The consequences of Ledger’s major data breach continue to be felt almost a year later. One contributor to the r/Ledgerwallet forum on Reddit, writing under the tag u/jjrand and self-identified as one of those affected by the breach, has posted images of what appears to be a fake Ledger Nano X wallet received in the mail.
Wrapped in seemingly authentic packaging, the device nonetheless included several tell-tale signs that sparked the contributor’s suspicion. Most jarringly, the package came together with a poorly written letter claiming to be signed by Ledger CEO Pascal Gauthier, telling its recipient:
“For security purposes we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”
Aside from the letter, u/jjrand also received a fake manual, enclosing instructions regarding how to use the device and, crucially, asking that the user enter their private Ledger recovery phrase to connect their cryptocurrency wallet to the new hardware. On the basis of further images showing the device’s circuit board uploaded to Reddit, security researcher Mike Grover told BleepingComputer that the fake device was tampered with:
“This seems to be a simply flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery. All of the components are on the other side, so I can’t confirm if it is JUST a storage device, but [...] judging by the very novice soldering work, it’s probably just an off the shelf mini flash drive removed from its casing.”
Grover highlighted a section of the back of the device, showing the flash drive implant and noting that “those 4 wires piggyback the same connections for the USB port of the Ledger.”
On the basis of Grover and BleepingComputer's analysis, it appears that the heist is designed to intercept the user’s entered recovery phrase in order to reroute the details to a device controlled by the scammers, which they can then use to steal the associated cryptocurrency holdings.
In an online post dated May 10 but not cited by u/jjrand, Ledger had already warned customers against the fake letter and device, stating that:
“The fake user guide in the Nano’s box asks the user to connect the device to a computer. To initialize the device, the user is then asked to enter his 24 words in a fake Ledger Live application. This is a scam. Do not connect the device to your computer and never share your 24 words. Ledger will never ask you to share your 24-word recovery phrase.”
The warning is thus included as part of Ledger’s online list of phishing campaigns of which the company is aware. Ledger told Cointelegraph that it is trying to alert its customers – especially those whose leaked details may leave them more susceptible to falling for similar ruses – about the risks they continue to face. In an email, a company representative said that:
"We communicated several times to our customer base to explain to them what happened with the data leak in 2020 and how they could protect themselves via email, social media communications and we regularly participate to AMAs, podcasts and conferences to give all the tools to avoid being trapped in scams and phishing attempts."
As previously reported, other consequences of the data leak have included Ledger users receiving emails from extortionists threatening physical violence or other criminal attacks. The original data breach had occurred in June and July 2020 and included 1,075,382 email addresses from users subscribed to the Ledger newsletter. It notably also involved the leak of personal information (including home addresses) associated with 272,853 hardware wallet orders.