Pmalek (OP)
Legendary
Offline
Activity: 3402
Merit: 8973
January 14, 2025, 09:00:25 AM Last edit: January 14, 2025, 09:13:14 AM by Pmalek
A user on Reddit (Programmierus) shared a story of how his friend lost over $200,000 after buying a Ledger Nano X device from a fake shop in Thailand. Nothing unusual so far, except the claim that the device passed Ledger's Genuine Check. Here is the whole story. The device was purchased on an online marketplace, whose name I will not mention, from a 3rd-party seller not affiliated with Ledger. The shop is now gone. However, it mimicked the official Ledger reseller from Thailand. The person helped his non-tech-savvy friend set up the Nano X on his MacBook in November 2024. Ledger's Genuine Check confirmed that the device was genuine. They updated the firmware. The person claims they generated new seeds twice. The first time he showed his friend how it's done, and the second time they wiped the device and generated a second seed that his friend wrote down. Programmierus says he didn't see the second seed. Sometime later, the friend deposited ETH and TRX into his wallet. Everything was stolen a few days later. The Reddit thread shows where the stolen coins went and how they moved. You can follow it there if you are interested.
Many things could have happened here, and we can only guess what caused it.

- The most worrying thing would be if the fake device passed Ledger's real Genuine Check. However, we don't know what software the victims downloaded. Was it the real Ledger Live and its firmware, or was it something fake, as instructed by the scammers?
- The victim is not tech-savvy and probably a beginner who lacks knowledge. Buying from a fake store shows that. He might have leaked the seed somehow. His "friend" who helped him to set everything up could have stolen his crypto, or someone who knew where the seed was kept. He didn't use a passphrase or multisig.
- Perhaps the fake device he bought only shows a few pre-generated seeds already known to the seller. All they have to do is monitor the addresses and steal the coins whenever they want to. Or the device generates seeds with weak entropy that the scammers can easily brute-force. One user wrote a comment that the fake seller from Thailand was already reported in the past for sending pre-printed seeds that needed to be used with Ledger.
- Programmierus and his friend have not yet opened the Nano X to inspect the hardware. They are waiting for law enforcement and Ledger to give the go-ahead.

This is another warning to never buy hardware wallets from unofficial 3rd-party sellers and to be careful about how you set them up and who knows about them. Stay away from Ledger altogether if you don't like the direction the company has taken.

Source: https://www.reddit.com/r/ledgerwallet/comments/1hyw356/help_urgent_compromised_ledger_nano_x_that_passed/
tenant48
January 14, 2025, 10:31:24 AM
Very strange story. The author claims that he downloaded Ledger Live from the App Store and the wallet passed the authenticity check normally. So the problem is unlikely to be in the wallet itself.
The following things also confuse me: According to the author, the victim was new to cryptocurrency, but transferred an impressive amount of more than $200,000 to the wallet.
The provided screenshot shows that the wallet has been checked and no applications have been installed on it, although ETH and TRX should be installed at least. That is, the screenshot was taken before the hack, which is very strange, because, according to the author, after the hack the wallet was not touched again, nothing was installed or deleted.
Of course, you can check your wallet by resetting it to factory settings, creating a new SEED, putting a not very large amount on it and seeing if it gets stolen. But, in my opinion, they are not telling you something, or it's a trivial leak of the SEED by an inexperienced user.
Pmalek (OP)
January 14, 2025, 01:13:55 PM
> Very strange story. The author claims that he downloaded Ledger Live from the App Store and the wallet passed the authenticity check normally. So the problem is unlikely to be in the wallet itself.

I missed this part about him downloading the software from the App Store. Does he say that he searched for the wallet on the App Store manually or that the official Ledger website directed him there?

> The following things also confuse me: According to the author, the victim was new to cryptocurrency, but transferred an impressive amount of more than $200,000 to the wallet.

Correct. He calls his friend non-tech-savvy, but that doesn't mean that he can't have money to invest or that he couldn't possess crypto without knowing much about it.

> The provided screenshot shows that the wallet has been checked and no applications have been installed on it, although ETH and TRX should be installed at least. That is, the screenshot was taken before the hack, which is very strange, because, according to the author, after the hack the wallet was not touched again, nothing was installed or deleted.

Good catch! I saw that myself, and I was wondering why the user had a screenshot taken before he installed any apps (if it was actually taken at that time) and for what reason he would need that. Why would you need a screenshot that shows that the Genuine Check was passed?

> Of course, you can check your wallet by resetting it to factory settings, creating a new SEED, putting a not very large amount on it and seeing if it gets stolen.

