Would-be hackers are still sending fake devices to crypto users affected by last year’s Ledger data leak, reports Bleeping Computer.
French crypto wallet maker Ledger previously warned customers of an “aggressive phishing campaign” following the leak. It seems those efforts persist.
One recipient recently shared images of a suspect device to Reddit, warning others of the sophisticated scam to phish crypto via the mail.
Fraudsters included a clumsily written letter purportedly signed by Ledger’s chief exec Pascal Gauthier. The note claimed the device was a replacement Ledger in response to the data breach.
“I have got a package from Ledger although I did not order one,” wrote the Redditor. “Inside the package, there is a brand new Ledger X and the letter attached.”
“As a victim of the latest Data Breach I have signed up reddit [sic] only to post this. Maybe someone from the company can confirm or deny it.”
The poster updated the post to say they’d opened the device and could see it had been tampered with.
- Last July, Ledger claimed it lost control of sensitive info related to 9,500 of its customers.
- Email addresses of over 1 million Ledger users were posted to RaidForums in December.
- More detailed data of 272,000 customers (names, mailing addresses, and phone numbers) were also leaked.
The fake devices were tagged with instructions directing the recipient to connect the phoney Ledger to their computer. It would then run pre-loaded software, most likely malware.
Dodgy-USB expert Mark Grover told Bleeping Computer: “This seems to be a simple flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery.”
Grover highlighted that the fraudsters employed “novice soldering” to attach a basic USB storage drive to the Ledger USB port.
Users were also prompted to enter their 24-word recovery phrase to import their old Ledger wallet — this is how the hackers would get their hands on their mark’s crypto.
Paris-based Ledger first notified the public of the fake device scam in April. A report from March details a similar ploy, in which a prospective user bought a fake Ledger on Amazon.
Ledger leak causes prolonged headaches
While Ledger customers continue to deal with the fallout of the data leak, the company itself is facing legal repercussions.
In April, two phishing victims lodged a class action lawsuit against Ledger and Shopify (the latter processed the company’s online payments).
According to court docs, fraudsters have even pretended to represent the Stellar Lumin Foundation in a bid to steal crypto from Ledger users.
Earlier this year, Ledger offered a 10 BTC bounty ($321,000) for information that led to the capture of its hacker(s).