Even if you buy a hardware device from an authorised reseller, you need to check

[DdmrDdmr]

Now that we’re on the matter of Ledger issues as of late (this is also applicable to other hardware wallets), while trying to find a screenshot of the fake Ledger Live related to the latest phishing attempt, which presumably asks you to reset your pin, and requires your 24 mnemonic to do so (see Warning - Ledger phishing emails!), I came across a relatively recent thread on Reddit.

On that thread, a person explained how his friend (allegedly) bought a Ledger Nano S at Amazon UK (sold by Ledger, fulfilled by Amazon), only to find that the device had come with a default pin, and a prefilled 24 word mnemonic. The friend, unaware that this is not how it should be, moved some BTC onto one of the device’s addresses, only to see it vanish a week later.  

Likely, someone bought the device, initialized it, printed a fake prefilled 24 mnemonic card, and returned it to Amazon. The person at Amazon who received the returned package had no clue that the device had been tampered with, and likely place it back for resell on the shelf (note: sensitive material such as this should always be sent back to Ledger in my opinion). It could also have been a rouge employee.

The moral of the tale: even if you purchase the device through an authorised reseller, you need to make sure the device has not been tampered with (as is the case, allegedly).

Corollary to the moral of the tale: Resellers should install a protocol that sends these returned devices back to the manufacturer, always (and, in turn, the manufacturer should review the product properly before even considering placing it back for sale).

See: https://www.reddit.com/r/ledgerwallet/comments/je8o4m/friend_got_btclink_stolen_on_ledger_wallet/

[1715483834]

1715483834

[FullNode]

You buy a hardware device to store your coins with greater security and lose them, demoralizing
It is better to buy direct from the manufacturer even if the price is higher
Thanks for sharing

[Charles-Tim]

No comment again, the best to do by resellers (amazon) is to take back the hardware wallet only to the company they bought it from which is ledger company in this case. Normally, if truly this is the case, the victim supposed to file a law suit against Amazon and demand for the coin lost, so that it will be a lesson for Amazon. Normally, they do not have to think about this two times to return the hardware wallet for any malicious activity, because humans are wicked and malacious in nature.

But, let us check another way around, people are so malacious, it is possible returning the hardware wallet after such event could be the norm of Amazon (although, I am only saying) but one of the workers in Amazon may know about this malacious events, and be the one that took it back from the malicious person or even replace the good one to malacious one in order to resell/sell it to another person, so that the person can be a victim. With this, I think we should not trust any other party than the company selling the hardware wallet. The safest way will be to buy directly from hardware companies like ledger nano, trezor and the likes.

[gentlemand]

Corollary to the moral of the tale: Resellers should install a protocol that sends these returned devices back to the manufacturer, always (and, in turn, the manufacturer should review the product properly before even considering placing it back for sale).

To Amazon and every retailer other than the manufacturer it's just another bit of tech that flies out the door. They should be doing things like this, they certainly won't as it's not their problem.

Mixing stuff like this with standard retail policies is a dangerous combination but I can't see them ever taking special measures.

[NeuroticFish]

only to find that the device had come with a default pin, and a prefilled 24 word mnemonic.

Such case should be returned and reported to Ledger imho (of course poor newbie didn't know, unfortunately). They should be aware about such cases and take the responsibility (!) if they are the Seller at Amazon.
Without such actions (and of course, writing them all over media) nothing would change. I think that Ledger has its part of responsibility in this.

The friend, unaware that this is not how it should be, moved some BTC onto one of the device’s addresses, only to see it vanish a week later.  

One week is unexpectedly long time. I'd expect such theft happen at or right after the first confirmation.


Sad story. I think that this kind of devices should not be returnable. Period. (Although I the idea that an employee actually did this also makes plenty of sense and I have no solution for that.)

[o_e_l_e_o]

I recently read a post on Reddit which is relevant here. I cannot vouch for how accurate or not it is, but it certainly makes for interesting reading: YSK that Amazon has a serious problem with counterfeit products, and it's all because of something called "commingled inventory."