A smart thief wouldn't react immediately. They would stay patient and wait for the victim to send more money to the wallet and only then empty it.

> But, in my opinion, they are not telling you something, or it's a trivial leak of the SEED by an inexperienced user.

A user who makes one big mistake can certainly make two or three. Or perhaps it's all made up because it's cool to use Ledger as a punching bag.
tenant48
January 14, 2025, 02:37:12 PM
> I missed this part about him downloading the software from the App Store. Does he say that he searched for the wallet on the App Store manually or that the official Ledger website directed him there?

I read this in the comments to his post. Wim1441 asks the author: "From which website did you download ledger live? Maybe they had a scam website shown on the packaging or in the manual."
Programmierus answers him: "Not possible. Ledger Live from App Store on Mac."
Lucius
Legendary
Offline
Activity: 3878
Merit: 7126
January 14, 2025, 04:40:05 PM
What I find a little strange is that this story is only now coming to light, and the alleged hacking occurred in late November or early December last year. Asking for urgent help (as the title on Reddit says) after such a long time does not make much sense, especially if we consider that it gives hackers more than enough time to hide their tracks. Apart from what @tenant48 has already noticed, it seems to me that something is not quite right in this story - but that's always the case when it comes to Ledger, isn't it?
Regarding LL on the App Store, is it possible that someone (at least briefly) managed to upload a fake version that was downloaded in this specific case? There have been cases of fake LL before, on all platforms where it was available. It may not be too important, but LL wasn't available on the Mac App Store until a year ago. There is also a case in which users of the popular online wallet (blockchain(com)) who used Apple devices were hacked - so although this probably has nothing to do with the mentioned case, something may smell in that direction as well.

https://www.reddit.com/r/ledgerwallet/comments/15qvpyj/why_isnt_ledger_live_in_the_mac_app_store
https://bitcointalk.org/index.php?topic=5157460.0
Pmalek (OP)
January 14, 2025, 04:51:25 PM
> Regarding LL on the App Store, is it possible that someone (at least briefly) managed to upload a fake version that was downloaded in this specific case? There have been cases of fake LL before, on all platforms where it was available.

We all know that Google's personnel are a joke, and they don't do due diligence when adding new apps to the Play Store. New scam/phishing apps appear there constantly. Apple's people are somewhat more difficult to trick in this regard. Fake apps appear much more seldom, but there have been a few cases on the App Store as well. The quote tenant48 shared above doesn't explain much. The person said they downloaded "Ledger Live from App Store on Mac", but not whether they clicked a link on Ledger's official website or manually searched the App Store and perhaps found a fake app.
dkbit98
Legendary
Offline
Activity: 2870
Merit: 8511
January 14, 2025, 11:10:37 PM
This is very concerning news, but I can't say that I am surprised by this. Scammers probably found a way to bypass the genuine check, and there is no way to know how they did it since Ledger is a closed-source device. There is always a chance that some leak from the Ledger factory happened; they are made in China and only assembled in France. Even without this latest scam, I was warning people in the last few years to stop using Ledger and all other closed-source devices like Tangem.
PX-Z
Legendary
Offline
Activity: 2086
Merit: 1283
January 14, 2025, 11:55:34 PM
Many things don't add up. The device seems to be genuine regardless of where the user bought it, because of the genuine check; the Ledger Live app was downloaded from the official App Store, and I tried to search for a fake app but found nothing. They even set up the device (for trial) and then reset it before using the actual address and saving the seed, which means the device is not tampered with and doesn't have any pre-generated seed.
I can only think it is the user's fault, leaking the seed from somewhere else.
Lucius
January 15, 2025, 12:07:43 PM
> ~snip~ I can only think it is the user's fault, leaking the seed from somewhere else.

From everything that can be read, the person who generated the seed claims that it was in a safe place and that it could not be the cause of the hack. If we assume that this is correct, then there are at least two options left - one of the comments says that maybe it is an interaction with a malicious contract (recently we had a case where this was the reason for hacking), or the HW was modified in a still unknown way which enables it to pass all checks by Ledger, and the hacker still gets the generated seed. We should not rule out the possibility that someone managed to hack the Ledger recovery service and that the device is sending the seed in the wrong direction. One would conclude that this would then surely happen en masse, but some hacker who figured out how to do it would surely keep it to himself rather than share it with others - at least until he hacks enough devices and is satisfied with the loot.
Pmalek (OP)
January 15, 2025, 01:28:55 PM
> ...they are made in China and only assembled in France.

