20 Chains, 100K Lost: Ledger Scam Exposed!

In a remote corner of Brazil, a security researcher, with a weary sigh, unveils a tale of deception: a counterfeit Ledger Nano S+ that, with the precision of a well-rehearsed play, siphons funds from 20 blockchains.

A Brazil-based security researcher has exposed one of the most sophisticated counterfeit Ledger Nano S+ operations ever documented. The fake device, sourced from a Chinese marketplace, carried custom malicious firmware and a cloned app. The attacker immediately stole every seed phrase that users entered. One might say the device was as trustworthy as a fox in a henhouse.

The researcher bought the device on suspicion of price irregularities. Upon opening it, the counterfeit nature was obvious. Instead of discarding it, a full teardown followed. A man of science, indeed, but also a man of curiosity, though one wonders if he ever considered the possibility of a prank.

What Was Hidden Inside the Chip

The genuine Ledger Nano S+ uses an ST33 Secure Element chip. This device had an ESP32-S3 instead. The chip markings were physically sanded down to block identification. The firmware identified itself as “Ledger Nano S+ V2.1” – a version that does not exist. A masterpiece of deceit, if one were inclined to admire such things.

Investigators found seeds and PINs stored in plain text after conducting a memory dump. The firmware beaconed to a command-and-control server at kkkhhhnnn[.]com. Any seed phrase entered into this hardware was exfiltrated instantly. One might call it a digital thief with a penchant for speed.

The device supports roughly 20 blockchains for wallet draining. That is not a minor operation. A feat of engineering, if one ignores the moral implications.

Five Attack Vectors, Not One

The seller bundled a modified “Ledger Live” app with the device. The developers built the app with React Native using Hermes v96 and signed it with an Android Debug certificate. The attackers did not bother obtaining a legitimate signature. A bold move, though one might question their confidence in the law.

The app hooks into XState to intercept APDU commands. It exfiltrates the intercepted data over background XHR requests that the user never sees. Investigators identified two additional command-and-control servers: s6s7smdxyzbsd7d7nsrx[.]icu and ysknfr[.]cn. A network of shadows, if ever there was one.

This is not limited to Android. The same operation distributes a .EXE for Windows and a .DMG for macOS, resembling campaigns tracked by Moonlock under AMOS/JandiInstaller. An iOS TestFlight version also circulates, bypassing App Store review entirely – a tactic tied previously to CryptoRom scams. Five vectors total: hardware, Android, Windows, macOS, iOS. A symphony of chaos, orchestrated by a mastermind with a sense of humor.
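The three command-and-control domains named in this write-up (kkkhhhnnn[.]com above, plus the two in the app) are the kind of indicator a defender can sweep DNS logs for. The following is an added example, not code from the researcher's report: it refangs the published domains and flags any query for them or their subdomains. The log lines are constructed in the dnsmasq query format; the domains are exactly those given in the text.

```python
"""
Added example (not from the researcher's report): match the three
command-and-control domains published in this write-up against DNS
query logs. Log lines below are constructed samples.
"""
import re

# Indicators exactly as published, defanged with "[.]".
DEFANGED_C2 = [
    "kkkhhhnnn[.]com",
    "s6s7smdxyzbsd7d7nsrx[.]icu",
    "ysknfr[.]cn",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


def is_c2_host(qname: str) -> bool:
    """True if qname is a C2 domain or any subdomain of one.

    The "." boundary check stops "evilkkkhhhnnn.com" from matching."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


# Constructed sample lines in dnsmasq's "query[TYPE] name from ip" form.
SAMPLE_LOG = """\
Apr 18 02:59:01 gw dnsmasq[812]: query[A] api.ledger.com from 10.0.0.23
Apr 18 02:59:02 gw dnsmasq[812]: query[A] kkkhhhnnn.com from 10.0.0.23
Apr 18 02:59:05 gw dnsmasq[812]: query[A] update.s6s7smdxyzbsd7d7nsrx.icu from 10.0.0.41
Apr 18 02:59:07 gw dnsmasq[812]: query[AAAA] www.example.org from 10.0.0.23
Apr 18 02:59:09 gw dnsmasq[812]: query[A] YSKNFR.CN. from 10.0.0.23
"""

LINE_RE = re.compile(r"query\[\w+\]\s+(?P<qname>\S+)\s+from\s+(?P<src>\S+)")


def find_c2_queries(log_text: str):
    """Return (source_ip, queried_name) pairs that hit an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and is_c2_host(m["qname"]):
            hits.append((m["src"], m["qname"]))
    return hits


if __name__ == "__main__":
    for src, name in find_c2_queries(SAMPLE_LOG):
        print(f"ALERT {src} resolved {name}")
```

Case and a trailing dot are normalised before matching because resolvers log both forms; a hit on a subdomain (the constructed `update.` name) is reported too, since beacon hostnames are often rotated under a fixed registered domain.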

The Genuine Check Cannot Save You Here

Ledger’s official guidance confirms that genuine devices carry a secret cryptographic key set during manufacturing. The Ledger Genuine Check in Ledger Wallet verifies this key each time a device connects. According to Ledger’s support documentation, only a genuine device can pass that check. A safeguard, if only the manufacturers were not complicit.

The problem is straightforward. A compromise during manufacturing renders any software check useless. The malicious firmware mimics enough of the expected behavior to proceed past basic checks. The researcher confirmed this directly in the teardown. A paradox of trust, if ever there was one.
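To make concrete what a manufacturer-keyed genuine check can and cannot establish, here is an added example that is not Ledger's protocol or code. It models the idea the guidance above describes: the factory certifies each device's public key, and the host later sends a random challenge and verifies both the certificate and the device's signature. A counterfeit with its own key fails, a counterfeit that merely copied a genuine public key and certificate fails, but a device that left the factory with a legitimately provisioned key and hostile firmware passes, which is the failure mode this section describes. Lamport one-time signatures are used so the example runs with the standard library alone; the key names, classes and the one-signature-per-key limitation are assumptions of this toy, not Ledger's design.

```python
"""
Added example, not Ledger's protocol or code: a toy model of a
manufacturer-keyed device attestation ("genuine check").  Lamport
one-time signatures stand in for the real scheme so only the standard
library is needed; each key here may sign only once securely.
"""
import hashlib
import secrets

N = 256  # one key pair per bit of the SHA-256 digest being signed


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


def digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, msg: bytes):
    # Reveal, for every digest bit, the preimage matching that bit.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(digest_bits(msg)))


class Device:
    """A wallet: holds a key pair and, if it went through the factory, a cert."""

    def __init__(self, keypair=None, cert=None):
        self.sk, self.pk = keypair if keypair else keygen()
        self.cert = cert

    def respond(self, challenge: bytes):
        return self.pk, self.cert, sign(self.sk, challenge)


class ReplayingCounterfeit(Device):
    """Shows a genuine device's public key and certificate but signs with
    its own key, because it never had the genuine private key."""

    def __init__(self, genuine: Device):
        super().__init__()
        self.shown_pk, self.shown_cert = genuine.pk, genuine.cert

    def respond(self, challenge: bytes):
        return self.shown_pk, self.shown_cert, sign(self.sk, challenge)


def provision(root_sk, device: Device) -> None:
    """Factory step: the manufacturer signs the device public key."""
    device.cert = sign(root_sk, pk_bytes(device.pk))


def genuine_check(root_pk, device: Device) -> bool:
    challenge = secrets.token_bytes(32)
    pk, cert, sig = device.respond(challenge)
    if cert is None or not verify(root_pk, pk_bytes(pk), cert):
        return False  # key was never certified by the manufacturer
    return verify(pk, challenge, sig)  # proves possession of the private key


def scenarios() -> dict:
    root_sk, root_pk = keygen()
    genuine = Device()
    provision(root_sk, genuine)  # toy root key signs exactly one device cert

    uncertified = Device()                     # self-generated key, no cert
    replay = ReplayingCounterfeit(genuine)     # copied pk/cert, wrong sk
    # Legitimately provisioned key pair inside hostile firmware: the
    # compromise happened before the check, so the check has nothing to catch.
    compromised = Device(keypair=(genuine.sk, genuine.pk), cert=genuine.cert)

    return {
        "genuine": genuine_check(root_pk, genuine),
        "uncertified_counterfeit": genuine_check(root_pk, uncertified),
        "replaying_counterfeit": genuine_check(root_pk, replay),
        "compromised_at_factory": genuine_check(root_pk, compromised),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}")
```

The last scenario is the point of this section: the check only proves that some manufacturer-certified key answered the challenge, not that the firmware wrapped around that key is honest, so it cannot substitute for buying from an official channel.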

Past supply chain attacks targeting Ledger users have repeatedly shown that packaging-level verification alone is insufficient. Documented cases on BitcoinTalk record individual users losing over $200,000 to fake hardware wallets from third-party marketplaces. A cautionary tale, though one suspects the victims were more gullible than the devices themselves.

Where These Devices Are Being Sold

Third-party marketplaces are the primary distribution channel. Amazon third-party sellers, eBay, Mercado Livre, JD, and AliExpress all have documented histories of listing compromised hardware wallets, the researcher noted in the Reddit post on r/ledgerwallet. A marketplace of illusions, if ever there was one.

The price point is deliberately suspicious. That is the lure. A non-official source doesn’t offer a discounted Ledger as a deal; it sells a compromised product to benefit the attacker. A bargain, if one values their savings.

Ledger’s official channels are its own e-commerce site at Ledger.com and verified Amazon stores across 18 countries. Nowhere else carries any guarantee of authenticity. A lesson in discernment, if only users were paying attention.

What the Researcher Is Doing Next

The team prepared a comprehensive technical report for Ledger’s Donjon team and its phishing bounty program, and it will release the full write-up after Ledger completes its internal analysis. A procedure as methodical as it is necessary.

The researcher has made IOCs available to other security professionals through direct messages. Anyone who purchased a device from a questionable source can reach out for identification assistance. A noble effort, though one wonders if the victims will heed the warning.

The key red flags remain simple. A pre-generated seed phrase included with the device is a scam. Documentation asking users to type a seed phrase into an app is a scam. Destroy the device immediately in either case. A directive as clear as the nose on one’s face, if only users would read it.

2026-04-18 03:01