Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
ACSC Warns of Large-Scale CMS Exploitation Campaign Deploys Webshells on Vulnerable Websites
July 9, 2026
GodDamn Ransomware Rebrands From Beast and Uses PoisonX Driver to Disable Defenses
July 9, 2026
RedHook Android RAT Abuses ADB Wireless Debugging to Gain Shell-Level Access
July 9, 2026
Home/CyberSecurity News/Beware Fake Ledger Wallets on Chinese Marketplaces Stealing Crypto Seeds and PINs
CyberSecurity News

Beware Fake Ledger Wallets on Chinese Marketplaces Stealing Crypto Seeds and PINs

Key Takeaways A sophisticated supply chain attack is targeting cryptocurrency users with counterfeit Ledger hardware wallets. The fake devices, sold on Chinese marketplaces, steal PINs and seed...

Jennifer sherman
Jennifer sherman
April 17, 2026 3 Min Read
45 0

Key Takeaways

  • A sophisticated supply chain attack is targeting cryptocurrency users with counterfeit Ledger hardware wallets.
  • The fake devices, sold on Chinese marketplaces, steal PINs and seed phrases by replacing authentic secure elements with generic microcontrollers.
  • The scam also employs trojanized Ledger Live software distributed via phishing sites and various app platforms, including Apple TestFlight.
  • Ledger’s legitimate “Genuine Check” can detect these fakes, but only when using the official Ledger Live application downloaded from ledger.com.

A complex, large-scale supply chain attack targeting cryptocurrency enthusiasts has been uncovered, involving highly convincing counterfeit Ledger hardware wallets. A Brazilian cybersecurity researcher, identified on Reddit as u/Past_Computer2901, exposed the elaborate scheme, which integrates tampered hardware, malicious software, and cross-platform malware distribution into a unified phishing operation.

Table Of Content

  • Key Takeaways
  • The Deceptive Hardware
  • The Malicious Software Ecosystem
  • What You Should Do

The Deceptive Hardware

The researcher acquired one of these counterfeit devices from a Chinese marketplace at a price comparable to an official Ledger store. The packaging and product listings meticulously mimicked genuine Ledger products, making initial identification difficult. However, suspicion arose when the device failed Ledger’s integrated “Genuine Check” upon connection to a legitimate installation of Ledger Live. This prompted a detailed physical examination of the device.

The internal analysis revealed the extent of the deception. The authentic secure element chip, crucial for hardware wallet security, had been replaced with an ESP32-S3 microcontroller, a standard IoT component manufactured by Espressif Systems in Shanghai. This chip has no legitimate function within a secure hardware wallet. To conceal its identity, the chip’s markings had been physically removed, and the device contained a WiFi/Bluetooth antenna, a feature absent in genuine Ledger Nano S Plus units.

During its initial boot sequence, the compromised chip temporarily spoofed itself as a legitimate Ledger product. However, once the boot process completed, it exposed its true origin as an Espressif Systems component. A subsequent firmware dump confirmed the most critical vulnerability: every PIN entered and seed phrase generated on the device was stored in plaintext and immediately transmitted to attacker-controlled command-and-control (C2) servers, including the domain kkkhhhnnn[.]com.

The fake firmware was branded “Nano S+ V2.1,” a version that does not exist in Ledger’s official firmware releases, designed to create a false sense of authenticity. This sophisticated operation was engineered to compromise wallets across approximately 20 different blockchain networks simultaneously.

The Malicious Software Ecosystem

Beyond the tampered hardware, the scam extended to a comprehensive software component. The counterfeit device included a QR code in its packaging that, instead of directing users to ledger.com, led them to a cloned phishing website. From this site, victims were instructed to download a trojanized version of the Ledger Live application.

This malicious application featured a hardcoded “Genuine Check” that invariably reported a successful authentication, ensuring that unsuspecting first-time cryptocurrency users would receive no warning about their compromised device. The fake app, which lacked proper digital signing, silently exfiltrated wallet data the moment it was used. This malicious campaign has already resulted in confirmed financial losses exceeding $9.5 million across more than 50 victims from the fake app component alone.

The scope of this operation is extensive, with threat actors deploying malware across various platforms, including Android, Windows, macOS, and iOS. Notably, the iOS variant was distributed through Apple’s TestFlight program, allowing it to circumvent standard App Store review processes. Infrastructure analysis revealed three C2 servers, a cloned website, and a QR code redirect chain, all registered under a shell company based in Shanghai.

It is important to note that Ledger’s official cryptographic “Genuine Check” is effective at detecting these counterfeit devices, but only when used with the authentic Ledger Live application downloaded directly from ledger.com. The scam’s success relies entirely on preventing victims from interacting with the legitimate Ledger ecosystem. The researcher has submitted a detailed technical report to Ledger’s security team, and further analysis is anticipated following their review.

What You Should Do

  • Purchase Ledger devices exclusively from Ledger’s official website or verified authorized resellers. Avoid third-party Chinese marketplaces or auction sites.
  • Download Ledger Live software solely from ledger.com. Never use QR codes found inside product packaging to obtain software.
  • Always perform the “Genuine Check” immediately upon first connecting any new hardware wallet.
  • Be wary of any firmware version not listed on Ledger’s official changelog; treat it as a critical red flag.
  • Report any suspicious devices or activities to Ledger’s security team at [email protected].

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCybersecurityMalwarephishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Critical Hugging Face Vulnerability CVE-2026-39987 Lets Attackers Spread Backdoors

Next Post

Fake Zoom SDK Update Delivers Sapphire Sleet Malware to macOS

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical Roundcube 0-Click Vulnerability Lets Attackers Inject Stored XSS
July 9, 2026
Critical Microsoft Entra ID Flaw Lets Attackers Hijack Accounts
July 9, 2026
Critical Linux Kernel Flaw Allows Root Access via DRM Render Nodes
July 9, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us