Beware Fake Ledger Wallets on Chinese Marketplaces Stealing Crypto Seeds and PINs
Key Takeaways A sophisticated supply chain attack is targeting cryptocurrency users with counterfeit Ledger hardware wallets. The fake devices, sold on Chinese marketplaces, steal PINs and seed...
Key Takeaways
- A sophisticated supply chain attack is targeting cryptocurrency users with counterfeit Ledger hardware wallets.
- The fake devices, sold on Chinese marketplaces, steal PINs and seed phrases by replacing authentic secure elements with generic microcontrollers.
- The scam also employs trojanized Ledger Live software distributed via phishing sites and various app platforms, including Apple TestFlight.
- Ledger’s legitimate “Genuine Check” can detect these fakes, but only when using the official Ledger Live application downloaded from
ledger.com.
A complex, large-scale supply chain attack targeting cryptocurrency enthusiasts has been uncovered, involving highly convincing counterfeit Ledger hardware wallets. A Brazilian cybersecurity researcher, identified on Reddit as u/Past_Computer2901, exposed the elaborate scheme, which integrates tampered hardware, malicious software, and cross-platform malware distribution into a unified phishing operation.
Table Of Content
The Deceptive Hardware
The researcher acquired one of these counterfeit devices from a Chinese marketplace at a price comparable to an official Ledger store. The packaging and product listings meticulously mimicked genuine Ledger products, making initial identification difficult. However, suspicion arose when the device failed Ledger’s integrated “Genuine Check” upon connection to a legitimate installation of Ledger Live. This prompted a detailed physical examination of the device.
The internal analysis revealed the extent of the deception. The authentic secure element chip, crucial for hardware wallet security, had been replaced with an ESP32-S3 microcontroller, a standard IoT component manufactured by Espressif Systems in Shanghai. This chip has no legitimate function within a secure hardware wallet. To conceal its identity, the chip’s markings had been physically removed, and the device contained a WiFi/Bluetooth antenna, a feature absent in genuine Ledger Nano S Plus units.
During its initial boot sequence, the compromised chip temporarily spoofed itself as a legitimate Ledger product. However, once the boot process completed, it exposed its true origin as an Espressif Systems component. A subsequent firmware dump confirmed the most critical vulnerability: every PIN entered and seed phrase generated on the device was stored in plaintext and immediately transmitted to attacker-controlled command-and-control (C2) servers, including the domain kkkhhhnnn[.]com.
The fake firmware was branded “Nano S+ V2.1,” a version that does not exist in Ledger’s official firmware releases, designed to create a false sense of authenticity. This sophisticated operation was engineered to compromise wallets across approximately 20 different blockchain networks simultaneously.
The Malicious Software Ecosystem
Beyond the tampered hardware, the scam extended to a comprehensive software component. The counterfeit device included a QR code in its packaging that, instead of directing users to ledger.com, led them to a cloned phishing website. From this site, victims were instructed to download a trojanized version of the Ledger Live application.
This malicious application featured a hardcoded “Genuine Check” that invariably reported a successful authentication, ensuring that unsuspecting first-time cryptocurrency users would receive no warning about their compromised device. The fake app, which lacked proper digital signing, silently exfiltrated wallet data the moment it was used. This malicious campaign has already resulted in confirmed financial losses exceeding $9.5 million across more than 50 victims from the fake app component alone.
The scope of this operation is extensive, with threat actors deploying malware across various platforms, including Android, Windows, macOS, and iOS. Notably, the iOS variant was distributed through Apple’s TestFlight program, allowing it to circumvent standard App Store review processes. Infrastructure analysis revealed three C2 servers, a cloned website, and a QR code redirect chain, all registered under a shell company based in Shanghai.
It is important to note that Ledger’s official cryptographic “Genuine Check” is effective at detecting these counterfeit devices, but only when used with the authentic Ledger Live application downloaded directly from ledger.com. The scam’s success relies entirely on preventing victims from interacting with the legitimate Ledger ecosystem. The researcher has submitted a detailed technical report to Ledger’s security team, and further analysis is anticipated following their review.
What You Should Do
- Purchase Ledger devices exclusively from Ledger’s official website or verified authorized resellers. Avoid third-party Chinese marketplaces or auction sites.
- Download Ledger Live software solely from ledger.com. Never use QR codes found inside product packaging to obtain software.
- Always perform the “Genuine Check” immediately upon first connecting any new hardware wallet.
- Be wary of any firmware version not listed on Ledger’s official changelog; treat it as a critical red flag.
- Report any suspicious devices or activities to Ledger’s security team at [email protected].
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.