LedgerHelp SCAM!

[Lucius]

Someone is pretending as LedgerHelp on Reddit and posting link to fake tool for seed checking, and we all know that seed words should be only entered in Ledger device or in some other (trusted) hardware wallet. In case that you lost or damaged your hardware wallet and you need to access your coins, there is option to use some other wallets (Electrum), or to download Ian Coleman's Recovery Tool and use it offline on clean device to recover private keys from seed.

Do not trust any link posted here, on Reddit, Telegram, Twitter or any social media - use only official site and check every link.

https://www.reddit.com/r/ledgerwallet/comments/cf5gfe/ledgerhelp_scam_attempt_everyone_be_careful_never/

[bitmover]

Someone is pretending as LedgerHelp on Reddit and posting link to fake tool for seed checking, and we all know that seed words should be only entered in Ledger device or in some other (trusted) hardware wallet.

This. Pasting or writing your seed anywhere but in the ledger device or in a piece of paper defeats the whole purpose of a hardware wallet. The idea is to keep your 24 seed always offline, away from any online environment

This scam attempt is very dangerous as it really looks like to be legit (from www.ledger.com website).
It is sad to see scammers attempting to exploit user's lack of knowledge...

[o_e_l_e_o]

It would seem the account in question has been banned, and the fake link they were sharing has also been taken down. It was just a throwaway account and web hosting though, so I have little doubt the same scam will show up again. There's at least one post on reddit of someone having fallen for this scam. Sounds like the user in question was storing his seed electronically and just "pasted" it in to the fake website.

Your seed phrase should always be on paper only. If you have to enter your seed phrase in to any electronic device for any reason, the safest course of action is to immediately consider it compromised and transfer all your funds out to a new wallet.

[Pmalek]

Thanks for the warning!

The only official reddit site for Ledger as shown on their web site is: https://www.reddit.com/r/ledgerwallet/
No other site should be accessed or trusted, especially one that is asking for your seed words, pins or other private information.

Always contact support when in doubt before making any decisions that might lead to the loss of funds.
https://support.ledger.com/hc/en-us

[bL4nkcode]

I hope there's no one who got fooled and stolen their funds. This is really dangerous scam attempt, tho I'm sure if the link is hovered the phishing link will be seen. That's why every HW users must know the basics and fundamentals on how and what software(s) or websites HW users should use to protect their seed and assets.

[Lucius]

It seems that this attack does have success, at least with some very naive users who click on this link and enter their seed in that hacker tool. I am not sure what Ledger or anyone else shoud do to prevent people to do such stupid things, maybe Ledger should put notice in every package "Do not enter your seed words anywhere except in your hardware wallet", and all that on white paper with big red letters.

I cannot believe this happened but I was trying to troubleshoot finding my coins on Electrum wallet through my Ledger and I followed the help from /u/LedgerHelp and in a moment of stupidity pasted my ledger passphrase to this site (link removed) and it exposed my private key and I have lost pretty much everything.

[o_e_l_e_o]

Maybe Ledger should put notice in every package "Do not enter your seed words anywhere except in your hardware wallet", and all that on white paper with big red letters.

Both the manual which is shipped with Ledger devices (available here to view, page 22: https://support.ledger.com/hc/en-us/articles/360007061974-User-manual), and the support pages on their website (https://support.ledger.com/hc/en-us/articles/360005514233), state pretty clearly to never share your phrase, and to never enter or store your phrase on any electronic device. Additionally, the pieces of card which come with Ledger devices for users to use to write down their recovery phrase say "Confidential - Do not disclose", or something similar (there are different versions) on one side or at the top.

If they give crystal clear instructions, and the user either doesn't read them or doesn't follow them, then I don't know how much you can really expect Ledger to do about things like this.

[hugeblack]

Perhaps the trick that used to show the link as legitimate is why beginners get scammed.
Next time, report such links. Prevention is better than cure:

 - Bitcointalk ----> Report to moderator  ----> Phishing Page/URL
 - Report Phishing Page -----> https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en
 - reddit.com ----> https://www.reddithelp.com/en/submit-request/breaking-content-policy
 - Twitter ----> https://help.twitter.com/en/rules-and-policies/twitter-report-violation

Is there any Bitcointalk group to report phishing links outside this forum?

[Pmalek]

Additionally, the pieces of card which come with Ledger devices for users to use to write down their recovery phrase say "Confidential - Do not disclose", or something similar (there are different versions) on one side or at the top.

It says: Confidential document. Store this document in a safe place!
I bet many people don't even read this. And a bunch of those who did read it understand it as take a picture of your seed and keep it in your phone or desktop computer.

So many things can be avoided by following simple instructions.