Crypto-hodlers, stay cautious. After a 2020 data breach, hardware wallet company Ledger is used in a new phishing scam.
It has come out that scammers are shipping fake hardware wallets to people whose data was gathered via a third-party data breach. The wallets contain specifically designed hardware to steal the user’s crypto once connected to the internet.
The scammers have gone through great lengths so far. First noticed in May, the scammers inserted their hardware to the housing of a Ledger Nano wallet while packaging it in a Ledger box. Most recent findings show that the thiefs add to the façade by including a sealed bag with Ledger’s logo on it, and even shrink-wrapping the box itself, to make it look as if it was never opened.
In a blog post on Thursday, Ledger explained the scam and said the counterfeit box includes a fake letter saying:
“You need to replace your existing hardware wallet to secure your funds. This is a scam. The Ledger Nano is fake.”
After connecting the flash drive with a fake Ledger app and running the malicious file, the user is then asked for their 24-word recovery phrase. This phrase will then be used to generate the wallet’s private keys, letting the scammer import your wallet and access the funds.
Ledger Chief Information Security Officer Matt Johnson commented on the matter and said:
“We are aware of this scam, which we have included in our list of ongoing malicious attacks listed on our website. You should be suspicious of receiving a free product in the mail that you didn’t order and check Ledger’s official channels or contact Ledger support team.”
Johnson continued and confirmed that Ledger and Ledger Live will never ask users to share their 24-word recovery phrase, that Ledger communicates securely through Ledger Live, never by mail or phone. He also stressed that the company would never mail anything to user without their consent.