You just described 90% of products regardless of the industry. Most things nowadays are made in China and similar countries with cheap labor, shipped worldwide, assembled, branded, and sold with an expensive price tag.

> From everything that can be read, the person who generated the seed claims that it was in a safe place and that it could not be the cause of the hack.

People don't like to admit that they did something wrong or are directly responsible for what happened to them. A user error has many times been the culprit.

> If we assume that this is correct, then there are at least two options left - one of the comments says that maybe it is an interaction with a malicious contract (recently we had a case where this was the reason for hacking), or the HW was modified in a still unknown way which enables it to pass all checks by Ledger, and the hacker still gets the generated seed.

I thought the recent hacks affected ERC-20 tokens and not the underlying native assets of alternative blockchains. Maybe I am wrong.
Lucius
January 15, 2025, 03:49:06 PM
> If we assume that this is correct, then there are at least two options left - one of the comments says that maybe it is an interaction with a malicious contract (recently we had a case where this was the reason for hacking), or the HW was modified in a still unknown way which enables it to pass all checks by Ledger, and the hacker still gets the generated seed.
>
> I thought the recent hacks affected ERC-20 tokens and not the underlying native assets of alternative blockchains. Maybe I am wrong.

You are right, but if you look at this case, it seems that there is still a possibility that a maliciously signed transaction can give a hacker access to the entire wallet. There has already been a discussion about the fact that it is not wise to store BTC and altcoins in the same wallet - because it is obvious that there is a risk that the user will lose everything if he makes just one wrong step.
Pmalek (OP)
January 15, 2025, 04:25:41 PM
> You are right, but if you look at this case, it seems that there is still a possibility that a maliciously signed transaction can give a hacker access to the entire wallet. There has already been a discussion about the fact that it is not wise to store BTC and altcoins in the same wallet - because it is obvious that there is a risk that the user will lose everything if he makes just one wrong step.

And again, we have an unexplained case that began with a user error. In the beginning, the victim claims he did nothing wrong and didn't sign malicious transactions. The reason being that the scammer was idle for about three years and only then emptied the victim's wallet. Or perhaps the hacker only gained access to certain keys on a service three years after the victim allowed that service certain rights. It still puzzles me how this would work when each transaction needs physical confirmation, without the user messing up big time. How can physical confirmation be delayed for three years?
m2017
Legendary
Offline
Activity: 2394
Merit: 1573
January 15, 2025, 04:42:02 PM
> Very strange story. The author claims that he downloaded Ledger Live from the App Store and the wallet passed the authenticity check normally. So the problem is unlikely to be in the wallet itself.

Most of this story is based on the author's words and statements. Isn't it all just a hoax to increase upvotes (or something else, like donations)?

> The following things also confuse me: According to the author, the victim was new to cryptocurrency, but transferred an impressive amount of more than $200,000 to the wallet.

This can be explained by the fact that the newbie was not poor or received an inheritance. For me, this place doesn't seem to be the "weakest" in this strange story, because newbies would have immediately sent all the money to a new device. More experienced and paranoid users first send a small trial amount. So, everything fits here. In general, it all looks like this story is full of "blank spots" and it is impossible to be 100% sure of the truth of what happened.

> This is very concerning news, but I can't say that I am surprised by this. Scammers probably found a way to bypass the genuine check, and there is no way to know how they did it since Ledger is a closed-source device. There is always a chance that some leak from the Ledger factory happened; they are made in China and only assembled in France. Even without this latest scam, I was warning people in the last few years to stop using Ledger and all other closed-source devices like Tangem.

It seems to me that you are making a bit of a hasty conclusion in this case, claiming a leak or a way to bypass the authenticity check, because there is no "iron" evidence of this (the author provided little information, or it sounds a bit dubious), although I also don't really trust the products of this company at the moment.
Pmalek (OP)
January 16, 2025, 09:54:52 AM
> It seems to me that you are making a bit of a hasty conclusion in this case, claiming a leak or a way to bypass the authenticity check, because there is no "iron" evidence of this (the author provided little information, or it sounds a bit dubious)

Considering how many Ledger hardware wallets are out there and are being used for storing crypto, I think we would see more stories of people who bought fake Ledger devices that somehow passed Ledger's genuine check and could connect to the real Ledger Live and its servers. At the same time, I don't know what else can surprise me where Ledger is concerned. I can't think of one good thing I have seen them do recently from the top of my head. In spite of that, crypto still remains safu, except for when users make mistakes.
Lucius
January 16, 2025, 12:39:34 PM
> And again, we have an unexplained case that began with a user error. In the beginning, the victim claims he did nothing wrong and didn't sign malicious transactions. The reason being that the scammer was idle for about three years and only then emptied the victim's wallet. Or perhaps the hacker only gained access to certain keys on a service three years after the victim allowed that service certain rights. It still puzzles me how this would work when each transaction needs physical confirmation, without the user messing up big time. How can physical confirmation be delayed for three years?

