Scammers mail out fake hardware wallets to victims of Ledger data breach

The effects of Ledger’s major data breach continue to be felt almost a year later. One contributor to the r/ledgerwallet forum on Reddit, writing under the tag “u/jjrand” and self-identified as one of those affected by the breach, has posted pictures of what appears to be a fake Ledger Nano X wallet received in the mail.

Wrapped in seemingly authentic packaging, the device nonetheless contained a number of tell-tale signs that sparked the contributor’s suspicion. Most jarringly, the package came together with a poorly written letter claiming to be signed by Ledger CEO Pascal Gauthier, telling its recipient:

“For security purposes we have sent you a new device you must switch to a new device to stay safe. There is a manual inside your new box you can read that to learn how to set up your new device. For this reason, we have changed our device structure. We now guarantee that this kinda breach will never happen again.”

Box containing allegedly fraudulent Ledger device, received by Reddit user u/jjrand. Source: Reddit
Scam letter purportedly written and signed by Ledger CEO Pascal Gauthier. Source: Reddit

Aside from the letter, u/jjrand also received a fake manual, enclosing instructions on how to use the device and, crucially, asking that the user enter their private Ledger recovery phrase to connect their cryptocurrency wallet to the new hardware. On the basis of further pictures showing the device’s circuit board uploaded to Reddit, security researcher Mike Grover told BleepingComputer that the fake device was tampered with:

“This seems to be simply a flash drive strapped on to the Ledger with the purpose to be for some sort of malware delivery. All of the components are on the other side, so I cannot confirm if it is JUST a storage device, but […] judging by the very novice soldering work, it's probably just an off the shelf mini flash drive removed from its casing.”

Grover highlighted a section of the back of the device showing the flash drive implant, noting that “these four wires piggyback the same connections for the USB port of the Ledger.”

Back of fake Ledger device. Source: Reddit, with highlight added by Mike Grover
Back of authentic Ledger device. Source: BleepingComputer

On the basis of Grover and BleepingComputer’s analysis, it appears that the heist is designed to intercept the user’s entered recovery phrase in order to reroute the details to a device controlled by the scammers, which they can then use to steal the associated cryptocurrency holdings.

In a web post dated May 10 but not cited by u/jjrand, Ledger had already warned customers against the fake letter and device, stating that:

“The fake user guide in the Nano’s box asks the user to connect the device to a computer. To initialize the device, the user is then asked to enter his 24 words in a fake Ledger Live application. This is a scam. Do not connect the device to your computer and never share your 24 words. Ledger will never ask you to share your 24-word recovery phrase.”

While the warning is included as part of Ledger’s online list of phishing campaigns of which the company is aware, it is not clear whether the company has reached out to users directly, especially those whose leaked details may leave them more susceptible to falling for the ruse.

Cointelegraph has reached out to Ledger for comment and will update this article with further information regarding this issue.

As previously reported, other consequences of the data leak have included Ledger users receiving emails from extortionists threatening physical violence or other criminal attacks. The original data breach occurred in June and July 2020 and included 1,075,382 email addresses from users subscribed to the Ledger newsletter. It notably also involved the leak of personal information (including home addresses) associated with 272,853 hardware wallet orders.