
How criminals are targeting Ledger users

Jun 2, 2025

With over 8 million Ledger devices sold since the company was founded in 2014 (shortly after Trezor pioneered hardware wallets for crypto cold storage), it is no wonder that criminals are trying to extract funds from people who hold their crypto assets on these devices.

There has been a spate of physical kidnappings and in-person attacks on crypto holders aimed at getting at their funds, some of which will have been held on hardware devices, but criminals are attacking through digital channels too.

Malware

Moonlock Labs has been tracking four different malware campaigns that target Ledger Live users. The aim is to get users to download a malicious version of the Ledger Live app, which then shows a fake “critical error” message. The supposed fix is either to enter your seed phrase or to install a Ledger Live “update” that is actually a malicious payload. Neither action fixes any error or unlocks exciting new features: whoever holds the seed phrase controls the wallet, so doing this is a critical mistake and any funds in that account are drained to the attacker sharpish. Neither the genuine Ledger Live app nor Ledger support ever asks for your recovery phrase; any prompt to type it into a computer or website is a scam.


https://x.com/moonlock_lab/status/1902381331490738345

A user on Reddit reported another malware-linked Ledger Live technique, where the malware tried to rush him into connecting and updating his Ledger device. Luckily a spelling mistake and the un-Ledger-like tone of voice prompted him to run anti-virus software on his computer, and he discovered the malware before he connected his hardware device!


Criminals push these malicious app versions via download sites and app stores, or hide them as a payload inside other packages that the user installs. In some of the campaigns Moonlock examined, the malicious version even uninstalled the real Ledger Live so that it appeared as the ‘only’ copy on the machine. The safe path is to download Ledger Live only from ledger.com and to treat any “update” that arrives by pop-up, email or unsolicited download as suspect.


Phishing Website

However, it is not just malicious versions of the app that Ledger users need to guard against. As in every corner of the crypto industry, scammers put up phishing sites to trick users into entering sensitive details. These may use spoofed domains that closely match the real one (a swapped letter, a lookalike character, an extra word such as “support” or “security”), or pose as offshoots of the real site, e.g. security sections or verification pages.


Phishing Emails, Letters and Calls

It wasn’t long ago that I had a very convincing call from a crypto scammer, and a friend (who’s not involved in the crypto space at all) has had several scam Coinbase texts in the last few months, so phishing calls and texts are definitely on the rise.

Many try to induce panic by claiming that a withdrawal has been made and pushing you to contact support if it wasn’t you. No withdrawal has been made, and this is not the real support team. It is a scammer looking to hook you in and then steal your funds by tricking you out of your account credentials or seed phrase. Never use a phone number or link supplied in the message; if you are worried, go to the official website yourself.

One example sent to a US Ledger user recently read: “Your Ledger Recover application has been completed successfully. REF: R771 if this was NOT you contact support on +18053318124 immediately.”

“First guy from the support team to explain that my Ledger had been reset and my personal details in the hands of hackers. The second phone call was from the security guy who then attempted to get me to enter a website. He wanted me to verify an email address or something. They had all of my personal information like name, email address and phone. To sum up the conversation it was ‘your Ledger account has been breached, transfer the funds out to another secure wallet in the next 4 to 6 hours or the account will be brute forced and drained by the unknown hackers.’”

And always keep an eye out for scammers using similar-looking email domains:

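The spoofed domains described in the phishing-website section and the similar-looking email domains above follow a few repeatable patterns, so they can be checked mechanically. The script below is an added example written for this article, not Ledger’s code or anything from the campaigns discussed. It flags typosquats (ledqer.com), homoglyph and digit swaps (1edger.com, ledger.corn, lédger.com and its punycode form) and the brand stuffed into a subdomain or an unrelated registrable domain (ledger.com.security-verify.xyz), and it catches the brand hiding in the user-info part of a URL. All sample senders and hosts are constructed; the confusable table is a small hand-picked one, and the “last two labels” shortcut for the registrable domain is a simplification that production code should replace with the Public Suffix List.

```python
"""Lookalike-domain check for the Ledger phishing patterns above.

Constructed example for this article, not Ledger's code. Heuristics only:
the "last two labels" registrable-domain shortcut should be replaced with
the Public Suffix List in production, and the confusable table is tiny.
"""
import unicodedata
from urllib.parse import urlparse

LEGIT_DOMAIN = "ledger.com"
BRAND = "ledger"

# Small, hand-picked confusable table (constructed; real lists are far larger).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_domain(host: str) -> str:
    """Return the last two labels (simplification: no Public Suffix List)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def normalize_host(host: str) -> str:
    """Decode punycode, strip accents and fold digit/letter lookalikes."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as-is
    decomposed = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in decomposed if not unicodedata.combining(c))
    for lookalike, letter in CONFUSABLES.items():
        host = host.replace(lookalike, letter)
    return host


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the full DP table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(target: str) -> str:
    """Classify an email address, bare host or URL as legit, lookalike or unrelated."""
    target = target.strip()
    if "@" in target and "://" not in target:      # email address: keep the domain part
        target = target.rsplit("@", 1)[1]
    parsed = urlparse(target if "://" in target else "//" + target)
    raw_host = (parsed.hostname or "").rstrip(".")
    if registrable_domain(raw_host) == LEGIT_DOMAIN:
        return "legit"                              # ledger.com or a true subdomain of it
    # https://ledger.com@evil.xyz/ puts the brand in the user-info, not the host
    if BRAND in (parsed.username or "").lower():
        return "lookalike"
    host = normalize_host(raw_host)
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return "lookalike"                          # only matched after folding homoglyphs
    if levenshtein(reg, LEGIT_DOMAIN) <= 2:
        return "lookalike"                          # typosquat within two edits
    if BRAND in host:
        return "lookalike"                          # brand in a subdomain or another domain
    return "unrelated"


def scan(samples):
    """Return [(sample, verdict), ...] for a list of senders, hosts or URLs."""
    return [(s, classify(s)) for s in samples]


if __name__ == "__main__":
    # Constructed samples, not real sender data from the article.
    SAMPLES = [
        "support@ledger.com",
        "https://www.ledger.com/start",
        "noreply@ledger.corn",
        "1edger.com",
        "ledqer.com",
        "https://ledger.com.security-verify.xyz/recover",
        "ledgersupport-recover.net",
        "https://ledger.com@evil-host.xyz/login",
        "trezor.io",
    ]
    for sample, verdict in scan(SAMPLES):
        print(f"{verdict:10} {sample}")
```

The order of the checks matters: the raw host is compared first so that a real subdomain such as support.ledger.com passes, and only then is the homoglyph-folded form compared, so ledger.corn (which folds to ledger.com) is reported as a lookalike rather than as legitimate. A verdict of “legit” here only means the registrable domain is ledger.com; it says nothing about whether the page content or the certificate is genuine.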

But one angle that might surprise you is scammers sending actual letters, pieces of paper through the post. Very analog. These are intended to have a more legitimate air, since it is typically council tax, electricity bills and other official things that arrive by post, plus a few takeaway leaflets and promos. The letters aim to direct recipients to phishing websites or to download a malicious app. Scammers may be sending them to addresses from leaked data (such as the 2020 Ledger data breach, which exposed the postal addresses of over 270,000 customers) or blanket-targeting homes. As long as you don’t follow the instructions, you can rest easy knowing that they wasted the postage and got none of your assets!


NFTs

It’s not 2022 anymore, but NFTs are still a bit of a thing, and scammers are still using them to try to steal Ledger-held assets! They send an NFT to your address with metadata claiming that you have won some sort of prize or can claim rewards. The accompanying link leads to a phishing site that pushes you to connect your wallet, or to a Ledger Live-specific phishing page. One user recently reported losing all of the BTC and ETH they had held since 2018 to just such an attack: “… In the end I got really tired and started opening the scam links, where I entered my seed phrase to ‘connect’ to Ledger. I immediately realised what I f*up. I couldn’t even stop the transactions since they were confirmed in 10 minutes. All gone.”

One example NFT that a Ledger user received directed them to this website:


A classic connect-your-wallet-and-lose-your-assets phishing website!

Socials

And of course, always watch out for customer-support impersonators on Twitter and beyond. They lurk in the replies of any user who posts about an issue with their Ledger device, ready to lure them into a DM where they will inevitably claim that the solution is to provide your seed phrase! 🤦


Fake Devices

One I have been warning about for years is the risk of using a tampered-with Ledger device. This is especially relevant for anyone buying a second-hand hardware wallet, or buying from an unauthorised store, even Amazon!

An example of this risk is the fake devices that were sent to real Ledger customers following the 2020 Ledger data leak, accompanied by letters claiming they were ‘replacement devices’ from the company itself and advising users to transfer their funds onto these ‘safe’ devices.


However, they were not safe. They had been tampered with to include an embedded flash drive on the back, and any user who moved funds onto one would soon find the funds gone!


Another cautionary tale from the BitcoinTalk forum is of a user who bought a second-hand Ledger device on eBay. When it arrived it came with unofficial-looking set-up instructions that advised messaging a phone number to ‘activate’ the device; after the user did, they were sent a seed phrase to enter into the device. Of course, if you are not the only person with access to that phrase, you are not the only person who can move those funds, so this was a scam! A genuine device generates a fresh recovery phrase on its own screen during setup; a seed phrase that arrives from anyone else, on paper or by text, is compromised from the start.

Stay safe out there if you’re storing your funds on a Ledger device.

Originally published at https://www.linkedin.com.
