
Fake Ledger Wallet Exposed With Hidden Chip Stealing Seed Phrases and PINs

A fake Ledger wallet sold on a marketplace has a hidden chip and firmware designed to steal seed phrases and PINs instantly.

A cybersecurity researcher from Brazil exposed a large-scale scam operation after buying a “Ledger” hardware wallet from a Chinese marketplace listing that looked legitimate and was priced the same as the official store. The packaging appeared original from a distance, but the device was counterfeit.

When the researcher connected it to Ledger Live installed from ledger.com, it failed the Genuine Check, confirming it was not a real Ledger device. This failure led the researcher to open the device and examine its internal hardware and firmware.

Cloned Websites and Malicious Apps

Inside the shell, the researcher found a completely different chip, not the kind used in a genuine hardware wallet. The chip markings had been physically scraped off to hide its identity. According to the researcher’s Reddit post, the device also contained a WiFi and Bluetooth antenna, which a real Ledger Nano S+ does not have. By analyzing the chip layout, they identified it as an ESP32-S3 with internal flash memory.

When the device booted, it initially presented itself as a Ledger Nano S+ 7704, complete with serial numbers and a Ledger factory identity, but later revealed its true manufacturer as Espressif Systems.

After dumping the firmware and reverse engineering it, the researcher found that the PIN created on the device was stored in plaintext. The seed phrases of wallets generated on the device were also stored in plaintext. The firmware also contained multiple hardcoded domain references pointing to external command-and-control servers. Together, these findings showed that the device was designed to collect sensitive wallet data and was wired to external infrastructure.
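The kind of first-pass triage a defender runs over a raw flash dump to confirm findings like those above (a plaintext PIN, an unencrypted seed phrase, hardcoded external hostnames, chip-vendor strings that do not belong in a Ledger image). This is an added example, not the researcher's tooling; the BIP39 excerpt, the `ledger.com` allowlist and the sample dump with its placeholder hostnames are constructed assumptions.

```python
import re

# Constructed subset of the BIP39 English wordlist (the full list has 2048 words);
# a real triage run loads the complete list instead of this excerpt.
BIP39_SUBSET = frozenset("abandon ability able about above absent absorb abstract "
                         "absurd abuse access accident account accuse achieve".split())
# Hostnames a genuine device's firmware may legitimately reference (assumption).
ALLOWED_DOMAINS = ("ledger.com",)
# Chip-vendor strings that a Ledger Nano image would not carry but an ESP32 image does.
VENDOR_MARKERS = ("espressif", "esp32")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
PIN_RE = re.compile(r"\bpin\s*[=:]\s*([0-9]{4,8})\b", re.IGNORECASE)

def ascii_strings(blob: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs from a raw flash dump, like the `strings` tool."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]

def seed_phrase_runs(text: str, min_words: int = 12) -> list:
    """Runs of >= min_words consecutive wordlist words: a seed phrase stored unencrypted."""
    hits, run = [], []
    for token in re.split(r"[^a-z]+", text.lower()) + [""]:  # "" sentinel flushes the last run
        if token in BIP39_SUBSET:
            run.append(token)
            continue
        if len(run) >= min_words:
            hits.append(" ".join(run))
        run = []
    return hits

def triage_firmware(blob: bytes) -> dict:
    """Collect plaintext-secret, C2 and vendor indicators; every hit still needs manual review."""
    out = {"seed_phrases": [], "plaintext_pins": [], "suspect_domains": [], "vendor_markers": []}
    for s in ascii_strings(blob):
        low = s.lower()
        out["seed_phrases"] += seed_phrase_runs(s)
        out["plaintext_pins"] += PIN_RE.findall(s)
        out["suspect_domains"] += [d for d in DOMAIN_RE.findall(low)
                                   if not any(d == a or d.endswith("." + a) for a in ALLOWED_DOMAINS)]
        out["vendor_markers"] += [v for v in VENDOR_MARKERS if v in low]
    return out

# Constructed sample dump; the hostnames are placeholders, not indicators from the case.
SAMPLE_DUMP = (
    b"\x00\xff\x10ESP32-S3 ROM\x00\x00pin=4821\x00"
    b"abandon ability able about above absent absorb abstract absurd abuse access accident\x00"
    b"https://api.ledger.com/\x00https://ledger-genuine-check.example/collect\x00\x7f"
)
```

Domain hits will include benign file names such as `config.json`, so the suspect list is a starting point for review, not a verdict.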

The researcher also examined how the attack might work in practice. Although the hardware contained a WiFi and Bluetooth antenna, the firmware showed no evidence of wireless data transmission or of connecting to WiFi access points. It also did not contain BadUSB scripts for keystroke injection or terminal commands. Instead, the attack appeared to rely on user interaction outside the device itself.

According to the researcher, the scam begins when a user scans a QR code included in the packaging. This QR code leads to a cloned website that looks like ledger.com. From there, users are prompted to download a fake “Ledger Live” application for Android, iOS, Windows, or Mac. The fake app shows a counterfeit Genuine Check screen that always passes. Users then create wallets and write down seed phrases, believing the setup is safe. Meanwhile, the fake app exfiltrates the seed phrases to attacker-controlled servers.

The researcher decompiled the Android APK version of the fake Ledger Live app and found additional malicious behavior. The app was built with React Native and the Hermes engine. It was signed with an Android debug certificate instead of a proper signing key. It intercepted APDU commands between the app and device, made stealth requests to external servers, and continued running in the background for several minutes after being closed.

It also requested location permissions and monitored wallet balances using public keys, which allowed attackers to track deposits and amounts.

Not A Flaw in Ledger Security

The researcher stated that this is not a zero-day vulnerability and not a flaw in Ledger’s security design. Ledger’s Genuine Check and Secure Element were confirmed to work correctly. Instead, the researcher describes it as a phishing operation combining counterfeit hardware, malicious apps, and external infrastructure. The full operation includes hardware devices built on ESP32-S3 chips, trojanized apps for Android and other platforms, and command-and-control servers used for data exfiltration.

The researcher also added that fake Ledger devices have been reported before, but this case is different because it maps the full system, including hardware, apps, infrastructure, and distribution through a shell company linked to marketplace listings. The researcher has submitted a report to Ledger’s Customer Success team and is preparing a full technical breakdown with further analysis of Windows, macOS, and iOS versions of the malware.

A few years back, another Reddit user reported receiving a Ledger Nano X in an authentic-looking package, but a letter inside raised concerns due to spelling and grammar errors. The letter claimed it was a replacement after a data breach.

A security expert later found the device had a flash drive wired to the USB connector, which was intended for malware delivery and potential theft.
