Security Expert Discovers Counterfeit Ledger Hardware Wallet on China-Based Online Platform

Following a detailed analysis of the fraudulent Ledger device's firmware, the security expert identified evidence linking to Espressif Systems, a semiconductor manufacturer based in China.

A cybersecurity professional from Brazil has issued an alert regarding a newly discovered fraudulent Ledger hardware wallet scheme designed to pilfer cryptocurrency from unsuspecting users.

Posting under the handle "Past_Computer2901" on Thursday in the "ledgerwallet" subreddit, the cybersecurity expert revealed they had bought what appeared to be an authentic Ledger device for their own use, only to find on delivery that it was an elaborate fake built to steal users' cryptocurrency.

"This isn't meant to cause panic, but rather to serve as a serious warning — I'm honestly still a bit shaken by the sheer scale of this operation," they said.

Fraudsters are adopting progressively more advanced techniques against individuals who choose self-custody, ranging from supply-chain attacks to social-engineering tactics and fraudulent token-approval schemes.

Earlier this month, more than 50 victims were tricked into revealing their seed phrases on a fake Ledger Live app that made its way to the Apple App Store via a bait-and-switch strategy. The victims lost a combined $9.5 million before Apple took down the malicious app.

How the counterfeit Ledger device scam works

According to the researcher, they purchased the Ledger Nano S Plus through a Chinese online marketplace, where it was offered at the identical price point as the official Ledger store. Both the packaging design and the product listing seemed authentic upon initial inspection.

Nevertheless, upon connecting the hardware wallet to the authentic Ledger Live application — which was fortunately already present on their machine — the device could not pass Ledger's integrated "Genuine Check" verification process.

This failure triggered them to disassemble the hardware wallet, uncovering altered components and customized firmware engineered to intercept and transmit confidential wallet information.

According to the cybersecurity professional, the fraudsters specifically target first-time Ledger users: the QR code that comes in the box directs them to download a malicious version of the Ledger Live app, which displays a fake "Genuine Check" that the tampered device passes.

Users who keep following the instructions end up handing their seed phrase to the fraudsters, who can then drain the funds at any time.

Image showing the fake Ledger hardware wallet disassembled. Source: Reddit

"Stay safe out there. Only download Ledger Live from ledger.com. Only buy hardware from ledger.com," the security researcher said.

"If your device fails the Genuine Check — stop using it immediately."

After disassembling the device, they found unmistakable evidence of modification, including chip markings that had been scraped off and a WiFi and Bluetooth antenna embedded inside the unit.

Authentic Ledger hardware products are engineered to maintain private keys in a completely offline environment.

The cybersecurity expert then investigated the firmware, putting the "chip into boot mode"; at first the device identified itself as a Nano S Plus 7704 with an attached serial number.

Yet once the boot sequence completed, another manufacturer's name appeared: Espressif Systems, a publicly listed Chinese semiconductor company based in Shanghai.

Cointelegraph reached out to Espressif for comment but didn't receive an immediate response.