Nasty Ledger wallet scams. And how to avoid them.
Ledger wallets flew off the shelves after the hack on Binance. Given the influx of new Ledger wallet users, it would be a good time to share Ledger wallet scams that have happened in the past. Hopefully, by shedding light on them, fewer users would fall for them.
Ledger is one of the most, if not the most, popular hardware wallet providers on the planet. We use Ledger ourselves and love the product. Unfortunately, scammers share the same sentiment and are drawn to it. As a result, there have been many Ledger wallet scams or scams targeting Ledger users. As Ledger wallets are highly secure, scammers have turned their attention to the weakest link in any security model.
The end user.
YOU.
Below we discuss some Ledger wallet scams that have occurred.
Scam 1: Pre-generated recovery seed
This is how it happens:
- The scammer purchases a Ledger wallet (a Ledger Nano S in this instance).
- The scammer then inserts a pre-populated recovery seed inside the packaging. An example of this is shown above.
- They then repackage it for sale to an unsuspecting customer.
- The customer buys the wallet and sets it up with the recovery seed provided.
- Funds the user transfers to their Ledger Nano S get stolen. This is possible since the scammer has access to the recovery seed used to set up the wallet.
Precautions to avoid this Ledger wallet scam:
- Only buy your Ledger wallet from the source. This means purchasing it from Ledger’s website. What about purchasing them from authorized retailers listed on Ledger’s website? Personally, we would not and would do so only if Ledger does not ship to our location. Also, do not buy them from Amazon as there is the risk of inventory commingling. A benefit of purchasing from the source (i.e. Ledger) is that you are assured of the authenticity of your device. If you have doubts about your device’s authenticity, Ledger provides guidance on how to perform the necessary checks.
- Avoid buying a second-hand Ledger wallet. You may save some money. But you will always have the lingering doubt at the back of your mind that your device may have been tampered with.
- Some sellers also offer Ledger wallets preloaded with Bitcoin. Sellers of these wallets know the recovery phrase to access your funds. Thus, purchasing such wallets is a horrific idea.
- Understand that your Ledger wallet “does not include any pre-existing seed words or pin code”. You should always be generating the seed words and pin codes on your own. Your recovery sheet should thus be blank.
- If you receive one that already has a pre-existing seed word or pin code, you should reset the device. And if you are paranoid, you may consider verifying its hardware integrity.
Scam 2: Fake Ledger software
Fake software like the one above tricks users into entering their seed phrase. Once scammers get hold of the seed phrase, they can then proceed to empty the user’s wallet.
Precautions to avoid this Ledger wallet scam:
- Never key your seed into any device other than your hardware wallet. Hardware wallets provide separation between your recovery phrase / private keys and your devices like mobile phones or computers. This separation is crucial as mobile phones or computers have many vulnerabilities. Hardware wallets have much smaller attack surfaces. Thus, storing your recovery phrase on them increases security substantially. If you enter your recovery phrase into your phone or computer, your hardware wallet effectively turns into a desktop or mobile wallet. Both these options are much less secure.
- Only get your downloads FROM the official website. Bookmark the correct URL and access it from there so you don’t end up mistyping and landing on a phishing site.
- Install a good antivirus or antimalware solution to help detect malicious software.
Scam 3: Fake customer support
Scammers also offer fake customer support targeting Ledger users. They lure users into revealing confidential information such as their recovery seed. Once obtained, scammers can use it to steal the user’s funds.
There are many other twists to such scams. In one instance, scammers impersonated Ledger and held an Ethereum giveaway.
Scammers have also become more proactive. Instead of waiting for users to contact them, they have gone out to contact users.
Another variation involves scammers convincing users to provide remote access to their devices. This can be done through software like TeamViewer. Scammers would claim they need access to “diagnose the issue”. Such “help” inevitably involves the draining of funds from the user’s wallet. What’s more, reports have shown that scammers aren’t just after cryptocurrencies alone. They want to fleece you of as much as possible and are known to steal Google Play Store gift cards too.
Precautions to avoid this Ledger wallet scam:
- Only contact Ledger through official channels. According to Ledger, they are reachable through their online contact form, live chat on Ledger.com or via Twitter (@Ledger). They DO NOT offer phone support. Users can also get help from their official Reddit page.
- Here are several things to note when contacting support on these channels:
  - Even on official channels, ensure you are getting help from REAL support staff. On Reddit, you can identify Ledger team members from their flairs. An example of what a flair looks like is shown in the image below. See how user btchip has the flair of Ledger CTO next to his username?
  - Another way to identify legitimate support staff is to look at the moderators section. This can be found on the right-hand panel on Reddit.
  - On Twitter, Ledger has a blue tick next to their username (which indicates a verified account) and uses the @Ledger handle.
- Never reveal your recovery seed to ANY support team, legitimate or not. This is like handing over the keys to your car and trusting them not to drive away with it. They should not be asking for it. Remember if support does ask for it …
Scam 4: Fake Ledger wallet app
Once users download such fake apps, scammers can use them to get hold of user data. For example, they could trick users into providing their recovery seed. Notice how the download above was offered by dinsidorova67? This should have raised alarm bells.
Side note: Ledger Live has replaced Ledger Manager. Thus, you should not be downloading Ledger Manager.
And while this fake app was not found to be malicious, the developer could have easily updated it to make it so. As Ledger apps are now available on smartphones, we can expect to see more such fake apps appearing.
Precautions to avoid this Ledger wallet scam:
- Only get your download links from the official website. For example, to get the download links to Ledger mobile apps, users can access it via the links on Ledger’s website.
- Before downloading any app, users can perform the following checks:
  - Read the reviews and ratings. If people are frequently complaining about getting scammed, you immediately know it is a scam.
  - Check the app developer information. In the screenshot below (of the official Ledger app), we see that the app was published by Ledger. Also, by checking the Developer section, we can see that the information points back to the official Ledger website.
    However, do note that a scam app can also show legitimate app developer information. Thus, this method is not foolproof. For example, a fake Trezor wallet app had included a link back to the real website. It also included an email with the official Trezor domain, Trezor.io.
  - Check the number of downloads. Hugely popular cryptocurrency wallets like Ledger would have a large number of downloads. Thus, a Ledger app with a small number of downloads is an instant red flag.
- Report fake apps when you see them. This would reduce their effectiveness and the number of victims falling for them.
Other scams
Here are some scams that have targeted other wallet users in the cryptocurrency ecosystem. Since they could likewise happen to Ledger wallet users, we mention them too.
Scam websites or advertisements
Here are some examples of scam websites used to trick users into revealing sensitive information.
1) Phishing websites
This scam website tried to lure users to enter their recovery phrase. A captcha was included to give the illusion of authenticity. Also, note the URL. It is not the official Trezor website.
2) Unicode domain phishing
Scammers use non-English characters that look like their English counterparts in the URL. For example, this scam website looks similar to the official Binance website. But on closer inspection, you can see that is not the case.
3) Fake advertising
A .la domain name claiming to be the real deal. What could go wrong?
4) DNS poisoning / BGP hijacking
In such scams, hackers are able to redirect users away from the genuine website even if the correct address was entered into the web browser. Trezor users have fallen prey to this scam.
In the image above, the address bar shows the correct address, i.e. wallet.trezor.io. But an inspection of the site revealed several critical errors.
One, the website’s certificate was not trusted as shown by the “Not secure” words in the address bar.
Also, the site had requested users to enter their recovery phrase.
5) Cybersquatting
This involves a scammer fooling users by using a domain which looks like the real website. In the image below, the scammer was asking the user to access the BIP 39 tool.
While the text told the user to go to “http://www.iancoleman.io/bip39” the actual link led to “http://www.iancolemann.io/bip39/”. Note the double N in the second link.
Precautions to avoid falling for the above scams:
- Never enter your recovery phrase into a device other than your Ledger wallet.
- Bookmark official sites and access sites through them. This beats Googling them each time, or typing them out, where a typo may land you on a scam website.
- Access the HTTPS version of the site.
- Always check for the Secure sign in your browser’s address bar.
- To quench your thirst for vengeance, report all instances of such fake sites. You can report them via Google (phishing sites or malware sites). In addition, you can report them to their domain registrar. To find which domain registrar a site is using, go to Whois. For illustration, we use Google. After entering Google into Whois, we can see that MarkMonitor is their registrar. We also see that any abuse can be reported to abusecomplaints@markmonitor.com.
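The lookalike-domain problems from items 2 and 5 above can also be checked mechanically. The Python sketch below is an added example, not code from the original article: it flags homoglyph hosts, near-miss spellings and links whose visible text names a different host than their target. The allowlist, the small lookalike table and all function names are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumption: allowlist built from the official sites this article names.
OFFICIAL = {"ledger.com", "trezor.io", "binance.com", "iancoleman.io"}
# Tiny illustrative subset of Cyrillic lookalikes, not the full Unicode confusables data.
LOOKALIKES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0456", "aeopcxi")

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def displayed_host(url):
    """Hostname as a browser could render it: punycode (xn--) labels decoded."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:          # already Unicode, or not valid IDNA
        return host

def skeleton(host):
    """Fold accents and the known lookalikes down to plain ASCII letters."""
    folded = unicodedata.normalize("NFKD", host.translate(LOOKALIKES))
    return "".join(c for c in folded if not unicodedata.combining(c))

def classify(url):
    host = displayed_host(url)
    # Naive registrable domain (last two labels); real code needs the Public Suffix List.
    domain = ".".join(skeleton(host).split(".")[-2:])
    if not host.isascii():
        return "homoglyph" if domain in OFFICIAL else "non-ascii"
    if domain in OFFICIAL:
        return "official"
    if any(edit_distance(domain, good) <= 2 for good in OFFICIAL):
        return "typosquat"
    return "unknown"

def link_mismatch(text, href):
    """True when the visible link text is a URL naming a different host than href."""
    shown = displayed_host(text)
    return bool(shown) and shown != displayed_host(href)
```

A host reached through poisoned DNS or a hijacked route still classifies as "official" here, because the name itself is correct; only the certificate warning described in item 4 exposes that case.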
Fake wallets
To our knowledge, there hasn’t been a fake Ledger hardware wallet. But for Trezor, there have been imitation products. Here are some examples.
Another example of a fake Trezor wallet.
Precautions to avoid falling for this scam:
- As we have explained above, only buy your Ledger wallet from the source.
- If you think your device is fake, consider performing a check on the authenticity of the device.
Clipper apps
These programs do not specifically target Ledger wallets or other hardware wallets. They detect Bitcoin/cryptocurrency addresses and replace them with the scammers’ address. Thus, funds get sent to the scammer instead of the intended recipient. Below is an example of how such apps work.
Precautions to avoid falling for this scam:
- Always verify the address in full on your hardware wallet. There are two key points here: (1) Verify the address IN FULL. Don’t just verify a part of the address. Clipper apps can produce similar-looking addresses to that of the intended recipient. Scammers can do this as they have previously generated multiple addresses and hold the private keys to them. (2) Do your verification on your hardware wallet, not on your desktop. The reason is that your desktop could be infected by malware.
Conclusion
Security is a never-ending game of cat and mouse. Don’t let your guard down and stay safe. We hope this article has raised your awareness about Ledger wallet scams lurking out there. Crypto is the Wild West of the digital world. The best we can do is learn about cryptocurrency wallet security and always be skeptical.
We strongly recommend you see our article covering fake Trezor wallets and other scams targeting Trezor users. Scams suffered by Trezor users could equally affect Ledger wallet users too. Also, for more information on cryptocurrency wallet security, we have an article on it.
Note: Scams targeting Ledger (or other wallets) users appear all the time so it is impossible to keep track of them all. If we missed a Ledger wallet scam, leave us a comment below and we will update the article.
I think my account ledger live app was scammed. It shows several of my coins sent to an address on 8/29/20 at 4:30am. Is there any way of recovering my coins from that address?
Hey Wayne,
Apologies for the late reply. Have you considered this: https://www.coinfirm.com/products/reclaim-crypto/
We personally have not tried it but you may wish to have a look.
You may also use a block explorer to track where your funds are going to. If the scammers somehow send it to an exchange, you can hopefully get the police to intervene to freeze funds on the exchange. We have tried suggesting users do this in the past though they all gave up halfway and never reported back to us whether this worked.
Sorry for the loss and good luck.
You advise buying directly from Ledger. I tried to do this, and Ledger claimed to have charged me Canadian HST. Yet their courier DHL also demanded I pay HST (which I refused, resulting in a return). I attempted to learn Ledger’s Canadian GST/Business number, which they would publicize if they were legally collecting HST, but I came up empty.
Why would I trust a Ledger product with my money — at all — when, at best interpretation, they are so inexperienced that they don’t know how to collect HST in a way that prevents double-taxation? 13% tax turned into 27.7% tax. C$140.70 item should have cost C$159, and ultimately cost C$179.66 (NOT including import fees).
When you ask to store people’s money, you have got to be trustworthy 100% of the time. I just don’t see it.
Hi Randy, we can’t speak for Ledger on why this happened. But the point we were trying to make is that you may save on the HST by buying from other sources but you will always have the lingering doubt at the back of your mind whether it has been tampered with. We personally can’t deal with that risk and hence buy direct from Ledger (even if it takes longer to deliver and costs more).