Fake Ledger physicial upgrade scam

[Lucius]

Sometimes back in 2024, Ledger experienced a data breach. It was reported that about 270,000 users data was stolen, including their phone numbers, email and physical mail addresses, and now scammers are using that information to start another war of physical scams through their mailboxes.
~snip~

Why speculate when it is publicly available information that the database leak in question happened back in 2020?

As you know, Ledger was targeted by a cyberattack that led to a data breach in July 2020. Yesterday, we were informed about the dump of the content of a Ledger customer database on Raidforum. We believe this to be the contents of our e-commerce database from June 2020.

At the time of the incident, in July, we engaged an external security organisation to conduct a forensic review of the logs available. This review of the logs enabled us to confirm that approximately 1 million email addresses had been stolen as well as 9,532 more detailed personal information (postal addresses, name, surname and phone number) that we were able to specifically identify.

The database publicly released yesterday shows that a larger subset of detailed information has been leaked, approximately 272,000 detailed information such as postal address, last name, first name and telephone number of our customers.

It seems to me that scammers have sent letters to home addresses before, called people on their phones and sent them SMS - but this is something that has been happening for 5 years. Such things should be reported to the police and let them try to find out where the letter was sent from - although it all depends on where you live, in some countries you may have more problems than benefits from the police.

[_act_]

It seems to me that scammers have sent letters to home addresses before, called people on their phones and sent them SMS - but this is something that has been happening for 5 years. Such things should be reported to the police and let them try to find out where the letter was sent from - although it all depends on where you live, in some countries you may have more problems than benefits from the police.

When the address leak happened that time like 2 or 3 years ago, nothing physical that happened. You are referring to the threatening messages and calls that they are sending to Ledger customers that time. According to the news that I read it that time, they were even speaking another languages. This is the first time this one is happening now. Maybe the data was sold to bad people in some countries which is very dangerous. This taught me a lesson to avoid hardware wallet generally. I will prefer airgapped device and use a software wallet on it.

[Cricktor]

The letter looks clean, has the logo, and even a QR code asking you to "verify" your seed phrase or risk losing access.

Well, the URL of the QR code looks nothing like remotely connected to Ledger's addresses: https://qrco(.)de/LedgerCompliance
(do NOT visit this page, do NOT ever enter your seed recovery words on an online foreign website).

But here's the thing. No legit wallet company will ever ask for your seed phrase. Not online, not by mail, not in any way. If someone’s asking for it, it’s 100% a scam.

Yes, indeed. Crypto wallet users should know this from the very start when they first create their crypto wallet, regardless if it's a software or hardware wallet.

Code:

Registrar Status 	connect
Dates 			Updated on 2024-11-15 	
  
Name Servers 		NS-1422.AWSDNS-49.ORG (has 55,586 domains)
			NS-1888.AWSDNS-44.CO.UK (has 329 domains)
			NS-341.AWSDNS-42.COM (has 1,932 domains)
			NS-678.AWSDNS-20.NET (has 30 domains)
	
  
IP Address 		99.84.66.36 - 3,608 other sites hosted on this server
	
  
IP Location 		United States - Oregon - Portland - Amazon.com Inc.
ASN 			United States AS16509 AMAZON-02, US (registered May 04, 2000)
IP History 		8 changes on 8 unique IP addresses over 2 years 	
  
Hosting History 	3 changes on 4 unique name servers over 7 years 	
  
Whois Record ( last updated on 2025-05-01 )
Domain: qrco.de
Nserver: ns-1422.awsdns-49.org
Nserver: ns-1888.awsdns-44.co.uk
Nserver: ns-341.awsdns-42.com
Nserver: ns-678.awsdns-20.net
Status: connect
Changed: 2024-11-15T11:51:06+01:00

Hm, the scammers use Amazon cloud, interesting. Likely with stolen accounts OR they're more stupid than is healthy.

[m2017]

What do they do? They sent mail to Ledger customers from the leaked information to their mailboxes for them to update/upgrade their seed phrase, and failure to do so, their services will be terminated and they won't be able to access their wallet.

This is a standard way to scare the victim, make them nervous and stop thinking critically. The fear of losing their assets or access to them is the strongest among investors (thrifty people).

One X user reported yesterday that he received a mail from a fake Ledger company to update his seed phrase with the Ledger logo as letter head and a well-composed, organised mail. The details include a QR code that asked the user to scan and update his seed phrase; otherwise, he wouldn't be able to access his wallet and funds.

