The French startup Ledger, the world’s leading cold crypto wallet producer, has once again fallen foul of a security breach. This time, the attack takes a physical form, with fake USB drives sent to Ledger customers.
In December 2020, ledger customer data was hacked and published for free online. Previously, some of this data had been sold for a tidy sum on the black market.
This data contains the contact details, email addresses, postal addresses and telephone numbers of Ledger users.
This month, the nightmare turned out not to be over for tens of thousands of customers of the French startup.
The theft of data in December allowed scammers to retrieve the postal addresses of customers. Instead of carrying out classic phishing by email, the scammers this time organised a physical phishing via fake Ledger Nano X USB sticks.
These are being sent out in a package that looks like those sent by Ledger. From the outside, it is difficult to detect the scam. However, the package is accompanied by a letter ‘signed’ by ledger’s CEO, Pascal Gauthier. The terrible writing quality leaves you wondering:
“For security purposes we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”
The box also contains a fake user guide that asks the user to connect the key to a computer. During this step, the user is then prompted to enter their 24-word passcode.
In order to warn potential victims, a Ledger customer posted a message on Reddit’s r/Ledgerwallet forum. Writing under the pseudonym u/jjrand, the contributor accompanied his message with photos of the letter, the fake user guide, the box and the open key.
This post prompted a reaction from security researcher Mike Grover, who, by comparing the photo of the fake key to that of a real Ledger key, found that the printed circuit board was very different. The fake key aims to retrieve the 24-word passcode and redirect it to a device controlled by the scammers.
The French startup claims to be aware of this scam since May. It issued several warning messages reminding that customers should never communicate their 24-word passcode and that Ledger never sends a USB flash drive without the request coming from the customer.
Subscribe to our daily and weekly newsletter service to receive a digest of the latest news in the cryptosphere and never miss out on any of the Cointribune's highlights!
Quand j’ai commencé dans les cryptos il y a 3 ans, il y avait plus de 95% d’hommes et encore très peu de femmes, bon ça n'a toujours pas beaucoup changé, mais les choses bougent et je suis fière de representer les femmes dans ce milieu très technique qui est passionnant et plein d'avenir.
The views, thoughts, and opinions expressed in this article belong solely to the author, and should not be taken as investment advice. Do your own research before taking any investment decisions.
|BITCOIN (BTCUSD) ₿||$24,076.00||0.88%|
|ETHEREUM (ETHUSD) Ξ||$1,904.50||1.34%|
|IMM. US (REIT)||$2,668.90||-0.29%|