Counterfeit Ledger Hardware Wallets on Chinese Marketplaces Steal Cryptocurrency Across 20 Blockchains

A Brazilian cybersecurity researcher has uncovered a supply chain scam built around counterfeit Ledger Nano S Plus hardware wallets sold through Chinese marketplaces. The devices are engineered to silently capture the owner's PIN and seed phrase so that funds on roughly 20 blockchains can be drained.

The researcher, who posts on Reddit as u/Past_Computer2901, bought a device that looked authentic: packaging and price matched the official Ledger store. Suspicion arose when the device failed Ledger's Genuine Check on first connection to a legitimately obtained copy of Ledger Live, which prompted a physical teardown.

Inside, the secure element of a genuine unit had been replaced with an ESP32-S3, a general-purpose IoT microcontroller made by Shanghai-based Espressif Systems. The chip's markings had been scraped off to hinder identification, and the board carried a Wi-Fi/Bluetooth antenna that a genuine Nano S Plus does not have; the real device has no radio at all, so the antenna is the obvious path for getting data off a unit that is otherwise only connected over USB. While booting, the chip first identified itself as a Ledger product; once boot completed it reported itself as an Espressif Systems device.
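The identity change the teardown describes is the kind of thing a host-side log can catch. The following detection logic is an added example, not code from the researcher or from Ledger, and it assumes the change is visible in USB enumeration (the post does not say over which channel the chip revealed itself): it parses kernel-style USB log lines and flags a port whose device re-enumerates under a different vendor ID, or whose descriptor vendor ID disagrees with its manufacturer string. The vendor IDs are the USB-IF assignments (Ledger 2c97, Espressif 303a); the log lines themselves are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Enumeration is one "New USB device found" event plus the descriptor strings logged after it.
type Enumeration struct {
	Port, VendorID, ProductID, Manufacturer, Product string
}

// USB-IF vendor IDs: Ledger SAS is 2c97, Espressif Systems is 303a.
var knownVendors = map[string]string{"2c97": "Ledger", "303a": "Espressif"}

var (
	reFound = regexp.MustCompile(`^\[[^\]]*\] usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})`)
	reManuf = regexp.MustCompile(`^\[[^\]]*\] usb (\S+): Manufacturer: (.+)$`)
	reProd  = regexp.MustCompile(`^\[[^\]]*\] usb (\S+): Product: (.+)$`)
)

// SampleLog is constructed for this example, not taken from the post: a genuine unit on 1-2,
// a unit on 1-1 that re-enumerates under Espressif's vendor ID after its first boot, and a
// unit on 2-1 whose vendor ID and manufacturer string disagree.
const SampleLog = `[10.001] usb 1-2: New USB device found, idVendor=2c97, idProduct=5011, bcdDevice= 1.01
[10.001] usb 1-2: Product: Nano S Plus
[10.001] usb 1-2: Manufacturer: Ledger
[12.452] usb 1-1: New USB device found, idVendor=2c97, idProduct=5011, bcdDevice= 2.01
[12.452] usb 1-1: Product: Nano S Plus
[12.452] usb 1-1: Manufacturer: Ledger
[14.100] usb 1-1: USB disconnect, device number 4
[15.180] usb 1-1: New USB device found, idVendor=303a, idProduct=1001, bcdDevice= 1.00
[15.180] usb 1-1: Product: USB JTAG/serial debug unit
[15.180] usb 1-1: Manufacturer: Espressif
[20.300] usb 2-1: New USB device found, idVendor=2c97, idProduct=5011, bcdDevice= 2.01
[20.300] usb 2-1: Product: Nano S Plus
[20.300] usb 2-1: Manufacturer: Espressif Systems`

// ParseEnumerations turns kernel log lines into per-enumeration records, in log order.
func ParseEnumerations(log string) []Enumeration {
	var out []Enumeration
	for _, line := range strings.Split(log, "\n") {
		if m := reFound.FindStringSubmatch(line); m != nil {
			out = append(out, Enumeration{Port: m[1], VendorID: m[2], ProductID: m[3]})
			continue
		}
		if len(out) == 0 {
			continue
		}
		last := &out[len(out)-1] // descriptor strings follow the "found" line for the same port
		if m := reManuf.FindStringSubmatch(line); m != nil && m[1] == last.Port {
			last.Manufacturer = m[2]
		} else if m := reProd.FindStringSubmatch(line); m != nil && m[1] == last.Port {
			last.Product = m[2]
		}
	}
	return out
}

// Findings reports two conditions worth a second look: a descriptor whose vendor ID and
// manufacturer string disagree, and a port whose device comes back under a different vendor
// ID after re-enumerating (an identity that changes once boot completes).
func Findings(enums []Enumeration) []string {
	var findings []string
	lastVendor := map[string]string{} // port -> vendor ID of the previous enumeration
	for _, e := range enums {
		if name, ok := knownVendors[e.VendorID]; ok && e.Manufacturer != "" &&
			!strings.Contains(strings.ToLower(e.Manufacturer), strings.ToLower(name)) {
			findings = append(findings, fmt.Sprintf("%s: idVendor=%s belongs to %s but Manufacturer string is %q",
				e.Port, e.VendorID, name, e.Manufacturer))
		}
		if prev, seen := lastVendor[e.Port]; seen && prev != e.VendorID {
			findings = append(findings, fmt.Sprintf("%s: vendor ID changed %s -> %s across re-enumeration",
				e.Port, prev, e.VendorID))
		}
		lastVendor[e.Port] = e.VendorID
	}
	return findings
}

func main() {
	for _, f := range Findings(ParseEnumerations(SampleLog)) {
		fmt.Println("SUSPICIOUS", f)
	}
}
```

Run against the constructed log, the genuine unit on port 1-2 produces nothing, port 1-1 is flagged for changing from 2c97 to 303a, and port 2-1 is flagged for a Ledger vendor ID paired with an Espressif manufacturer string. On a real host the same logic would be fed `dmesg` output or a udev event log rather than the embedded constant.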

A full firmware dump confirmed that every PIN entered and every seed phrase generated on the device was stored in plaintext and transmitted to attacker-controlled command-and-control (C2) servers, among them the domain kkkhhhnnn[.]com. The firmware reported itself as "Nano S+ V2.1", a version that does not exist in Ledger's official firmware lineup, a fake release label meant to look like a legitimate upgrade. With the seed in hand the attackers can empty the corresponding wallets on roughly 20 blockchain networks at once, because a single seed phrase derives the keys for every chain the wallet supports.

The counterfeit shipped with a QR code inside the box that pointed buyers to a cloned Ledger website offering a trojanized build of Ledger Live. That app's "Genuine Check" was hardcoded to always show the success screen, so a first-time crypto user would see no warning that the device was compromised. The app was not properly code-signed and silently exfiltrated wallet data during use.

The operation extends well beyond a single fake app. The threat actors have deployed malware for Android, Windows, macOS and iOS, with the iOS variant distributed through Apple's TestFlight program to sidestep App Store review. Infrastructure analysis turned up three C2 servers, a cloned website and a QR-code redirect chain, all registered to a shell company based in Shanghai.

Critically, the researcher stressed that Ledger's cryptographic Genuine Check does detect this counterfeit, but only when it is run from the real Ledger Live downloaded from ledger.com: the check has the device prove, with a key certified by Ledger, that it contains a genuine secure element, and an ESP32 holds no such key. The scam therefore depends on the victim never interacting with the legitimate application. The researcher has submitted a full technical report to Ledger's security team, and a deeper analysis is expected once Ledger has reviewed it.
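A model of why the check only means something when the client is honest, added here as an example (it is neither Ledger's code nor its exact protocol, and not from the researcher's report): the client pins a manufacturer root key, asks the device for a certificate on its own key, verifies the root's signature on that certificate, then has the device sign a fresh random challenge. A counterfeit can copy a genuine unit's certificate but not the private key behind it, so it fails the second step; the trojanized client simply never runs either step. Root, device and counterfeit keys are generated in-process on P-256, and every name here (Root, Provision, GenuineCheck, TrojanizedGenuineCheck) is an assumption made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceCert binds a device public key (PKIX DER) to the manufacturer via a root signature.
type DeviceCert struct{ PubDER, RootSig []byte }

// Device is what a wallet client can ask of a connected unit.
type Device interface {
	Cert() DeviceCert
	Sign(challenge []byte) ([]byte, error)
}

// mustKey stands in for key generation inside the secure element or the manufacturer HSM.
func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

// Root models the manufacturer's issuer key: constructed fresh here, HSM-held in production.
type Root struct{ Key *ecdsa.PrivateKey }

func NewRoot() *Root { return &Root{Key: mustKey()} }

// GenuineDevice holds a secure-element key that the root certified at the factory.
type GenuineDevice struct {
	key  *ecdsa.PrivateKey
	cert DeviceCert
}

// Provision models factory personalisation: generate a device key and have the root sign it.
func (r *Root) Provision() (*GenuineDevice, error) {
	k := mustKey()
	der, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	if err != nil {
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, r.Key, digest(der))
	if err != nil {
		return nil, err
	}
	return &GenuineDevice{key: k, cert: DeviceCert{PubDER: der, RootSig: sig}}, nil
}

func (d *GenuineDevice) Cert() DeviceCert { return d.cert }
func (d *GenuineDevice) Sign(c []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, d.key, digest(c)) }

// CounterfeitDevice replays a certificate copied from a real unit but has to sign with its
// own key: the certified private key never leaves a genuine secure element.
type CounterfeitDevice struct {
	key        *ecdsa.PrivateKey
	copiedCert DeviceCert
}

func NewCounterfeit(copied DeviceCert) *CounterfeitDevice {
	return &CounterfeitDevice{key: mustKey(), copiedCert: copied}
}

func (d *CounterfeitDevice) Cert() DeviceCert { return d.copiedCert }
func (d *CounterfeitDevice) Sign(c []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, d.key, digest(c)) }

// GenuineCheck is the honest client's check: the presented key must carry a valid root
// signature, and the device must sign a fresh challenge with it. Both steps must pass.
func GenuineCheck(rootPub *ecdsa.PublicKey, dev Device) error {
	cert := dev.Cert()
	if !ecdsa.VerifyASN1(rootPub, digest(cert.PubDER), cert.RootSig) {
		return errors.New("device key is not certified by the manufacturer root")
	}
	parsed, err := x509.ParsePKIXPublicKey(cert.PubDER)
	devPub, ok := parsed.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return errors.New("certified key is not a usable ECDSA key")
	}
	challenge := make([]byte, 32) // fresh per check, so a recorded answer cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := dev.Sign(challenge)
	if err != nil || !ecdsa.VerifyASN1(devPub, digest(challenge), sig) {
		return errors.New("device could not prove possession of the certified key")
	}
	return nil
}

// TrojanizedGenuineCheck mirrors the cloned Ledger Live described above: the verdict is hardcoded.
func TrojanizedGenuineCheck(_ *ecdsa.PublicKey, _ Device) error { return nil }

func main() {
	root := NewRoot()
	unit, _ := root.Provision()
	fake := NewCounterfeit(unit.Cert())
	fmt.Println("honest client, genuine unit:   ", GenuineCheck(&root.Key.PublicKey, unit))
	fmt.Println("honest client, counterfeit:    ", GenuineCheck(&root.Key.PublicKey, fake))
	fmt.Println("trojanized client, counterfeit:", TrojanizedGenuineCheck(&root.Key.PublicKey, fake))
}
```

The counterfeit fails at the possession step even though its certificate is a genuine one; a counterfeit that instead presents a certificate from its own forged root fails at the first step. Neither outcome reaches the user if the client they are running returns success unconditionally, which is why the verdict is only as trustworthy as the binary that produced it.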

How to Stay Protected:

– Purchase from Official Sources: Buy only from Ledger's official website (ledger.com) or verified authorized resellers. Avoid third-party marketplaces and auction sites; the counterfeit in this case was priced and packaged like the real thing, so a normal-looking price is no reassurance.

– Download Software from Official Channels: Download Ledger Live exclusively from ledger.com, and check the installer against the checksums and signatures Ledger publishes for each release before running it. Never scan a QR code found inside the box to obtain software.

– Verify Device Authenticity: Run the Genuine Check immediately on first connecting any hardware wallet, and only from a Ledger Live you obtained yourself from ledger.com. A success screen in an app the packaging pointed you to proves nothing; the counterfeit's companion app was built to show exactly that.

– Be Cautious of Firmware Versions: Treat any firmware version not listed on Ledger's official website as suspicious; "Nano S+ V2.1" is not a Ledger release.

By adhering to these guidelines, users can significantly reduce the risk of falling victim to such sophisticated scams.