A recent discovery by a Brazilian cybersecurity expert has uncovered a widespread supply chain scam involving fake Ledger Nano S Plus hardware wallets. These counterfeit devices, available on Chinese marketplaces, have been designed to covertly siphon cryptocurrency from about 20 different blockchains.
Details of the Sophisticated Scam
The findings, shared on Reddit by user u/Past_Computer2901, have shocked the crypto security industry, revealing a meticulously orchestrated scheme. This operation merges tampered hardware, compromised software, and cross-platform malware into a single phishing strategy.
The researcher purchased the counterfeit wallet at a price similar to the official Ledger store, with packaging and product descriptions appearing genuine. Alarm bells rang when the device failed Ledger’s Genuine Check after being connected to a legitimate Ledger Live installation, leading to a complete physical disassembly.
Inside the Counterfeit Device
Upon inspection, the deception was evident. The original secure element chip had been swapped with an ESP32-S3 microcontroller from Espressif Systems, a component unsuitable for hardware security purposes. Furthermore, the chip markings were erased to prevent identification, and the device included a WiFi/Bluetooth antenna not found in authentic Ledger units.
During boot, the device initially mimicked a genuine Ledger product but later revealed its true identity as an Espressif Systems chip. A full firmware dump showed that every entered PIN and generated seed phrase was stored in plaintext and sent to attacker-controlled servers.
Wider Implications and Protective Measures
The fraudulent firmware identified itself as “Nano S+ V2.1,” a version that does not exist in Ledger’s official firmware line, misleading users into believing the device was legitimate. The operation targeted wallets across various blockchain networks simultaneously and used a QR code to direct users to a phishing site hosting a trojanized Ledger Live app.
The fake app’s Genuine Check was hardcoded to always report success, so new crypto users were led to believe their device was authentic while the app extracted wallet data without their knowledge. The threat extended to malware for Android, Windows, macOS, and iOS, with the iOS variant distributed through Apple’s TestFlight program to bypass App Store review.
To safeguard against such scams, users are advised to purchase only from Ledger’s official website or verified resellers, and to download Ledger Live exclusively from ledger.com. Running the Genuine Check on first use is a crucial step, but only from a Ledger Live installation obtained from the official site: a trojanized app will simply report success regardless of the hardware. Any suspicious device should be reported.
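As an added illustration (not the article’s or Ledger’s code, and a deliberately simplified stand-in for Ledger’s real attestation protocol), the following Go program contrasts a cryptographic genuine check with the hardcoded one described above. The host sends a fresh nonce, the device signs it with a key the vendor certified at the factory, and the host verifies both the certification and the signature against the vendor’s root key; a swapped-in microcontroller fails because nothing it presents carries the vendor’s signature, while a trojanized app that hardcodes the result accepts any hardware. All keys and the `Device`, `Verifier` and `TrojanizedGenuineCheck` names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Device stands in for a hardware wallet's attestation material (constructed for this
// example): an attestation key pair plus a vendor signature over the public key.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	cert []byte
}

// Verifier is the host-side check; it trusts only the vendor's root public key.
type Verifier struct{ vendorRoot ed25519.PublicKey }

// NewGenuineDevice models factory provisioning: the vendor certifies the device key.
func NewGenuineDevice(vendorPriv ed25519.PrivateKey) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{pub: pub, priv: priv, cert: ed25519.Sign(vendorPriv, pub)}
}

// NewCounterfeitDevice models a swapped-in microcontroller: it can generate a key
// and sign challenges, but nothing it presents is signed by the vendor root.
func NewCounterfeitDevice() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{pub: pub, priv: priv, cert: ed25519.Sign(priv, pub)}
}

// Respond signs the host's fresh challenge, binding the proof to this session.
func (d *Device) Respond(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// GenuineCheck issues a random nonce and accepts the device only if (1) its key is
// certified by the vendor root and (2) its signature over the nonce verifies.
func (v Verifier) GenuineCheck(d *Device) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	if !ed25519.Verify(v.vendorRoot, d.pub, d.cert) {
		return false // key not certified by the vendor: counterfeit or tampered unit
	}
	return ed25519.Verify(d.pub, challenge, d.Respond(challenge))
}

// TrojanizedGenuineCheck mirrors the fake Ledger Live described above: the answer is
// hardcoded, so the device is never actually challenged and any hardware passes.
func TrojanizedGenuineCheck(_ *Device) bool { return true }
```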
This incident stands as one of the most intricate hardware wallet supply chain attacks recorded, with financial damages from the fraudulent app alone exceeding $9.5 million from over 50 victims.