Essentially it goes like this:

Ledger send Amazon a bunch of Nano S wallets to be sold from their "Official Amazon Web Store", and so Amazon records that inventory and stick them on a shelf labeled "Nano S wallets".
Some third party reseller also sends Amazon a bunch of Nano S wallets to sold from their "Random Third Party" page, and Amazon records that inventory and sticks them on the same shelf labeled "Nano S wallets".
Whenever someone buys a Nano S wallet, regardless of whether through Ledger or through some random third party, if the order is "Fulfilled by Amazon" then they simply get a random wallet picked from that shelf, which could have come directly from Ledger, or could have passed through any number of third parties.

One week is unexpectedly long time. I'd expect such theft happen at or right after the first confirmation.

Why? If the wallet has been loaded, then the thief/attacker knows that the customer is unsuspecting. Makes sense to wait a while to see if they deposit any more funds before stealing the initial deposit.

[The Cryptovator]

The problem will happen if anyone has less knowledge about bitcoin technical knowledge. I bought a Ledger wallet from Amazon as well. It was on solid packed when arrived at me. Before open this, I search as much as possible how Ledger works. I set my own password and mnemonic words, I don't have doubts about that, of course, the seller was Ledger official.

If someone wondering to enter something new, then he should research as much as possible to learn. So when anyone learns then there would be doubts when received a Ledger with a pre-generated password and seed. It's always suggested if you have doubts then reset your device by entering the wrong password on the device. So there will be new mnemonic words and passwords as well.

[NeuroticFish]

"commingled inventory."

Wow. I didn't think of this. If this indeed happens then it's indeed a very big problem at Amazon, not only with Ledger products...

One week is unexpectedly long time. I'd expect such theft happen at or right after the first confirmation.

Why? If the wallet has been loaded, then the thief/attacker knows that the customer is unsuspecting. Makes sense to wait a while to see if they deposit any more funds before stealing the initial deposit.

I was expecting the thieves have scripts attached to the wallets they are watching and as soon as funds are in, they get them without delay.
But maybe I just don't have thief material (no biggie)

[gentlemand]

Wow. I didn't think of this. If this indeed happens then it's indeed a very big problem at Amazon, not only with Ledger products...

The thing is almost all of the time this doesn't matter. If you get a junk micro SD card then you simply send it back. Amazon aren't going to change squat to protect a few people stung by this.

[jackg]

Is the person mentioned in the op still using a ledger or that ledger by amazon?

If what you've thought of is an attack vector, there's A LOT worse they could do. If this is the case with a lot of resellers ONLY buy from the official website. Don't trust anyone, amazon&ebay won't care they might not even use the verified seller as it's probably easy to fake anyway.

[aioc]

This is a big warning to anyone who wants to purchase not only to Amazon but to resellers and first owner of the device, imagine if the guy has a huge amount of coins and he put all of it there, I have read getting scam by exchange but this is the first time getting scam by a ledger, we should be properly educated and configure it correctly before storing our coins to the ledger, I thin even if it coming from the manufacturer you never know.

[o_e_l_e_o]

I thin even if it coming from the manufacturer you never know.

Every one of these "hacks" has been due to a device being pre-initialized and the user in question not following the basic set up guide, which would protect them against such an attack. There have been no known cases of coins being lost due to a Ledger device being physically tampered with, having the hardware altered, or having custom firmware installed on it. Provided you follow the basic set up guide Ledger provide (https://support.ledger.com/hc/en-us/articles/360002481534), then by setting it up you both ensure no one has previous initialized it and you also connect it to Ledger Live to verify it is a genuine device.

Having said all that, if you are genuinely concerned regarding supply chain attacks, then hardware wallets are probably not for you. In such a case, I would suggest to instead generate your own entropy using coin flips, rolling dice, or something similar, and use that to generate a wallet using open source code you have reviewed yourself on permanently airgapped device.

