Rob Behnke
June 18th, 2021
In December 2020, the personal data of 272,853 Ledger customers was publicly leaked on the RaidForms hacking forum. Six months later, cybercriminals have begun taking advantage of this leak in a phishing scam.
Ledger manufactures hardware wallets, which are designed to allow users to securely store the private keys associated with their blockchain accounts and to perform transactions within them. In this scam, the cybercriminals are mailing out boxes containing Ledger devices along with a letter purporting to be from Ledger’s CEO that claims that the devices are being sent out as a replacement for existing devices due to the hack.
The Ledger device sent out looks legitimate and the box appears to be legitimate and is shrink-wrapped. While the enclosed letter has some grammatical errors, it discusses a real data breach, which adds even more legitimacy to the scam.
However, opening up the enclosed Ledger hardware wallet reveals that the cybercriminals have made some modifications to it. The hardware wallet now has the internals of a micro flash drive connected to it. If the recipient of the device plugs it in and runs the associated application as they are instructed to, software comes up requesting their seed phrase to import their private keys into the Ledger device. This recovery phrase is sent by the malware on the embedded USB to the cybercriminals behind the scam.
A recovery phrase is designed to make it easy to remember the secret key associated with a blockchain account. With access to the full recovery phrase, it is possible to reconstruct the associated secret key.
With this key, the cybercriminals behind the Ledger phishing scam gain control over the accounts of users who enter their seed phrases. This allows the attackers to perform transactions on the users’ behalf that transfer any value stored in the account to an attacker-controlled account. Since the blockchain’s digital ledger is immutable, these transactions are irreversible.
In the Ledger wallet phishing scam, the main giveaway was the fact that the enclosed letter had poor grammar. A better scam may have been difficult or impossible to detect.
It is always best to be cautious regarding your blockchain account’s private keys. Click here to learn more about how to protect your private keys.