Fake Ledger Wallet Exposed With Hidden Chip Stealing Seed Phrases and PINs

A cybersecurity researcher from Brazil exposed a large-scale scam operation after buying a “Ledger” hardware wallet from a Chinese marketplace listing that looked legitimate and was priced the same as the official store. The packaging appeared original from a distance, but the device was counterfeit.
When the researcher connected it to Ledger Live installed from ledger.com, it failed the Genuine Check, confirming it was not a real Ledger device. This failure led the researcher to open the device and examine its internal hardware and firmware.
Cloned Websites and Malicious Apps
Inside the shell, the researcher found a completely different chip, not the type used in a hardware wallet. The chip markings had been physically scraped off to hide identification. As per the researcher’s Reddit post, the device also contained a WiFi and Bluetooth antenna, which is not present in a real Ledger Nano S+. By analyzing the chip layout, they identified it as an ESP32-S3 with internal flash memory.
When the device booted, it initially presented itself as a Ledger Nano S+ 7704, complete with serial numbers and a Ledger factory identity, but later revealed its true manufacturer as Espressif Systems.
After dumping the firmware and reverse engineering it, the researcher found that the PIN created on the device was stored in plaintext. The seed phrases of wallets generated on the device were also stored in plaintext. The firmware additionally contained multiple hardcoded domain references pointing to external command-and-control servers. Together, these findings showed that the device was designed to collect sensitive wallet data and to reach external servers.
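The two firmware findings above (plaintext seed phrases and hardcoded domains) are exactly what a defender triages first in a dump. The following is an added example, not the researcher's tooling: it extracts printable strings from a constructed firmware fragment, flags host names, and flags runs of 12 or more consecutive dictionary words. A small constructed wordlist stands in for the full BIP39 English list, which a real triage would pass in.

```python
import re
from typing import Iterable

# Constructed stand-in for the 2048-word BIP39 list (assumption: caller
# supplies the real list for actual triage).
SAMPLE_WORDLIST = {
    "abandon", "ability", "able", "about", "above", "absent", "absorb",
    "abstract", "absurd", "abuse", "access", "accident", "zoo", "zone",
}

# Constructed firmware fragment, not bytes from the real device: a version
# string, a placeholder host name, a 12-word phrase and a plaintext PIN.
SAMPLE_DUMP = (
    b"\x00\xff\x10ESP-IDF v5.1\x00"
    b"https://update.example-placeholder.invalid/api\x00"
    b"\x00\x00seed:abandon ability able about above absent absorb "
    b"abstract absurd abuse access accident\x00"
    b"\x7f\x00pin:1234\x00"
)

def printable_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return ASCII runs of at least min_len bytes, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def find_domains(blob: bytes) -> list[str]:
    """Host names baked into firmware are the first beacon/C2 indicator to review."""
    found: set[str] = set()
    for s in printable_strings(blob):
        found.update(DOMAIN_RE.findall(s))
    return sorted(found)

def find_word_phrases(blob: bytes, wordlist: Iterable[str],
                      min_words: int = 12) -> list[str]:
    """Flag runs of >= min_words consecutive wordlist words: a seed phrase at rest."""
    words = set(wordlist)
    hits: list[str] = []
    for s in printable_strings(blob):
        run: list[str] = []
        for tok in re.split(r"[^a-z]+", s.lower()) + [""]:  # "" forces a final flush
            if tok in words:
                run.append(tok)
                continue
            if len(run) >= min_words:
                hits.append(" ".join(run))
            run = []
    return hits
```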
The researcher also examined how the attack might work in practice. Although the hardware contained a WiFi and Bluetooth antenna, the firmware showed no evidence of wireless data transmission or WiFi access point connections. It also contained no BadUSB scripts for keystroke injection or terminal commands. Instead, the attack appeared to rely on user interaction outside the device itself.
According to the researcher, the scam begins when a user scans a QR code included in the packaging. This QR code leads to a cloned website that looks like ledger.com. From there, users are prompted to download a fake “Ledger Live” application for Android, iOS, Windows, or Mac. The fake app shows a counterfeit Genuine Check screen that always passes. Users then create wallets and write down seed phrases, believing the setup is safe. Meanwhile, the fake app exfiltrates the seed phrases to attacker-controlled servers.
The researcher decompiled the Android APK version of the fake Ledger Live app and found additional malicious behavior. The app was built with React Native and the Hermes engine. It was signed with an Android debug certificate instead of a proper signing key. It intercepted APDU commands between the app and device, made stealth requests to external servers, and continued running in the background for several minutes after being closed.
It  
