Criminals Ship Fake Ledger Devices to Targeted Customers After Data Breach

Scammers are mailing fake "replacement" hardware wallets to Ledger customers whose details were exposed in a data breach; the devices are designed to capture the recipient's recovery phrase and, with it, the cryptocurrency it controls. Ledger manufactures hardware wallets for cryptocurrency and has become a popular target of scammers as cryptocurrency prices rise and hardware wallets grow in popularity as a way to secure funds.

In a post on Reddit, a Ledger user described the scam after receiving what looks like a Ledger Nano X in the mail. The user's photos show a device in authentic-looking packaging, accompanied by a poorly written letter explaining that the device was sent to replace their existing one because their customer information had been leaked on the RaidForums hacking forum. "For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device," read the fake letter claiming to be from Ledger. "For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again."

Although the letter is full of grammatical and spelling errors, the data of 272,853 people who purchased a Ledger device really was published on RaidForums in December 2020, which lends the story some credibility.

The enclosed instructions tell the recipient to connect the device to their computer, open the drive that appears, and run the application on it. The application then asks the user to enter their Ledger recovery phrase to "import" their wallet onto the new device. A recovery phrase is a human-readable seed from which the wallet's private keys are deterministically generated; anyone who holds the phrase can import the wallet on any device and spend the cryptocurrency it contains. Once the phrase is entered, it is sent to the attackers, who import the victim's wallet on their own hardware and drain the funds. Ledger is aware of this scam and posted warnings about it on its website in May.
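To show concretely why a recovery phrase is all an attacker needs, the following added example (not code from the original post, from Ledger, or from the scam application) walks the phrase through the two standard derivations that hardware wallets implement: BIP-39 (phrase to 64-byte seed) and BIP-32 (seed to master private key). Ledger recovery phrases follow BIP-39, so the same computation applies to them. The sample phrase is the public first BIP-39 test vector, constructed here for demonstration and not a real wallet; the `wallet_root` helper and the "victim"/"attacker" naming are this example's own.

```python
import hashlib
import hmac
import unicodedata
from typing import Tuple

# Constructed input: the first BIP-39 reference test vector (11 x "abandon" + "about").
# It is a public test value, not a real wallet; never send funds to it.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

VALID_WORD_COUNTS = (12, 15, 18, 21, 24)  # BIP-39 sizes; Ledger uses 12, 18 or 24
# Order of the secp256k1 group, used only for the BIP-32 validity check below.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed derivation.

    seed = PBKDF2-HMAC-SHA512(password=mnemonic, salt="mnemonic" + passphrase,
                              iterations=2048, dklen=64)
    Only the words (and an optional passphrase) go in: no device-specific secret
    takes part, so the phrase alone reproduces the seed on any machine.
    """
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    if len(words.split(" ")) not in VALID_WORD_COUNTS:
        raise ValueError("a BIP-39 phrase has 12, 15, 18, 21 or 24 words")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP-32 master node: HMAC-SHA512(key=b"Bitcoin seed", msg=seed).

    Left 32 bytes are the master private key, right 32 bytes the chain code.
    Every account and address key is derived deterministically from this pair.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    master_key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(master_key, "big")
    if k == 0 or k >= SECP256K1_N:  # BIP-32: such a seed is invalid (probability ~2^-128)
        raise ValueError("invalid master key for this seed")
    return master_key, chain_code


def wallet_root(mnemonic: str, passphrase: str = "") -> str:
    """Hex master private key for a phrase: what holding the phrase is worth."""
    master_key, _chain_code = seed_to_master_key(mnemonic_to_seed(mnemonic, passphrase))
    return master_key.hex()


if __name__ == "__main__":
    # The victim's genuine device and the attacker's machine compute the same key
    # from the same words; that is the whole reason the scam works.
    victim = wallet_root(SAMPLE_MNEMONIC)
    attacker = wallet_root(SAMPLE_MNEMONIC)
    print("seed (passphrase 'TREZOR'):", mnemonic_to_seed(SAMPLE_MNEMONIC, "TREZOR").hex())
    print("master key identical on both sides:", victim == attacker)
```

The optional BIP-39 passphrase (the "25th word") is the only input that a phrase alone does not reveal, which is why `wallet_root` with a passphrase yields a different key; most users do not set one, and the scam letter does not ask for it because the plain 24 words already control the default wallet.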

Analyst Notes

All Ledger customers are advised to be suspicious of any unsolicited email, package, or text claiming to be related to their hardware devices. Ledger recovery phrases should never be shared with anyone and should only be entered directly on the Ledger device you are trying to recover. If the device does not provide the ability to enter the phrase directly, you should only use the Ledger Live application downloaded directly from