Counterfeit Ledger Alert
Researchers flagged a large-scale counterfeit Ledger Nano S Plus operation: the fake devices use ESP32 hardware, fake firmware and companion apps to exfiltrate seed phrases and PINs, with attack vectors spanning both the hardware and an APK. The advisory urges buyers to source devices only from official channels because these fakes can compromise wallet recovery data. (x.com)
A hardware wallet is supposed to keep crypto recovery words offline, but researchers say counterfeit Ledger Nano S Plus devices are doing the opposite. (cointelegraph.com) The warning surfaced on April 16 after a researcher posting as “Past_Computer2901” on Reddit said a Nano S Plus bought from a Chinese marketplace failed Ledger Live’s built-in Genuine Check. The device had been listed at about the same price as Ledger’s official store and arrived in packaging that looked legitimate. (cointelegraph.com)

After opening the wallet, the researcher reported scraped chip markings and a hidden wireless board with an antenna. Cointelegraph said the hardware pointed to an Espressif-made ESP32, a chip family sold with integrated Wi-Fi and Bluetooth. (cointelegraph.com) (espressif.com) A genuine Ledger Nano S is built around a secure element, a dedicated chip meant to isolate secret keys from the rest of the device. Ledger’s developer documentation says the Nano S architecture uses an ST31 secure element and BOLOS, Ledger’s operating system. (github.com)

The counterfeit worked as part of a two-step trap, according to the researcher’s account summarized by Cointelegraph. A QR code in the box sent buyers to a fake Ledger Live download, and that app then displayed a bogus Genuine Check before asking for seed phrases that could empty wallets later. (cointelegraph.com) Ledger says its real software will not ask for a 24-word recovery phrase except on the device itself during setup or restore. The company’s support page, updated March 31, 2026, says any app, website, caller or message asking for that phrase is a scam. (support.ledger.com) Ledger also tells users to verify origin, packaging and the initial state of the device, then run Genuine Check in Ledger Live. Its support guide says those steps are meant to confirm a wallet is genuine and not counterfeit. (support.ledger.com)

The fake-device report landed amid a broader run of Ledger-themed phishing. Ledger’s scam tracker lists ongoing fake apps, fake websites and physical-mail campaigns, and The Block reported in April 2025 that scammers were mailing letters that asked customers for seed phrases under the guise of a security upgrade. (ledger.com) (theblock.co) The practical advice in this case is narrow and old-fashioned: buy the wallet from Ledger or an authorized seller, install Ledger Live only from Ledger’s site, and stop immediately if the device fails Genuine Check. In a product built to protect one secret, the recovery phrase is still the one thing an attacker needs. (cointelegraph.com) (support.ledger.com)
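The report above turns on two points: a genuine check is only meaningful when it is a cryptographic proof tied to a key the manufacturer certified at the factory, and a check displayed by a companion app obtained from a QR code in the box proves nothing because the app can simply say "pass". The following Go program is an added illustration of that principle, written for this article; it is a constructed model and not Ledger's attestation protocol, and every name in it (Manufacturer, Device, VerifyGenuine, FakeAppGenuineCheck) is an assumption of the example. It shows an honest check accepting a factory-certified device and rejecting a self-certified clone, alongside a fake app that reports a pass for anything.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model of a manufacturer-attested hardware wallet. This illustrates
// the principle behind a "genuine check"; it is not Ledger's protocol.

// Manufacturer holds the root key whose public half an honest app pins.
type Manufacturer struct{ root *ecdsa.PrivateKey }

// Cert binds a device public key to whoever signed it.
type Cert struct {
	DevicePub *ecdsa.PublicKey
	Sig       []byte // manufacturer signature over the device key, or a self-signature on a clone
}

// Device stands in for the secure element: the private key never leaves it.
// It only exposes its certificate and signs challenges.
type Device struct {
	key  *ecdsa.PrivateKey
	Cert Cert
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func mustSign(priv *ecdsa.PrivateKey, digest []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest)
	if err != nil {
		panic(err)
	}
	return sig
}

// keyDigest is the value signed when certifying a device key.
func keyDigest(pub *ecdsa.PublicKey) []byte {
	h := sha256.Sum256(append(pub.X.Bytes(), pub.Y.Bytes()...))
	return h[:]
}

func NewManufacturer() *Manufacturer            { return &Manufacturer{root: mustKey()} }
func (m *Manufacturer) RootPublic() *ecdsa.PublicKey { return &m.root.PublicKey }

// Provision is the factory step: generate a device key and certify it with the root.
func (m *Manufacturer) Provision() *Device {
	key := mustKey()
	return &Device{key: key, Cert: Cert{&key.PublicKey, mustSign(m.root, keyDigest(&key.PublicKey))}}
}

// NewClone models a counterfeit: a working chip with a plausible-looking
// certificate, but nothing chains to the manufacturer root.
func NewClone() *Device {
	key := mustKey()
	return &Device{key: key, Cert: Cert{&key.PublicKey, mustSign(key, keyDigest(&key.PublicKey))}}
}

// Sign answers a challenge; the caller never sees d.key.
func (d *Device) Sign(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return mustSign(d.key, h[:])
}

// VerifyGenuine is what an honest companion app must do: verify the device
// certificate against a pinned root, then make the device prove possession of
// the certified key by signing a fresh random challenge.
func VerifyGenuine(root *ecdsa.PublicKey, d *Device) error {
	if !ecdsa.VerifyASN1(root, keyDigest(d.Cert.DevicePub), d.Cert.Sig) {
		return errors.New("device certificate is not signed by the manufacturer root")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(d.Cert.DevicePub, h[:], d.Sign(challenge)) {
		return errors.New("device did not prove possession of the certified key")
	}
	return nil
}

// FakeAppGenuineCheck models the counterfeit companion app in the report: it
// shows a pass without verifying anything at all.
func FakeAppGenuineCheck(_ *Device) bool { return true }

func main() {
	m := NewManufacturer()
	fmt.Println("genuine device, honest app:", VerifyGenuine(m.RootPublic(), m.Provision()))
	fmt.Println("clone device, honest app:  ", VerifyGenuine(m.RootPublic(), NewClone()))
	fmt.Println("clone device, fake app:    ", FakeAppGenuineCheck(NewClone()))
}
```

The design point is that the trust anchor lives in the app, not in the device or its packaging: the honest check fails for the clone because its certificate does not chain to the pinned root, and no amount of convincing hardware changes that. Conversely, the fake app passes everything, which is why the advice to install the companion software only from the vendor's own site matters as much as buying the device from an authorized seller.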