[Fortify]

That is a pretty devious way to take someone elses Bitcoin and really stresses the importance of understanding what you are buying. Especially with new technology that is effectively acting like a bank account, it seems very foolish to send it to a wallet that was provided to you. Knowing how weak the return policies are with Amazon, it seems like it would be a common but risky tactic for the returner. Can these ledgers even be reset, or are you stuck if the original owner already set everything up?

[o_e_l_e_o]

Can these ledgers even be reset, or are you stuck if the original owner already set everything up?

Very easily.

With either a Nano S or a Nano X, either navigate to Settings -> Security -> Reset all, or simply enter an incorrect PIN three times in a row after turning on the device. This will reset to factory settings, wiping the seed phrase and private key that the attacker already set up and leaving a blank device, which you can then set up as you would a brand new device. See here for more info: https://support.ledger.com/hc/en-us/articles/360017582434-Reset-to-factory-settings

Once you've done that, you should then follow the link I shared above to verify the device is genuine before proceeding to the next page of their support to set up as a new device.

[jossiel]

Can these ledgers even be reset, or are you stuck if the original owner already set everything up?

As said by o_e_l_e_o.

In my experience, I forgot my PIN 3 times and after that, it asked me to enter the recovery phrases that I have saved. Fortunately, I have them of course. I just forgot the PIN of the device.

I barely remember if that's the exact process that I went through when I've forgotten the pin.

If I'll purchase a new ledger wallet in the future, I'll just go directly to Ledger's website and order.

[Bitsaurus]

Amazon's inventory is not pristine. They routiney mix 3rd party sellers with their own manufacturer sourced stuff. Some reviewers are idiots because they think just because they bought the product from Amazon that it went through the proper channels and didn't pay attention the Buy Box when clicking add to cart. I have received counterfeit items from flash memory to batteries that was sold directly by Amazon. I can only assume the inventory was mixed by accident, but at this point I doubt Amazon cares as it's just riding on it's bulk.

While it's not guaranteed every 3rd party hardware wallet will contain malicious code, you can be certain there's definitely a motive to have somebody want to steal your passphrase. If there's a way, there's a will.

[Lucius]

In my experience, I forgot my PIN 3 times and after that, it asked me to enter the recovery phrases that I have saved. Fortunately, I have them of course. I just forgot the PIN of the device.

This is just proof that such things should not be kept in mind, because people tend to forget such combinations, especially if it is an 8-digit PIN that is not used often. In your case, it's good that you had the right seed on hand, but what if it was a PIN that was the only way to access the wallet?


With all possible precautions, what I would recommend to anyone who buys a new HW is not to send all the coins he has to that device instantly, but to send a small part and leave them like that for a few days. In case something is wrong, it is better to lose 5% or something similar than everything you have.

[erikoy]

Probably this is another way of doing scam. There are many scammers in cryptocurrency because they take advantage on it. Since this is not regulated and protection is not quite high like no authorities has been tasked to monitor the events and happenings of cryptocurrency because we wanted as much as possible without the interference of the government that could also defeat of its purpose being a decentralized. Anyway, I do believe that one day cryptocurrency will go strong and that include the strengthening of security system.

[yazher]

If this is the case, I would not buy some hard wallet from them. I rather buy from its original sources from the original store.

Anyway, If we buy a hard wallet from its original source do we have to do those steps you told us or no need to?

and also, how can we know the device if it has tampered with?

[Kong Hey Pakboy]

Probably this is another way of doing scam. There are many scammers in cryptocurrency because they take advantage on it. Since this is not regulated and protection is not quite high like no authorities has been tasked to monitor the events and happenings of cryptocurrency because we wanted as much as possible without the interference of the government that could also defeat of its purpose being a decentralized. Anyway, I do believe that one day cryptocurrency will go strong and that include the strengthening of security system.

Many people wish that someday security could not be a problem, so we would not bother or think about our protecting our sensitive data and funds stored in our wallets. But I think it is impossible because no technology is safe from hackers and scammers capable of stealing someone's data and funds. It is why we should always be careful about the things we buy online; even they are an authorized reseller of hardware devices.