It's a strange case that has been the subject of much speculation, but apparently no one (yet) has offered a meaningful explanation. If a hacker did something 3 years ago, and only recently succeeded in his plan, then he was probably waiting for that user to do something - although it's strange to me that he didn't do it for the whole 3 years. Whatever the case, if you store a significant amount of BTC on Ledger HW, do not play with various tokens and do not connect the device to various wallets.
Meuserna
January 16, 2025, 07:03:26 PM
> It still puzzles me how this would work when each transaction needs physical confirmation, without the user messing up big time. How can physical confirmation be delayed for three years?

Prove it. That's the problem with closed source code. There's no way to prove there aren't any backdoors. Even Ledger admitted this.

"There's no backdoor and I obviously can't prove it"
--btchip, Ledger co-founder

No one should be using hardware wallets with closed source code, but Ledger is really good at marketing and most people don't know better.
Pmalek (OP)
January 17, 2025, 08:23:40 AM
> Prove it.
> That's the problem with closed source code. There's no way to prove there aren't any backdoors.

I understand what you are saying, but you do understand that that argument can be used both ways. Why don't you or someone else prove there is a backdoor, take someone's coins remotely, and show the community how it works and that Ledgers can be penetrated? You can't, in the same way that I can't prove there isn't one, nor am I trying to.
NotATether
Legendary
Offline
Activity: 2240
Merit: 9420
January 17, 2025, 10:59:59 AM
> Regarding LL on the App Store, is it possible that someone (at least briefly) managed to upload a fake version that was downloaded in this specific case? There have been cases of fake LL before, on all platforms where it was available.
>
> We all know that Google's personnel are a joke, and they don't do due diligence when adding new apps to the Play Store. New scam/phishing apps appear there constantly. Apple's people are somewhat more difficult to trick in this regard. Fake apps appear much more seldom, but there have been a few cases on the App Store as well.

It's mainly because when you want to develop an app for Apple platforms, not only do you have to pay an annual 200 dollar fee, but you also have to provide the source code to Apple, and they make sure it passes several checks like doing what it is intended to do, not doing arbitrary execution and stuff like that. But Google is a free-for-all, largely enabled by AI-assisted reviews.
tenant48
January 17, 2025, 02:24:26 PM
Found two other interesting comments under this article on Reddit:

> KiwiCommercial1522 • If it makes you feel any better, I have a legit Ledger FROM the exact website and this exact thing happened to me. My entire account was drained of over 300k in funds overnight. My friend also had 170k stolen from him over the summer, exact same thing. NO ONE had access to these seed phrases, the hard wallets were not connected to the computer, no smart contracts were signed. It is possible your Ledger was compromised from the beginning but this seems to be a widespread issue with Ledger that they are covering up. There is a full class action lawsuit right now against Ledger about security issues but . I PM'd you, feel free to contact me if you'd like.

What could it be? Another real Ledger hacking story, or an attempt by a scammer to foist expensive legal help on a victim that is unlikely to help him?

I also found this message:

> WellPro13 • 4 days ago I'm done with Ledger. 2 days ago, my BTC was stolen. No leaked phrases. No Clicked links. No fake devices. Nobody had access to the wallet in ANY sense. smh...

In general, in our time, when there is a huge number of scammers, it has become difficult to tell the truth from a lie.
Pmalek (OP)
January 18, 2025, 08:12:18 AM
> Found two other interesting comments under this article on Reddit: ...
> What could it be? Another real Ledger hacking story, or an attempt by a scammer to foist expensive legal help on a victim that is unlikely to help him?

If it's a Ledger hacking story, we will find out about it sooner or later. If people start experiencing sudden and unexplainable coin losses, it's going to make the headlines. I have no idea what that user wants. He claims there is a class action lawsuit against Ledger going on, and instead of discussing it publicly and sharing some information, he concludes by saying he will PM the user in private. Scammers usually like to "discuss" things privately. Of course, there are many legitimate reasons why you would want to talk to someone over PM, but we have seen many times how scammers try to take advantage of victims with additional scam attempts and fake recovery services. I would be very careful if I were that user who is about to get a PM.