A cybersecurity researcher discovered sophisticated counterfeit Ledger hardware wallets designed to steal cryptocurrency. A fake device purchased from a marketplace listing contained a different chip, WiFi capabilities, and firmware that stores PINs and seed phrases in plaintext. The scam involves a cloned website and malicious apps that siphon user data to attacker-controlled servers, representing a coordinated phishing operation, not a flaw in genuine Ledger security.
A cybersecurity researcher purchased a supposed Ledger hardware wallet from a marketplace listing priced like the official product. The counterfeit device failed the Genuine Check in Ledger Live, prompting an internal investigation.
The researcher found a different chip inside, identified as an ESP32-S3 microcontroller fitted with a WiFi antenna, which genuine models do not have. The firmware stored user PINs and seed phrases in unencrypted plaintext and contained hardcoded links to external servers.
The attack relies on victims scanning a QR code from the packaging, which leads to a cloned ledger.com website. Users are then directed to download a fake Ledger Live application for their device.
This malicious app shows a fake Genuine Check that always passes while secretly sending seed phrases to attackers. The researcher stated the decompiled Android app also requested location permissions and monitored wallet balances.
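Why a "Genuine Check" rendered by an attacker-supplied app is worthless is easiest to see in code. The following Go program is an added illustration, not Ledger's protocol or the researcher's code: it models a genuine device that answers a fresh random challenge with a signature under a manufacturer attestation key, a counterfeit that signs with a key of its own, a trusted checker that verifies against a pinned manufacturer public key, and a fake checker like the trojanized app's that reports "genuine" unconditionally. All device and key names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device is a hypothetical attestation interface: the verifier sends a fresh
// challenge and the device returns a signature over it.
type Device interface {
	Attest(challenge []byte) []byte
}

// genuineDevice holds a private key whose public half the manufacturer publishes.
type genuineDevice struct{ priv ed25519.PrivateKey }

func (d genuineDevice) Attest(c []byte) []byte { return ed25519.Sign(d.priv, c) }

// counterfeitDevice (constructed for this example) produces well-formed
// signatures, but under a key the manufacturer never issued.
type counterfeitDevice struct{ priv ed25519.PrivateKey }

func (d counterfeitDevice) Attest(c []byte) []byte { return ed25519.Sign(d.priv, c) }

// NewGenuineDevice returns the manufacturer's published public key and a device
// holding the matching private key (generated here for the demonstration).
func NewGenuineDevice() (ed25519.PublicKey, Device) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, genuineDevice{priv: priv}
}

// NewCounterfeitDevice returns a device with its own, unrelated key pair.
func NewCounterfeitDevice() Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return counterfeitDevice{priv: priv}
}

// TrustedGenuineCheck is what a legitimate companion app must do: pick a fresh
// random challenge (so a recorded answer cannot be replayed) and verify the
// device's signature against a public key pinned in software the user obtained
// from a trusted source, not from a QR code on the box.
func TrustedGenuineCheck(manufacturerKey ed25519.PublicKey, d Device) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig := d.Attest(challenge)
	return ed25519.Verify(manufacturerKey, challenge, sig)
}

// FakeGenuineCheck models the trojanized app described in the article: it never
// consults the device and always reports success.
func FakeGenuineCheck(d Device) bool { return true }

func main() {
	manufacturerKey, real := NewGenuineDevice()
	fake := NewCounterfeitDevice()

	fmt.Println("trusted check, genuine device:    ", TrustedGenuineCheck(manufacturerKey, real))
	fmt.Println("trusted check, counterfeit device:", TrustedGenuineCheck(manufacturerKey, fake))
	fmt.Println("fake app check, counterfeit device:", FakeGenuineCheck(fake))
}
```

The point the program makes is that the trust anchor is the verifying software and its pinned key, not the green tick on screen: if the attacker controls the app doing the check, the device's chip and firmware are irrelevant to the result, which is why the scam routes victims to a cloned site to fetch the app in the first place.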
The researcher confirmed this is not a security flaw in genuine Ledger devices, which passed their checks. This operation is a phishing scheme combining counterfeit hardware, trojanized apps, and command-and-control infrastructure.
A full technical report analyzing Windows, macOS, and iOS malware variants is being prepared. Similar fake devices have been reported previously, including one containing a hidden flash drive for malware delivery.
