Fake Ledger Wallet Revealed With Hidden Chip That Steals Seed Phrases and PINs

A counterfeit Ledger wallet sold through an online marketplace has been uncovered with a concealed chip and modified firmware designed to capture seed phrases and PIN codes instantly.

A cybersecurity researcher in Brazil exposed the operation after purchasing what appeared to be a genuine Ledger hardware wallet from a Chinese marketplace listing that closely resembled the official store and matched its pricing. Although the packaging looked authentic at first glance, the device itself turned out to be fake.

When connected to Ledger Live downloaded from the official website, the wallet failed the Genuine Check, confirming it was not legitimate. This prompted the researcher to open the device and investigate its internal components and firmware.

Cloned Websites and Malicious Apps Drive the Attack

Inside the device, the researcher discovered a completely different chip than what is used in authentic wallets. The chip markings had been deliberately removed to conceal its identity. The hardware also included Wi-Fi and Bluetooth antennas, which are not present in a genuine Ledger Nano S Plus. Further analysis revealed the chip to be an ESP32-S3 with built-in flash memory, produced by Espressif Systems.

During startup, the device initially presented itself as a Ledger Nano S Plus with serial numbers and factory credentials, but later exposed its true origin. After extracting and analyzing the firmware, the researcher found that PIN codes and seed phrases were stored in plain text. The firmware also contained hardcoded links to external command servers, indicating that it was built to harvest sensitive wallet data and transmit it elsewhere.
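As an added illustration, not the researcher's own tooling, the following Python triage script scans an extracted firmware image for the kinds of artifacts described above: hardcoded URLs (candidate command servers), runs of BIP-39 words (a seed phrase stored in plain text), and PIN-like labels next to short digit strings. The sample image, the BIP-39 subset, and the URL are constructed placeholders.

```python
import re

# Constructed subset of the BIP-39 wordlist for this demo only; the real
# list has 2048 words and should be loaded from the BIP-39 reference file.
BIP39_SUBSET = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "zoo", "zone",
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
PIN_RE = re.compile(r"(?i)\bpin\b\W{0,3}\d{4,8}")

def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Like the `strings` tool: runs of printable ASCII of at least min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

def find_urls(strings: list) -> list:
    """Hardcoded URLs in firmware are candidate command-and-control endpoints."""
    return [u for s in strings for u in URL_RE.findall(s)]

def find_mnemonic_runs(strings: list, wordlist=BIP39_SUBSET) -> list:
    """Runs of 12/18/24 words that are all BIP-39 words look like stored seeds."""
    hits = []
    for s in strings:
        words = s.lower().split()
        if len(words) in (12, 18, 24) and all(w in wordlist for w in words):
            hits.append(s)
    return hits

def find_pin_candidates(strings: list) -> list:
    """Labels such as 'PIN:1234' followed by a 4-8 digit string."""
    return [m.group() for s in strings for m in PIN_RE.finditer(s)]

def triage(blob: bytes) -> dict:
    """Run all three heuristics over one firmware image."""
    strings = extract_strings(blob)
    return {"urls": find_urls(strings),
            "mnemonics": find_mnemonic_runs(strings),
            "pins": find_pin_candidates(strings)}

# Constructed sample "firmware" image; the URL is a placeholder, not a real IoC.
SAMPLE_FIRMWARE = (
    b"\x00\x01\x02Ledger Nano S Plus\x00\xff\xff"
    b"https://c2.example.invalid/upload\x00"
    b"abandon ability able about above absent absorb abstract absurd abuse access accident\x00"
    b"PIN:4521\x00\xde\xad"
)
```

Running `triage(SAMPLE_FIRMWARE)` reports the placeholder URL, the 12-word run, and the PIN label; on a real dump, hits are leads for manual review, not proof on their own.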

Despite the presence of wireless hardware, there was no clear evidence that the device transmitted data through Wi-Fi or Bluetooth. There were also no signs of USB-based attack scripts. Instead, the scheme relied heavily on manipulating user behavior outside the device.

The attack begins when users scan a QR code included in the packaging. This directs them to a fake website designed to mimic the official Ledger site. From there, victims are encouraged to download a counterfeit version of Ledger Live for mobile or desktop platforms. The fraudulent app displays a fake Genuine Check that always succeeds, giving users a false sense of security.

Users then proceed to create wallets and record their seed phrases, unaware that the app is secretly sending this information to attacker-controlled servers.

Further analysis of the Android version of the fake app revealed additional threats. Built using React Native and the Hermes engine, the application was signed with a debug certificate rather than a legitimate key. It intercepted communication between the wallet and the app, quietly contacted external servers, and continued running in the background even after being closed.

The app also requested access to location data and tracked wallet balances using public keys, allowing attackers to monitor incoming funds and transaction amounts.

Not a Security Failure of Ledger Itself

The researcher clarified that this incident does not represent a vulnerability in Ledger’s technology. Security features such as the Genuine Check and Secure Element functioned as intended. Instead, the situation is a sophisticated phishing campaign that combines fake hardware, malicious software, and external infrastructure.

The operation involves counterfeit devices equipped with ESP32-S3 chips, infected applications across multiple platforms, and remote servers used to collect stolen data.

While fake Ledger devices have been reported in the past, this case stands out because it reveals the entire system behind the scam, including hardware design, software manipulation, distribution channels, and links to shell companies behind marketplace listings. The findings have been reported to Ledger’s support team, and further technical analysis covering other operating systems is underway.

A similar incident occurred several years ago when another user reported receiving a Ledger Nano X in packaging that appeared genuine. However, a letter inside raised suspicion due to noticeable language errors and claimed the device was a replacement following a data breach. A later investigation showed the device had been modified with a flash drive connected to the USB interface, intended to deliver malware and potentially steal funds.