Bitcoin Forum
Author Topic: Ledger customer data breach aftermath, a sophisticated scam  (Read 228 times)
libert19 (OP)
Hero Member
Activity: 2464
Merit: 940
June 20, 2021, 05:43:04 AM
Last edit: May 16, 2023, 01:15:57 PM by libert19
Merited by DdmrDdmr (2), o_e_l_e_o (2), Daniel91 (1), stompix (1), ABCbits (1), 1miau (1)
#1

I don't exactly understand how this scam works; if you are well versed in tech and could explain it in layman's terms, that would be great.

This is the Reddit thread where user received the 'replacement': https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/

Article explaining the scam, but it went over my head: https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/

mk4
Legendary
Activity: 2730
Merit: 3830
June 20, 2021, 06:00:13 AM
Merited by DdmrDdmr (1)
#2

1. Scammers send you a FAKE Ledger device
2. You plug it in, set up your wallet
3. You send your funds to the FAKE Ledger device
4. Hackers steal your money from the FAKE Ledger device

Quote from: libert19
> This is the Reddit thread where user received the 'replacement': https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/

The user didn't receive a replacement. He just received a FAKE Ledger device. Obviously not from Ledger Labs.

Daniel91
Legendary
Activity: 3374
Merit: 1824
June 20, 2021, 10:42:42 AM
#3

This is obviously a very expensive fraud attempt and I think the targets have been chosen very carefully.
It’s one thing to have a list of people who have bought a ledger and it’s quite another to know or guess who might be an interesting target from that list and who’s worth the effort.
Many people today are very careless and brag on social media about their wealth, expensive cars, travels etc.
Of course, it is not difficult to connect that public information from social networks and data from the stolen Ledger database.
People really should be more careful and protect their privacy.
In my country we had a case where a popular singer bragged about her wealth and beautiful house and as soon as she announced that she had gone on vacation, thieves broke into her house and stole everything valuable.
No one has sent me anything yet, so I don't seem to be interesting to anyone  Grin

DdmrDdmr
Legendary
Activity: 2282
Merit: 10724
June 20, 2021, 11:21:35 AM
Merited by o_e_l_e_o (2), ranochigo (1)
#4

If I understood it correctly, the resulting fake Ledger device is an original (?*) device with a flash drive implant, altering the functionality in such a way that, by inserting the ledger "replacement", it will really just act as a flash drive with a fake Ledger Live, overriding all the Ledger device’s native functionality. Essentially, they’ve nullified the Ledger from an operational point of view, and made it work as a camouflaged flash drive. If the user then follows the instructions, he’ll load the fake Ledger Live and be prompted to enter his recovery phrase (which the user may do, believing he is restoring it onto the "new" physical device). That data is then sent to the hacker’s backend.

If we play spot the difference between the two ledger device circuit boards, there are some that do not seem to me related to the flash drive implant. Perhaps they are due to differences that are made over time to the original circuit board (being both devices representing slightly different versions). I did not interpret the articles as stating that the circuit board was a completely fake one (i.e. created deliberately), but rather more it being manipulated to add the flash drive implant.

(*) Of course it could be a dummy cloned (look alike) circuit board, with no other functionality than that of the implanted flash drive. I’m still not sure whether the board is original or a completely fake dummy one (despite references to the "fake device").

A relatively expensive deal, but one good hit and it will cover a bunch of costs. It may though have been a very precise target they were after, and it doesn’t seem to be a scheme with multiple current reports.
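
A defensive check for the behaviour described in the post above, as an added example that is not part of the original thread: it parses `lsusb -v` style text and flags any device that exposes a USB Mass Storage interface. The sample output, the USB IDs and the allowed-class policy (a hardware wallet exposing only HID or vendor-specific interfaces) are assumptions constructed for illustration.

```python
"""Flag USB devices that expose a Mass Storage interface, from `lsusb -v` text."""
import re

# Standard USB interface class codes.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_VENDOR_SPECIFIC = 0xFF

# Assumption for this example: a hardware wallet is expected to expose only
# HID and vendor-specific interfaces, never a storage volume.
ALLOWED_WALLET_CLASSES = frozenset({USB_CLASS_HID, USB_CLASS_VENDOR_SPECIFIC})

# Constructed sample in the layout of `lsusb -v` output. The IDs and names are
# made up; nothing here was captured from a real device.
SAMPLE = """\
Bus 001 Device 004: ID 1111:0001 Constructed wallet-style device
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass       255 Vendor Specific Class

Bus 001 Device 007: ID 2222:0002 Constructed flash-drive-only device
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage

Bus 001 Device 009: ID 3333:0003 Constructed composite device
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         3 Human Interface Device
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass         8 Mass Storage
"""

_DEVICE_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)
_IFACE_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)\b")


def parse_lsusb(text):
    """Return one dict per device with the set of interface classes it declares."""
    devices = []
    current = None
    for line in text.splitlines():
        match = _DEVICE_RE.match(line)
        if match:
            current = {
                "bus": match.group(1),
                "device": match.group(2),
                "usb_id": f"{match.group(3).lower()}:{match.group(4).lower()}",
                "name": match.group(5).strip(),
                "classes": set(),
            }
            devices.append(current)
            continue
        match = _IFACE_RE.match(line)
        if match and current is not None:
            current["classes"].add(int(match.group(1)))
    return devices


def audit_device(dev, allowed=ALLOWED_WALLET_CLASSES):
    """List the reasons a device does not look like the expected wallet profile."""
    findings = []
    if not dev["classes"]:
        findings.append("no interface descriptors parsed")
    if USB_CLASS_MASS_STORAGE in dev["classes"]:
        findings.append("exposes a Mass Storage interface")
    for cls in sorted(dev["classes"] - allowed - {USB_CLASS_MASS_STORAGE}):
        findings.append(f"unexpected interface class 0x{cls:02x}")
    return findings


def audit(text):
    """Map each device's vendor:product ID to its findings (empty list = clean)."""
    return {dev["usb_id"]: audit_device(dev) for dev in parse_lsusb(text)}


if __name__ == "__main__":
    for usb_id, findings in audit(SAMPLE).items():
        print(usb_id, "OK" if not findings else "; ".join(findings))
```

A clean result only says the interface profile looks right; it does not prove the device or its firmware is genuine.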
Lucius
Legendary
Activity: 3206
Merit: 5618
June 20, 2021, 12:24:50 PM
Merited by o_e_l_e_o (2)
#5

This is actually not the first such documented case, as there is an identical one on the Ledger site dating back to May 10th, 2021. What we can be sure of is that someone is comparing a hacked database to other publicly available data and looking for those users who have been found to have a certain amount of coins worth such an attempt at fraud.

The thing is very simple, your publicly published e-mail address that can in any way be linked to your crypto address - specifically if you are in the hacked database, and any time you have publicly published the same e-mail address on this forum - it can be associated with your publicly available coin addresses that may mark you as a target.

https://www.ledger.com/phishing-campaigns-status#phishing-campaigns

NeuroticFish
Legendary
Activity: 3640
Merit: 6348
June 20, 2021, 12:35:19 PM
#6

Quote from: libert19
> I don't exactly understand how this scam works

It was described in the other topic about this new scam:

Fake Instructions is asking users to connect the Ledger to their computer, then import recovery phrase from their old device, and that is sent to the attackers who import it on their own devices and steal crypto.

Most probably either the "import tool" or some fake "firmware" would be the part that will actually send out the data to the hackers.

It's interesting that such a scam costs money - the devices, the look-alike box, the shipping from France (!) - so it was not easy to send these boxes out.

Lucius
Legendary
Activity: 3206
Merit: 5618
June 20, 2021, 01:18:37 PM
#7

Quote from: NeuroticFish
> It's interesting that such a scam costs money - the devices, the look-alike box, the shipping from France (!) - so it was not easy to send these boxes out.

If we consider how those who use a hacked database think, perhaps this scam could be characterized as the second phase of an attack of a possible three phases.

  • the first phase is the easiest and completely free, it can be performed by anyone who knows how to find a database and send an email with a phishing link that can be a simple site similar to the official one that only asks for the user's seed.
  • the second phase is exactly what we see now, and it still requires a little more brain and is not free - but let's take into account that those behind this were probably successful in the first phase, so funding is not a problem for them.
  • the third phase is the most dangerous for attackers and users because it includes burglaries, armed robberies and possible physical attack.

Of course this is just my thinking based on some logic, any phase of an attack can happen at any time.

pawanjain
Hero Member
Activity: 2646
Merit: 713
June 20, 2021, 02:13:29 PM
#8

As others said, it's definitely a costly attempt to scam but a worthy investment to scam. If the user is someone who isn't aware of the technicalities he would simply transfer all his funds to the ledger wallet and lose all his crypto. It's good that the reddit user was aware of the hack and hence didn't get scammed.

Now that he has a free ledger wallet is it possible to remove the old firmware and flash a new firmware and get new seeds?
If so the user could still use the free ledger wallet Grin

khaled0111
Legendary
Activity: 2492
Merit: 2828
June 20, 2021, 06:01:51 PM
#9

Am really curious to know how many users received this fake device and how many of them fell for it!
The scammers must either be the same persons who hacked Ledger's ecommerce database or they bought it from darknet. The first possibility is more likely because it is clear from the effort they put into this scam that they possess the necessary capabilities to hack Ledger's website.
The Ledger Donjon, if they get one of those fake devices or at least the malware it contains, they can easily determine the IP address(es) of the server(s) to which the malware connects. This can, although unlikely, help them to identify the hackers, or at least to shut down the server(s) to avoid more victims.

The Cryptovator
Legendary
Activity: 2212
Merit: 2169
June 20, 2021, 06:31:50 PM
#10

These are very possible reasons explained by @mk4. This is just the outcome of a data leak from Ledger. It's pretty obvious scammers just send a fake Ledger or device with pre-generated seeds. But the higher chance is the device was fake. Whatever seed stored there is just fake IMO. No doubts it's a costly scam attempt at all, I think scammers sent that fake device to many. So someone would fall into that trap. For me, I won't use any device that I hadn't ordered from the official store of Ledger. Everyone should avoid such scam attempts.

NeuroticFish
Legendary
Activity: 3640
Merit: 6348
June 20, 2021, 07:34:43 PM
#11

Quote from: Lucius
> If we consider how those who use a hacked database think
> ~snip~
>   • the third phase is the most dangerous for attackers and users because it includes burglaries, armed robberies and possible physical attack.

I don't know how those people think, but I surely hope that you're wrong about this third phase.

One thing is for sure: not all who bought Ledger wallets actually have Bitcoins; clearly some do have, but far from all. This means that although this phase 2 may pay off, the phase 3, which is much more costly (both as logistics and risk) may not be worth it. I surely hope so. However, all this is way out of hand, I don't understand how Ledger and their shop provider are still allowed in e-commerce business.

Fortify
Legendary
Activity: 2632
Merit: 1172
June 20, 2021, 07:59:16 PM
#12

Quote from: mk4
> 1. Scammers send you a FAKE Ledger device
> 2. You plug it in, set up your wallet
> 3. You send your funds to the FAKE Ledger device
> 4. Hackers steal your money from the FAKE Ledger device
>
> Quote from: libert19
> > This is the Reddit thread where user received the 'replacement': https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/
>
> The user didn't receive a replacement. He just received a FAKE Ledger device. Obviously not from Ledger Labs.

That has got to be the most sophisticated scam attempt in the history of Bitcoin so far. They have gone to extreme lengths to produce copies of the original product, even down to the level of high quality instruction manuals. You have to wonder if this is somewhat of an inside job by the original factory who had an idea to make a bit of extra money. Perhaps the leak revealed large sums of Bitcoin that were under the control of some ledger users because there is no way that a scammer would go to such extents without thinking there was a huge potential payout available at the end of it all.

o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18504
June 20, 2021, 09:05:11 PM
#13

Quote from: NeuroticFish
> One thing is for sure: not all who bought Ledger wallets actually have Bitcoins; clearly some do have, but far from all.

I would say the majority of people who bought a Ledger will have coins of some description worth something. I can't imagine anyone is buying a Ledger just for fun and not holding any cryptocurrency at all, and so the only people with a Ledger and no coins worth stealing are people who have sold off everything they held, or people who only bought shitcoins which are now worthless. The coins don't even need to be on the Ledger - if someone is going to attack you based on the knowledge that you are likely a cryptocurrency owner, then they can coerce you to hand over funds regardless of where you have stored them.

Quote from: NeuroticFish
> I don't understand how Ledger and their shop provider are still allowed in e-commerce business.

Exchanges are hacked for KYC details all the time and yet are allowed to continue to function without even being punished for their terrible security. Knowing that someone has a Coinbase account makes them just as much of a target as knowing that someone owns a hardware wallet.

Quote from: Fortify
> Perhaps the leak revealed large sums of Bitcoin that were under the control of some ledger users because there is no way that a scammer would go to such extents without thinking there was a huge potential payout available at the end of it all.

As Lucius has said above, people link bitcoin and other crypto addresses to personal information all the time, particularly email addresses. Cross checking against email addresses in the Ledger database could easily reveal a handful of high value targets.
Lucius
Legendary
Activity: 3206
Merit: 5618
June 21, 2021, 01:17:38 PM
#14

~snip~

Most of those who are considering a physical attack on a specific target study very well all the risks that such an attack carries with it - so most will give up if they find out that the target has video surveillance and an alarm that is not so easy to disable. In addition, if they find out that the target also has a firearm - this will be a sign for most to give up - especially if it is a smaller amount than say 1-2 BTC.

High-ranking targets would be those with tens or hundreds of BTC, and for that kind of money real professional thieves will not save on time and money to plan everything and carry out a robbery regardless of security measures.

I'm not at all surprised that Ledger remained almost intact after all, although I as their customer (and I believe many others) have firmly decided that we will no longer buy their products.

ranochigo
Legendary
Activity: 2954
Merit: 4158
June 21, 2021, 02:18:17 PM
#15

Classic social engineering. In this case, it is highly specific and tailored to a specific group of users: Ledger Customers involved in the leak.

This is also the reason why people shouldn't be plugging in random USBs that they find anywhere. They are cheap to manufacture and leveraging on customer's complacency is an accident bound to happen. If you did not order something, then you should assume it as malicious. If Ledger sent me something like this, it would be a giant red flag, partially for me assuming that they did not scrub my details from their own database. Always verify the authenticity of devices that you receive and ensure that it isn't tampered with or otherwise counterfeit.

Davidvictorson
Hero Member
Activity: 952
Merit: 825
June 21, 2021, 03:13:08 PM
#16

Scammers have gotten really smarter but customers will always be a step ahead. It's a good thing that this user had some knowledge on how scams work, having been a victim of a data breach.

The two takeaways from this are:

1) The customer's data was gotten via a third-party and not Ledger.

2) Ledger will never send anyone a free product they didn't order.

stompix
Legendary
Activity: 2856
Merit: 6226
June 21, 2021, 05:21:40 PM
Merited by khaled0111 (1)
#17

Quote from: NeuroticFish
> I don't understand how Ledger and their shop provider are still allowed in e-commerce business.

Just because of that data breach?
If that would be a rule you would end up with half of the companies shut down and with competitors paying tens of millions to hackers to take out the competition. There is no way a company would be forced to stop selling products over a database breach of their customers, there have been cases of food poisoning that caused death and some restaurants haven't been completely shut down just temporarily, not even talking about chain stores, nobody is going to do that over a bunch of addresses even with all this GDPR stuff.

Quote from: o_e_l_e_o
> As Lucius has said above, people link bitcoin and other crypto addresses to personal information all the time, particularly email addresses. Cross checking against email addresses in the Ledger database could easily reveal a handful of high value targets.

I think the first step will be the physical address, is it from a poor country and the address is from a small city and a block of flats, that's a no from the start, is it a mansion in Englewood? It does sound tempting!

Quote from: khaled0111
> Am really curious to know how many users received this fake device and how many of them fell for it!
> The scammers must either be the same persons who hacked Ledger's ecommerce database or they bought it from darknet. The first possibility is more likely because it is clear from the effort they put into this scam that they possess the necessary capabilities to hack Ledger's website.

I don't think so.
If you hacked the database and you have planned for this you wouldn't have released it or sold it over DM, the whole element of surprise is gone and people are far more suspicious about it. Imagine receiving this packed with no news about the hack and with a really well-made package, details on who to call (obvious fake numbers), and what to do because you alone have been targeted. A lot more would have fallen for the trap.

Anyhow, shitty situation.
If I were to take a guess at my relatives and friends, I would think at least 10% would have fallen for this, I know a few who lost money of far more obvious scams, this one would get them for sure.

jerry0
Full Member
Activity: 1736
Merit: 186
June 22, 2021, 12:18:12 AM
#18

How many people got this?  What country are the people who received this from?


Lucius
Legendary
Activity: 3206
Merit: 5618
June 22, 2021, 09:08:53 AM
#19

Quote from: jerry0
> How many people got this?  What country are the people who received this from?

How about you, unlike asking stupid questions, start reading what is written in this thread? If you had done that, then you would have known that only 2 cases have been made public so far, and what does it matter in which countries it happened?

In case you get a package from Ledger (and it applies to everyone else) that you did not order - just refuse to take it from the delivery service, let them return it to the sender - so he will pay the price of sending the package in both directions - if he decides to pick it up.
