A Brazil-based security researcher bought what looked like a fake Ledger wallet from a Chinese marketplace and found something no previous public investigation had fully mapped: a coordinated five-platform operation built to drain crypto across roughly 20 blockchains. The price on the listing was suspiciously low. The packaging passed a quick glance. The internals told a completely different story.

(Image source: Reddit)

Inside was an ESP32-S3, a general-purpose Wi-Fi and Bluetooth microcontroller found in cheap IoT gadgets, not a crypto security device. According to u/Past_Computer2901’s detailed breakdown posted on the r/ledgerwallet subreddit, the chip’s markings had been physically sanded down to obscure its identity. The firmware identified itself as “Ledger Nano S+ V2.1”, a version that does not exist. Every seed phrase and PIN entered into the device was stored unencrypted and immediately sent to a command-and-control server at kkkhhhnnn[.]com.

The legitimate Ledger Nano S+ uses an ST33 Secure Element, a certified security chip purpose-built for private key storage. What the researcher received was not close to that.

When the App Comes With the Device

The seller also provided a modified version of Ledger Live, Ledger’s official wallet management app. The fake copy was signed with the Android debug certificate, the publicly known test keystore the Android SDK generates on every developer machine; no release build of a real app carries it, and the attackers did not bother with anything better. It hooked into XState to intercept APDU commands, the smart-card command format hardware wallets use to talk to host software. Captured data was exfiltrated through background XHR requests to two additional C2 servers: s6s7smdxyzbsd7d7nsrx[.]icu and ysknfr[.]cn.
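A debug signature is cheap to check before installing any app a seller hands you. The script below is an added example, not code from the Reddit post or from Ledger: it parses the text printed by the Android SDK’s `apksigner verify --print-certs app.apk` and flags the AOSP debug certificate, optionally comparing the signer digest against the one on a copy obtained from the official source. The sample output is constructed for the demonstration, and the expected release digest is a placeholder.

```python
"""Flag an Android package signed with the AOSP debug certificate.

Added example, not code from the original post or from Ledger. It parses the
text printed by `apksigner verify --print-certs app.apk`; SAMPLE_OUTPUT is
constructed for this demonstration, and EXPECTED_RELEASE_SHA256 is an assumed
placeholder to be replaced with the digest of an officially obtained copy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Subject DN of the keystore the Android SDK generates for local test builds.
# It is identical on every developer machine, so it proves nothing about origin.
DEBUG_CERT_DN = "CN=Android Debug, O=Android, C=US"

DN_RE = re.compile(r"^Signer #(\d+) certificate DN: (.+)$", re.MULTILINE)
SHA256_RE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F:]{64,})$", re.MULTILINE
)


@dataclass
class Signer:
    index: int
    dn: str
    sha256: str  # lowercase hex, separators removed


def _norm_digest(digest: str) -> str:
    return digest.replace(":", "").lower()


def parse_apksigner_output(text: str) -> List[Signer]:
    """Collect each signer's subject DN and SHA-256 certificate digest."""
    dns = {int(i): dn.strip() for i, dn in DN_RE.findall(text)}
    digests = {int(i): _norm_digest(d) for i, d in SHA256_RE.findall(text)}
    return [Signer(i, dns[i], digests.get(i, "")) for i in sorted(dns)]


def assess(text: str, expected_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if "DOES NOT VERIFY" in text:
        findings.append("apksigner reports the signature does not verify")
    signers = parse_apksigner_output(text)
    if not signers:
        findings.append("no signer certificate found in output")
        return findings
    for s in signers:
        if s.dn == DEBUG_CERT_DN:
            findings.append(f"signer #{s.index} uses the Android debug certificate ({s.dn})")
        if expected_sha256 and s.sha256 != _norm_digest(expected_sha256):
            findings.append(
                f"signer #{s.index} certificate {s.sha256[:16]}... does not match "
                "the expected release certificate"
            )
    return findings


# Constructed sample in apksigner's output format, for a debug-signed package.
SAMPLE_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): true
Verified using v3 scheme (APK Signature Scheme v3): true
Number of signers: 1
Signer #1 certificate DN: CN=Android Debug, O=Android, C=US
Signer #1 certificate SHA-256 digest: 1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f1f
Signer #1 certificate SHA-1 digest: 2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a
Signer #1 certificate MD5 digest: 3b3b3b3b3b3b3b3b3b3b3b3b3b3b3b3b
"""

# Assumed placeholder: the signer digest of a copy of the app downloaded from
# the official source. Substitute the real value before relying on the check.
EXPECTED_RELEASE_SHA256 = "0" * 64

if __name__ == "__main__":
    for finding in assess(SAMPLE_OUTPUT, EXPECTED_RELEASE_SHA256):
        print("-", finding)
```

The debug DN alone is disqualifying; the digest comparison catches the more careful attacker who self-signs with a plausible-looking certificate, which is why the expected value should come from a copy you downloaded yourself rather than from anything shipped with the device.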

That Android app was not where the operation stopped. The researcher traced the same group distributing a Windows .EXE, a macOS .DMG resembling campaigns tracked by Moonlock under the AMOS and JandiInstaller names, and an iOS TestFlight link. TestFlight distributes beta builds outside the normal App Store listing, with a lighter review, a tactic previously documented in CryptoRom fraud cases. Five distinct delivery channels: hardware device, Android, Windows, macOS, iOS.
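Whatever the delivery channel, the three command-and-control domains reported above are the common thread, and they show up in DNS logs regardless of which client did the talking. The script below is an added example, not from the original post: it refangs the defanged indicators as written in the article and matches them, including subdomains, against DNS query records. The log lines and their format are constructed for the demonstration.

```python
"""Match the defanged C2 domains from the write-up against DNS query logs.

Added example, not from the original post. The three domains are the ones the
article reports; SAMPLE_LOG and its "<timestamp> <client> <qname> <qtype>"
layout are constructed assumptions for this demonstration.
"""
import re
from typing import Iterable, List, Tuple

# Indicators exactly as reported, defanged so they are not clickable.
DEFANGED_IOCS = [
    "kkkhhhnnn[.]com",
    "s6s7smdxyzbsd7d7nsrx[.]icu",
    "ysknfr[.]cn",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into a matchable hostname."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)
    return s.rstrip(".")


def defang(hostname: str) -> str:
    """Re-defang a hostname before it goes into a report or ticket."""
    return hostname.replace(".", "[.]")


def matches_ioc(hostname: str, iocs: Iterable[str]) -> bool:
    """True on an exact match or a subdomain (api.kkkhhhnnn.com still counts);
    a look-alike such as notysknfr.cn must not match."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in iocs)


# Assumed log layout: "<timestamp> <client-ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines: Iterable[str],
                 defanged: Iterable[str] = DEFANGED_IOCS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, defanged qname) for every query hitting an IOC."""
    iocs = [refang(d) for d in defanged]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed records rather than crash
        ts, client, qname, _qtype = m.groups()
        if matches_ioc(qname, iocs):
            hits.append((ts, client, defang(qname.lower().rstrip("."))))
    return hits


# Constructed sample records: one benign, three true hits (one with a trailing
# dot, one subdomain, one upper-case), and one look-alike that must not match.
SAMPLE_LOG = """\
2025-01-15T10:01:02Z 10.0.0.17 example.com A
2025-01-15T10:01:05Z 10.0.0.17 kkkhhhnnn.com. A
2025-01-15T10:01:09Z 10.0.0.23 api.s6s7smdxyzbsd7d7nsrx.icu A
2025-01-15T10:01:11Z 10.0.0.23 notysknfr.cn A
2025-01-15T10:02:00Z 10.0.0.42 YSKNFR.CN AAAA
""".splitlines()

if __name__ == "__main__":
    for ts, client, name in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} queried {name}")
```

Matching on the registered domain with a subdomain rule, rather than on the literal string, is deliberate: the article names only the apex domains, and C2 infrastructure commonly rotates hostnames under the same apex.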

According to @IntCyberDigest on X, “The researcher has sent a full report to Ledger’s security team. A deeper technical breakdown is expected once they’ve finished their analysis.”

The scale is what stands out here. Earlier documented cases of fake Ledger hardware, including incidents referenced on BitcoinTalk, involved users losing over $200,000 through compromised devices from third-party sellers. Those were largely single-vector attacks: a modified physical device. This operation runs all five simultaneously.

What Ledger Flags on Its Own Phishing Page

Ledger’s official phishing campaigns page documents a range of ongoing impersonation tactics, including fake emails, physical letters prompting users to scan QR codes, and phone calls from people claiming to be Ledger or CoinCover staff. The page notes that Ledger will never contact users by phone, text, WhatsApp, or Telegram. It also lists four authentic Ledger email domains: @ledger.fr, @ledger.com, @ledgerwallet.com, and @ledger.zendesk.com.

The company explicitly states it cannot and will not block or deactivate a user’s device, a claim scammers regularly use to pressure victims into entering their 24-word recovery phrase.

Ledger’s genuineness verification guide outlines how real devices can be authenticated through Ledger Wallet’s cryptographic Genuine Check, a challenge-response in which the device proves it holds a secret key provisioned at the manufacturing stage. The researcher’s note in the Reddit post cuts through that: if the hardware is compromised before it reaches the buyer, that software check can be bypassed entirely by malicious firmware. The check is also only as trustworthy as the software running it, and in this case the seller supplied the software: a modified Ledger Live can simply report a pass. Run the Genuine Check only from a copy of the app downloaded from ledger.com, never from one that came with the device.

The Specific Signals to Watch For

Any device that arrives with a pre-written recovery phrase is not safe. Any setup guide that instructs the user to type their seed into an app is a scam. Ledger does not include a PIN in packaging, does not generate a seed phrase for the user, and has no mechanism to block or deactivate a device remotely.

The only safe purchase channels are Ledger.com directly or official Amazon storefronts in countries where Ledger operates them. Listings from third-party sellers on AliExpress, JD, Mercado Livre, eBay, and Amazon’s own marketplace carry real risk. The documented losses tied to compromised devices from those channels are not hypothetical.

The researcher told the community he has submitted a full report to Ledger’s Donjon security team and phishing bounty program. A technical write-up with full indicators of compromise is expected once Ledger finishes its internal review. Researchers looking to cross-reference IOCs were invited to reach out directly through the Reddit post.