It appears scammers have come up with a new Ledger hardware scam: sending fake devices to customers whose data was exposed in the December 2020 data leak, which published the personal details of over 270,000 customers on RaidForums, a forum frequented by hackers.
In a post which appeared on Reddit, one user shared the scam after receiving what appeared to be a Ledger Nano X in the mail, without asking for it. Although the device came in official-looking, shrink-wrapped packaging liveried with official Ledger logos, it appears the scammers were let down by poor grammar.
The accompanying letter explaining why the user had been sent the device was riddled with spelling errors and poor grammar, which made the user suspicious, in that it somewhat resembled the Nigerian Prince scam.
“For this reason for security purposes, we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device……For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”
Fake letter accompanying fake devices in Ledger hardware scam
The fake instructions asked the user to connect the device to their computer and open the application which appeared in the pop-up box, which then requests the recovery (seed) phrase to import their wallet to the new device. Needless to say, the application likely uses the unsuspecting victim's own internet connection to send the seed phrase to the hackers, who would then presumably drain the wallet of funds.
After their suspicions were raised, the user opened up the device and compared it to a real Nano device, and shared the images online. One security expert told BleepingComputer that it appeared a flash drive had been wired to the USB connector, and panned the soldering as “novice”.
The company has said it is aware of the Ledger hardware scam, and posted warnings back in May on the dedicated phishing page on its website. It also reminds customers that since the data breach in late 2020 it has seen a number of phishing scams, including malicious software ‘upgrades’ on fake sites and SMS messages being sent to customers in an attempt to steal their funds.
TL;DR – If you receive a Ledger device in the post that you haven’t asked for, don’t use it. Period.