scammers have been mailing altered Ledger devices to steal crypto

Scammers have been mailing altered replacement devices to Ledger customers revealed in a recent data breach. These are then used to steal cryptocurrency wallets.

Made by Ledger, a company based in Paris,France – Ledger wallets are hardware crypto wallets used to store private keys offline for cryptocurrencies.

Ledger has been a well known target by scammers presently with the rising cryptocurrency prices and the prevalence of hardware wallets to secure crypto funds.

Posted on Reddit, a Ledger user shared a dubious scam after receiving what looks similar to a Ledger Nano X device in the mail.


packaged altered Ledger device with a fake letter (source: reddit)

It can be seen from the image above that the device came in a genuine looking packaging, but with a badly written letter justifying that the device was sent to substitute their existing one as their customer details were disclosed online on the RaidForum hacking forum. The letter reads, “We have sent you a new device you must switch to a new device to stay safe.”

Although the letter contains a lot of grammatical errors and looks obviously fake, as a matter of fact, the data breach actually happened with 272,853 Ledger users on the RaidForum hacking forum in December 2020. This fact made the sending of a new device slightly convincing.

The package also had a shrink-wrapped Ledger Nano X box that included a legitimate looking device.


shrink-wrapped ledger nano x box (source: reddit)

After becoming suspicious of the sketchy device, they opened it and posted photos of the Ledger’s printed circuit board on Reddit that evidently show the device was altered.


front of fake Ledger hardware device (source: reddit)


front of authentic Ledger hardware device (source: ledger)

Looking at the photos, security researcher and offensive USB cable/implant expert Mike Grover, also known as  MG, told the user BleepingComputer that the scammers wired a flash drive to the USB connector. He further said that it seems to be merely a flash drive attached to the Ledger for malware delivery purposes.

In the images below, one can clearly see the difference between a fake Ledger hardware wallet and an authentic one.


fake ledger device (source: reddit)


real ledger device (source: ledger)

The instructions that came with the fake device told the user to connect the Ledger to their computer, open a drive that shows up, and then run the application. Then the instructions required the person to enter their Ledger recovery phrase so that their new device could have the imported wallet.


instructions that came with the altered device (source: reddit)

A recovery phrase is a seed that can be read by humans and is used to generate a particular wallet’s private key. Anyone who has this recovery phrase can import a wallet and have access to the crypto it incorporates.

The when the recovery phrase is entered, it is sent to the scammers, who then use it to import the victim’s wallet on their own devices to steal the included crypto funds.

Ledger is well aware of this con trick and has posted cautions regarding this in May on their dedicated phishing page.

As usual, Ledger recovery phrases should in no case be told or discussed with anyone and should be only entered directly on the device that you’re trying to get back. If the benefit of entering the phrase directly isn’t offered by the device, you should make use of only the Ledger Live application downloaded directly from Ledger.com.

In 2018, security researchers demonstrated different ways that could be used to compromise hardware cryptocurrency wallets, consisting of the Ledger Nano S, Ledger Blue, and Trezor One devices.

The number of these scams increased as the contact information for 270,000 owners of Ledger was displayed on the RaidForums hacker forum back in December 2020.

This very fact has in turn led to phishing scams claiming to be more Ledger data breach notifications, SMS phishing texts, and software upgrades on sites pretending to be Ledger.com.

Every Ledger user is advised to be wary of any unsolicited email, package, or text asserting to be in relation with their hardware devices.