and redirect it to a device controlled by the scammers.
The French startup claims to be aware of this scam since May. It issued several warning messages reminding that customers should never communicate their 24-word passcode and that Ledger never sends a USB flash drive without the request coming from the customer.
Back in 2017, when I started out in the crypto space it was 95% men and women were barely seen… and to be honest not much has changed, however there does seem to be light at the end of the tunnel. I am proud to represent women in this male dominated industry which is passionate and the future!