The results of Ledger’s main data breach proceed to be felt virtually a yr later. One contributor to the r/Ledgerwallet discussion board on Reddit, writing beneath the tag u/jjrand and self-identified as one of these affected by the breach, has posted pictures of what seems to be a fake Ledger Nano X pockets obtained within the mail.
Wrapped in seemingly genuine packaging, the machine nonetheless included a number of tell-tale indicators that sparked the contributor’s suspicion. Most jarringly, the package deal got here along with a poorly written letter claiming to be signed by Ledger CEO Pascal Gauthier, telling its recipient:
“For security purposes we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”Field containing allegedly fraudulent Ledger machine, obtained by reddit consumer u/jjrand. Supply: RedditRip-off letter purportedly written and signed by Ledger CEO Pascal Gauthier. Supply: Reddit
Except for the letter, u/jjrand additionally obtained a fake handbook, enclosing directions concerning how to use the machine and, crucially, asking that the consumer enter their personal Ledger restoration phrase to join their cryptocurrency pockets to the brand new hardware. On the premise of additional pictures displaying the machine’s circuit board uploaded to Reddit, safety researcher Mike Grover advised BleepingComputer that the fake machine was tampered with:
“This seems to be a simply flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery. All of the components are on the other side, so I can’t confirm if it is JUST a storage device, but […] judging by the very novice soldering work, it’s probably just an off the shelf mini flash drive removed from its casing.”
Grover highlighted a piece of the again of the machine, displaying the flash drive implant and noting that “those 4 wires piggyback the same connections for the USB port of the Ledger.”
On the premise of Grover and BleepingComputer’s evaluation, it seems that the heist is designed to intercept the consumer’s entered restoration phrase so as to reroute the small print to a tool managed by the scammers, which they’ll then use to steal the related cryptocurrency holdings.
Associated: Ledger data leak: A ‘simple mistake’ uncovered 270K crypto pockets patrons
In a web based submit dated Could 10 however not cited by u/jjrand, Ledger had already warned clients towards the fake letter and machine, stating that:
“The fake user guide in the Nano’s box asks the user to connect the device to a computer. To initialize the device, the user is then asked to enter his 24 words in a fake Ledger Live application. This is a scam. Do not connect the device to your computer and never share your 24 words. Ledger will never ask you to share your 24-word recovery phrase.”
Whereas the warning is included as half of Ledger’s on-line listing of phishing campaigns of which the corporate is conscious, it’s unclear whether or not the corporate has reached out to customers immediately, particularly these whose leaked particulars could go away them extra vulnerable to falling for the ruse.
Cointelegraph has reached out to Ledger for remark and can replace this text with additional data concerning this concern.
As beforehand reported, different penalties of the data leak have included Ledger customers receiving emails from extortionists threatening bodily violence or different legal assaults. The unique data breach had occurred in June and July 2020 and included 1,075,382 e-mail addresses from customers subscribed to the Ledger publication. It notably additionally concerned the leak of private data (together with house addresses) related to 272,853 hardware pockets orders.