With scammers reaching for increasingly creative measures to steal cryptoassets, customers of hardware wallet maker Ledger are being sent fake ‘replacements’ for their devices.
A fake Ledger Nano X was allegedly sent to a Reddit user who disclosed the accompanying letter written by scammers posing as the company’s CEO Pascal Gauthier.
“As a victim of the latest Data Breach I have signed up reddit only to post this,” the user, who goes by the name of jjrand, said. “So beware guys, this is really some next level of scam attempt.”
Ledger indeed came back with a reply to the user.
“It’s a fake device, do not use it. We’ve been investigating this scheme already,” Nicolas Bacca, Co-Founder of Ledger, said. Bacca attached a link for a phishing attack warning posted May 10 this year – meaning that this scam has been making rounds for a while now.
The letter makes reference to the massive data dump Ledger had suffered last year, which it self had followed the June data breach. At the time, a database containing some 1 million email addresses of Ledger users and more than 270,000 physical addresses and phone numbers was dumped on Raidforums, a website for sharing hacked databases. This created targets out of these users for various scam attempts.
“For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe,” the letter reads. “There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again,” the scammers wrote.
The detailed-oriented Cryptoverse hasn’t failed to notice the awkward and repetitious syntax, as well as poor grammar, neither of which are staples of a professional company within their communications – but one does need to keep in mind that many users are also not native English speakers.
“Why would a CEO use the word ‘kinda’? The horrible grammar alone gives it away,” commented one Redditor who goes by the name of RFV1985.
Ledger’s user received the hardware in packaging that was at least somewhat more convincing than the letter’s contents, as indicated by the posted pictures.
The manual that came with the device encourages users to plug in the fake device to their PC, open a folder, run the featured app, and then launch the recovery phrase to import their existing wallet to the new device. Once they do this, it is most likely the scammers take over control of the real wallet and are enabled to steal the cryptocurrency it contains.
“Do not connect the device to your computer and never share your 24 [seed] words,” Ledger warned.
If you receive key management hardware in the mail that you weren’t expecting, don’t plug it into ANYTHING.
— Jameson Lopp (@lopp)