Counterfeit Ledger wallets in supply chains

Security firm OneKey warned that counterfeit Ledger hardware wallets with tampered components and fake companion apps are appearing in supply chains and draining users' funds. The post urged authenticity checks, treating the problem as a supply‑chain integrity issue for electronics. (x.com)

A hardware wallet is supposed to keep crypto keys offline, but OneKey said counterfeit Ledger devices are reaching buyers with tampered parts and fake setup software that empties wallets. (onekey.so)

Ledger’s own setup process is built around a “Genuine Check,” a cryptographic test that confirms the device contains a real Ledger secure element, the tamper-resistant chip used to hold keys. Ledger said that check runs during onboarding and when the device connects to My Ledger in the Ledger Wallet app. (support.ledger.com)

That safeguard has limits. Ledger said a genuine check can confirm the secure element is real, but it “cannot detect unauthorized physical modifications” if the original chip is still inside the device. (support.ledger.com)

OneKey framed the problem as a supply-chain attack, not a normal remote hack. In a March 23, 2026 post, the company said the main risk for hardware wallets often sits “from ordering to transaction signing,” where a device, firmware, app, or connection can be swapped before the user ever starts setup. (onekey.so)

That warning lands as fake Ledger software is already causing losses. On April 14, 2026, CoinDesk reported that a fake Ledger Live app on Apple’s App Store drained about $9.5 million from more than 50 victims between April 7 and April 13, citing blockchain investigator ZachXBT. (coindesk.com)

Ledger tells users to buy through Ledger.com or its authorized reseller network, which includes official Amazon storefronts in countries including the United States, Canada, the United Kingdom, Germany, France, Japan and Australia. The company said devices bought elsewhere are “not necessarily dubious,” but should be checked carefully. (support.ledger.com)

The company also says the app itself should come only from official sources. Ledger’s scam guidance says any site or app other than its official channels is fraudulent if it asks for the 24-word recovery phrase, and Ledger Wallet “will never request” that phrase. (support.ledger.com)

A common version of the hardware scam starts even earlier. Ledger’s support page on “pre-seed device” scams says some counterfeit devices arrive already configured with a printed 24-word recovery phrase, letting attackers steal funds as soon as the victim deposits crypto. (support.ledger.com)

This is not limited to Ledger. Kaspersky said in a 2023 case involving counterfeit Trezor wallets that attackers had replaced internal hardware and removed firmware verification, allowing them to take control of private keys while the wallet still appeared normal to the buyer. (kaspersky.com)

Ledger’s advice is narrower than “trust the box.” The company says no packaging check, branding check, or seller rating can replace running the genuine check with authentic Ledger software before moving funds onto a device. (ledger.com)

The practical test is simple: if a new device arrives preconfigured, points you to an unofficial download, or asks for a recovery phrase anywhere except on the hardware wallet itself during setup, Ledger says not to use it. (support.ledger.com)
