Fake hardware wallets on the rise

Security firm Kaspersky says supply‑chain attackers are shipping counterfeit hardware crypto wallets that contain tampered components or preset seeds, turning a physical device into an instant compromise. The report urges buying directly from manufacturers to avoid tampered stock, because distributors and resellers can be targeted to introduce modified units into legitimate channels. For parts distributors, that highlights a less-obvious risk: tampering at the component level can convert commodity sales into major liability events. (x.com)

A hardware wallet is supposed to be the crypto version of a house safe: the secret keys stay inside the device, and every transfer has to be approved on its own screen instead of on a hacked laptop. Trezor says its devices keep crypto “100% offline,” and Ledger warns it will never ask for the 24 words of a recovery phrase. (trezor.io) (ledger.com) That protection breaks if the device is fake before it ever reaches you.

Kaspersky documented a counterfeit Trezor Model T bought through a classifieds marketplace that looked sealed, worked normally, and still let thieves drain funds without the victim even plugging it in on the day of the theft. (kaspersky.com) The trick was not a smashed box or a missing sticker. Kaspersky found the fake wallet reported bootloader version 2.0.4, a version Trezor had never released, and Trezor’s own change history says that version number was “skipped due to fake devices.” (kaspersky.com)

Inside, the counterfeit used a different microcontroller, which is the main chip that runs the wallet, like swapping the lock inside a safe while keeping the same door. Kaspersky says the attackers replaced the original STM32F427 chip with a cheaper STM32F429 and rewired the board to make the fake parts fit. (kaspersky.com) That chip swap mattered because the fake firmware could bypass the protections the real device relies on. Kaspersky says the counterfeit wallet generated seed phrases from a fixed list of only 20 phrases, so the attacker could wait for deposits and then recover the wallet with one of those pre-known backups. (kaspersky.com)

A seed phrase is the master backup for a wallet: a short list of words that can rebuild the whole account on another device. Ledger’s warning is blunt: anyone who gets those 24 words can take the assets, which is why a preset or preprinted seed is not a convenience feature but a built-in theft mechanism. (ledger.com) (kaspersky.com) Real hardware wallets are designed so you create the seed yourself during setup and confirm actions on the device. Trezor says its packaging and device security seals protect integrity, and its current Safe 3 uses on-device confirmation plus a certified secure element chip rated EAL6+, which is a security certification level used for tamper-resistant hardware. (trezor.io)

That is why the boring part of the buying process now matters as much as the cryptography. Kaspersky’s advice is to buy hardware wallets only from official and trusted sources, because a device can look authentic on the outside while the compromise sits at the component level inside the case. (kaspersky.com 1) (kaspersky.com 2) The uncomfortable part for distributors and resellers is that this is a supply-chain problem, not just a scam-listing problem. If attackers can slip modified units or substituted chips into legitimate channels, a seller can end up moving what looks like commodity electronics and actually be shipping instant wallet compromises. (kaspersky.com)
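Two of the red flags Kaspersky describes (a bootloader version absent from the vendor's release history, and seeds drawn from a fixed pool of only 20 phrases) can be scripted as acceptance checks; the code below is an added example, not Kaspersky's or Trezor's. The release allowlist, the 2048-word stand-in list and both seed generators are constructed placeholders, not real firmware data or real seeds.

```python
import random

# Placeholder allowlist (assumption, not Trezor's real changelog): a reported
# version missing from the vendor's published release history is suspect.
KNOWN_RELEASED_BOOTLOADERS = {"2.0.3", "2.0.5"}


def bootloader_is_known(reported, released=KNOWN_RELEASED_BOOTLOADERS):
    """True only if the device-reported bootloader version was ever released."""
    return reported in released


def distinct_seed_count(seed_generator, resets):
    """Initialise the device `resets` times and count distinct seed phrases.
    A genuine device draws from >= 2^128 possibilities and never repeats;
    a counterfeit choosing from a small fixed pool repeats within a few resets."""
    return len({tuple(seed_generator()) for _ in range(resets)})


def collision_probability(pool_size, draws):
    """Birthday-bound probability of at least one repeated seed when the
    device picks uniformly from `pool_size` preset phrases."""
    p_no_repeat = 1.0
    for i in range(draws):
        p_no_repeat *= max(pool_size - i, 0) / pool_size
    return 1.0 - p_no_repeat


def looks_counterfeit(seed_generator, resets=25):
    """Any repeat across `resets` initialisations is a preset-seed indicator."""
    return distinct_seed_count(seed_generator, resets) < resets


# Constructed stand-ins so the checks run offline (not real BIP39 words or seeds).
WORDS = [f"word{i:04d}" for i in range(2048)]
_rng = random.Random(1)


def genuine_seed():
    # Models a device that derives 24 words from fresh randomness each setup.
    return [_rng.choice(WORDS) for _ in range(24)]


# Models the counterfeit: every "new" wallet is one of 20 pre-known backups.
COUNTERFEIT_POOL = [[_rng.choice(WORDS) for _ in range(24)] for _ in range(20)]


def counterfeit_seed():
    return _rng.choice(COUNTERFEIT_POOL)
```

With a pool of 20, a repeat is more likely than not after 7 resets and certain after 21, so a short burn-in of factory resets before trusting a device is a cheap distributor-side check.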
