A scam targeting Ledger hardware wallet owners is still active


Self-custody of Bitcoin (BTC) and other cryptocurrencies is, for many, the safest way to protect these digital assets. Storing private keys on a physical device such as a hardware wallet offers a level of security that online platforms, which are permanently connected to the Internet, can hardly match.

However, attackers have found ways to get around those solutions. One of the most frequently attacked links is the supply chain, a point that attackers exploit to tamper with the components of these devices and insert malicious elements, as CriptoNoticias recently reported in relation to one model of Trezor wallet.

Another type of fraud, this one involving tampered hardware wallets, spread between late 2020 and early 2021 after the Ledger data leak of 2020 and “has not disappeared”, according to a report by Intelligence On Chain (IOC), a security research platform within the cryptocurrency ecosystem.

This is how the scam with tampered Ledgers began

The report details that, in 2021, James (a fictitious name used by IOC to protect the victim’s identity) was using a Ledger hardware wallet to keep his cryptoasset holdings away from online risks. One day, without prior notice, an unexpected package arrived at his door.

The packaging looked professional and carried the official Ledger logo. Inside he found a device that appeared genuine and a letter supposedly sent by the company’s CEO. The message explained that, due to an alleged security breach, his previous device had been compromised and had to be replaced with this new one. The letter included James’s personal details, such as his name, address and email, which gave him a false sense of authenticity.

A counterfeit box and letter sent to Ledger hardware wallet users.
In this case the scammers send a “new” Ledger wallet that drains the user’s funds. Source: IOC.

The deception behind the device

The letter instructed James to set up the “new” device and, to “protect” his assets, enter his recovery phrase into an application he had to download. Although he had doubts, the apparent legitimacy of the package and the use of his personal data convinced him, according to the IOC statement. When he connected the device and followed the instructions, everything seemed normal. But within minutes his wallet was emptied. Assets he had accumulated, such as Bitcoin, Ethereum (ETH) and NFTs (non-fungible tokens), disappeared.

The device was not an authentic Ledger but a modified replica carrying malware designed to capture the recovery phrase and send it to the scammers. Once they had the phrase, the attackers accessed the funds and transferred them immediately: whoever holds the 24 words can regenerate every private key the wallet controls, so the hardware itself no longer matters.

Malware is malicious software designed to infiltrate, damage or compromise a device, network or computer system without the user’s consent.

The box of a counterfeit Ledger wallet.
Fake Ledgers contain malware inserted by the attackers. Source: IOC.

How did the attackers get hold of “James’s” personal data? How did they know he owned a Ledger? According to the IOC report, this scam exploited the 2020 Ledger data leak, which exposed the personal information of more than 270,000 customers. The scammers used that data to personalize their attacks, leading victims to trust the legitimacy of the packages.

Intelligence On Chain’s research points out that the Ledger wallets were compromised by tampering with their physical components. Specifically, it is likely that a malicious USB memory containing the malware was soldered onto a genuine device.

Image of the interior of a Ledger wallet.
The interior of a compromised Ledger wallet next to an untampered one. Source: IOC.

Community lessons and warnings

In response to the IOC report, users on social networks pointed out that scams involving replacement devices are not new. One user stressed that Ledger’s use of external suppliers widens the opportunities for attackers to intercept and replace legitimate devices, a risk he described as a “man in the middle” attack.

Another user analyzed the letter James received, noting that it contained writing errors that should have raised suspicion, such as an informal tone and false statements, like the claim that the device could not be used as a new wallet. A third user stressed the importance of verifying any suspicious communication directly with Ledger, something that could have prevented the loss.

As IOC points out, a golden rule is that neither Ledger nor any other legitimate wallet manufacturer will ever ask for the recovery phrase. With a genuine hardware wallet the phrase is generated on, and only ever typed into, the device itself, so any computer or phone application that asks for it is the giveaway. Entering it into an untrusted device or an unknown application is a mistake that can cost everything.

Ledger offers a support link where users can get help in cases like the one described here.

The impact of the 2020 leak is still being felt

The 2020 Ledger data breach not only exposed personal information but also opened the door to a series of targeted attacks. According to Chainalysis estimates cited by IOC, scams related to this leak have caused losses of at least 11 million dollars.

On Reddit, recent victims of similar attacks have shared experiences that show the problem is still current. A Ledger user living in the United Kingdom reported at the end of January 2025: «My email, along with thousands of others, was in the customer data leak of July 2020. For months I received emails from scammers, but then it tapered off and I barely received any for a couple of years. Now they have started again. They began arriving after a call three months ago from someone claiming to be from the British police, first one or two emails a week, now one or two a day.»

Also last January, another user described: «I recently received a call from a woman who said she was from Ledger. She said my device was compromised and that I needed to run a diagnostic to check whether it was corrupted. They had my full name, phone number and email. The website they sent me had a different domain from Ledger’s official one. The site runs a diagnostic on your device, generates a fake error message and asks you to enter your 24 recovery words.»

Meanwhile, in December 2024, the researcher and investigator known as Tony on X warned that this form of fraud had resurfaced: “Someone has spoofed Ledger’s official email and is sending it out so that people expose their recovery phrase.”

For users, the case of “James” and the others described here underline the importance of diligence. A hardware wallet, whatever the model, is not infallible if its owner falls for a deception that compromises the recovery phrase. Verifying the authenticity of any communication, avoiding software downloaded from unofficial sources and, above all, never sharing the 24 words are essential practices for protecting assets.
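The “different domain” detail in the Reddit account above is the one check a user can apply mechanically before clicking anything: does the link really point at the vendor’s domain, or only at something that contains its name? The script below is an added example, not code from the article, from IOC or from Ledger. It assumes, for illustration only, that `ledger.com` and its subdomains are the sole legitimate hosts, and it rejects the usual lookalikes (official name as a prefix, hyphen instead of dot, userinfo trickery, punycode). The sample links are constructed for the demo.

```python
"""Hostname allowlist check for links that claim to come from a wallet vendor.

Added example, not code from the article or from Ledger. It assumes that
`ledger.com` (and its subdomains) is the only legitimate domain; adjust the
allowlist for the vendor you actually deal with.
"""
from typing import Optional
from urllib.parse import urlsplit

# Assumed allowlist for the example. Only registrable domains belong here,
# never a bare brand name such as "ledger".
OFFICIAL_DOMAINS = frozenset({"ledger.com"})


def extract_host(url: str) -> Optional[str]:
    """Return the lower-cased hostname of `url`, or None if it cannot be parsed.

    urlsplit() separates userinfo (user:pass@), port and path from the host,
    so "https://ledger.com@evil.example/" resolves to "evil.example",
    not to "ledger.com".
    """
    if "://" not in url:
        url = "https://" + url  # bare hostname pasted from an email or SMS
    try:
        host = urlsplit(url).hostname
    except ValueError:  # malformed IPv6 brackets and similar
        return None
    if not host:
        return None
    # Normalise case and strip a trailing dot; punycode (xn--) is left as-is,
    # so a homoglyph domain is never mistaken for the real one.
    return host.lower().rstrip(".")


def is_official(url: str) -> bool:
    """True only if the host IS an allowlisted domain or a subdomain of one.

    Suffix matching on the dot boundary defeats the common lookalikes:
      ledger.com.evil.example   official domain used as a prefix
      ledger-com.example        hyphen instead of dot
      notledger.com             official domain as a suffix without a dot
      xn--...                   punycode homoglyph, literally a different host
    """
    host = extract_host(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(urls):
    """Split a list of links into (official, suspicious)."""
    official, suspicious = [], []
    for u in urls:
        (official if is_official(u) else suspicious).append(u)
    return official, suspicious


if __name__ == "__main__":
    # Constructed sample links for the demo; none of these came from a real email.
    sample = [
        "https://www.ledger.com/academy",
        "https://support.ledger.com/",
        "https://ledger.com.recovery-check.example/diagnose",
        "https://ledger-com.example/24-words",
        "https://ledger.com@evil.example/login",
        "https://notledger.com/",
        "https://www.xn--ledgr-kva.com/",  # constructed punycode lookalike
    ]
    ok, bad = triage(sample)
    for u in ok:
        print("official  ", u)
    for u in bad:
        print("SUSPICIOUS", u)
```

The check is deliberately strict: a link passes only if its host is the allowlisted domain or ends in “.” plus that domain. Anything else, including a page that merely displays the vendor’s logo and name, is treated as suspicious, which is the right default for a site that goes on to ask for 24 words.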
