Ledger users are receiving threatening emails in the wake of the hardware wallet manufacturer reporting that 20,000 more of its customers have been affected by another massive data breach.
One or more extortionists using the names Darrin Burlew and Denni Hornig have reportedly sent emails to users who say their personal information was released as a result of the data breach at Ledger in June and July of last year.
Reddit user Crypthomie, a former flight attendant based in the United Arab Emirates, said his Ledger owning father received a message today. The email included his name, home address, and phone number and demanded 0.3 Bitcoin (BTC) or 10 Ether (ETH) — worth roughly $12,000 — or he'd face physical violence. Crypthomie made headlines in the crypto space last by being unable to pay back a $100,000 loan to buy BTC at the height of the 2017 bull run.
“I am taking this very seriously and Ledger has made a very big mistake,” said the Redditor. “I know that those scammers sending emails by hundreds are just trying their luck by creating fear, but when it comes to the safety of your family it's another story.”
“Don't be fooled people, no one will come to your home to kill you but this feeling of insecurity is a scandal and Ledger has to do something about it.”
Other Ledger users report receiving similar emails with demands for a crypto ransom to be paid within 24 hours or they will face “horrifying” consequences.
“Are you able to imagine all the possible consequences that can occur to you and your loved ones?” said the scammer in another email. "I hope you do not ruin every little thing for yourself by making the wrong choice.”
While real world attacks to steal cryptocurrency are much rarer than hacks or scams, they do occur. Bitcoin engineer Jameson Lopp (who lives off the grid) maintains a list of news articles reporting attacks in “meatspace” to steal cryptocurrency.
The threats came a day after Ledger announced that data from roughly 20,000 more users had been leaked via Shopify, blaming “rogue members” the platform’s support team.
The original data breach in June and July 2020 included 1,075,382 email addresses from users subscribed to the Ledger newsletter, and the personal information (including home addresses) of 272,853 hardware wallet orders. Cointelegraph reported last month that the hackers responsible for the breach had made all the Ledger customers’ information publicly available, increasing the risk of phishing attacks, blackmail, and kidnapping.
In response to these attacks, Ledger stated it would be working with analytics firm Chainalysis and others to keep track of the scammers’ wallets. Ledger said it will report any illicit transactions to law enforcement, at which time it may be able to “freeze the crypto assets should they land on exchanges.” Ledger has also arranged a bounty of 10 BTC — roughly $390,000 at the time of publication — ”for information leading to successful arrest and prosecution” of the scammers.
However, some Ledger users who believe they are still at risk seem unsatisfied with the firm’s response, expressing incredulity over the lack of security and demanding compensation.
“That 10 BTC bounty fund should be given to the affected customers and not the bounty hunter,” said Twitter user CryptoPilot2.
Others pointed out the irony in a firm offering high-end crypto security suffering such a massive data breach. "I was about to buy your wallet and saw the news the next day,” said user illtech8.
“Your entire brand is based upon trust, and now nobody trusts you. There isn't a recovery from this.”