From the outside, this method of deception looks so naive and stupid, but it certainly turned out to be effective. Unfortunately, many buyers of hardware wallets are not properly informed about the rules for storing the seed phrase (don't disclose or show the seed phrase to anyone. including, never enter this seed phrase anywhere.).

Stay safe, as no company that offers hardware wallet safe services will send you such mail to your house;

But only if it is not the same manufacturer that is known for its incompetence.

There are so several data leaks of users information from the Ledger company that I don't doubt their incompetency.

I would say, in disregard and negligence for the safety of their users' data.

As you can see, ledger figures in this story. Ledger screwed up again.

[Lucius]

When the address leak happened that time like 2 or 3 years ago, nothing physical that happened.
~snip~

I don't know what's wrong with you people speculating about when the data leak happened, when I posted the official link that it happened in 2020. Also, I'm sure I read somewhere a few years ago that people were getting letters related to this data leak.

This taught me a lesson to avoid hardware wallet generally. I will prefer airgapped device and use a software wallet on it.

If you have the knowledge and ability to create a cold wallet without anyone knowing, that is definitely the best possible choice. However, if you are buying a hardware wallet, you should take into account that it can be done without endangering your private data - whether it is about buying such a device in a physical store (paying in cash), or ordering in a PO box. Whoever bought Ledger in one of those two ways has never had a problem with data leakage.

[illanz]

omg how they doing this?

police can track sender?

is that so hard?

[_act_]

Also, I'm sure I read somewhere a few years ago that people were getting letters related to this data leak.

I did not see anything like letter sent to Ledger users after the hack on this forum, on news and on X. Where did you see the information? It would be good if you post the link here. As far as I know, this is the first time this is happening. After the hack, I only read about threatening calls and messages and not letters. And just like I posted before, the calls and messages are mostly in the language not spoken by the victim, unlike what is happening this time.

I did not know it has been up to five years. Time goes fast and waits for no one.

[Cricktor]

~~~

You aren't that naive, are you? I'm 100% sure that the physical letter's envelope didn't have any sender's address on them. The letter itself likely has Ledger's HQ Paris address (I didn't check) on them. The scammer very likely didn't disclose their own location unless they are insanely stupid (can't exclude stupidity entirely).

It would be a red flag for me already if an official company doesn't put their own postal address as sender on the envelope or visible through the envelope's transparent address window, even when it is faked.

This taught me a lesson to avoid hardware wallet generally. I will prefer airgapped device and use a software wallet on it.

I find this conclusion a bit over-the-top, I mean to avoid hardware wallets. The problem is not the hardware wallet itself, it's the data trail a buyer produces when they purchase such stuff online AND companies like Ledger who can't secure your customer data because they screw up or don't care or are just a bunch of incompetent people regarding customer data.

Ledger could produce the coolest hardware wallet the world has seen (they won't), with their history records, I would never ever buy anything from Ledger. I've limited power as a buyer, but I let my wallet speak and deny Ledger to receive any money from me.


You can build a hardware wallet from parts that don't scream "crypto hardware wallet", e.g. Krux or Seedsigner or similar DIY projects.

Air-gapped cold wallets are secure as long as you execute them properly, but they are less convenient than a hardware wallet (some of which you can buy offline, but only at very limited places which might not be accessible for many users).


P.S. (some time later)
I'm a bit surprised the scammers spent money to send out physical letters because that's is more expensive than sending phishing emails. I guess fooling at least one wallet owner should pay off, though.

[Lucius]

I did not see anything like letter sent to Ledger users after the hack on this forum, on news and on X. Where did you see the information? It would be good if you post the link here. As far as I know, this is the first time this is happening. After the hack, I only read about threatening calls and messages and not letters. And just like I posted before, the calls and messages are mostly in the language not spoken by the victim, unlike what is happening this time.

Since it's been a long time, I really can't remember which topic it was in.
However, it is possible that it was not a scam that targeted only Ledger users, but that someone used the same database to send letters regarding crypto scams to users' physical addresses.

I did not know it has been up to five years. Time goes fast and waits for no one.

The first post on this page (right above yours) contains accurate information, I don't know how something like that could be overlooked. It seems to me that less time has passed, but it's obvious that 5 years fly by in an instant. Yet, even after all this time, it appears that this data leak is something that will have far-reaching consequences.

[Oshio-man]

What you think is impossible in this world, you will discover that is happening  already some where else in the world, thanks for sharing this scam incident that happened last year, I think people will ignore any suspect  mail messages  that will come in for the purchase of their wallets.