A Brazilian cybersecurity researcher has raised the alarm over a sophisticated counterfeit Ledger device scam designed to steal users’ crypto.
Posting under the name “Past_Computer2901” on Reddit’s “ledgerwallet” forum, the researcher said they purchased what appeared to be a genuine Ledger device, only to discover it was a highly convincing fake intended to compromise wallet security.
“This isn’t meant to cause panic, but rather to serve as a serious warning — I’m honestly still a bit shaken by the sheer scale of this operation,” they wrote.
The incident highlights increasingly advanced tactics used by scammers targeting self-custody users, including supply chain compromises, social engineering, and approval scams.
Earlier this month, more than 50 victims were tricked into revealing their seed phrases through a fake Ledger Live app that slipped onto the Apple App Store via a bait-and-switch tactic, resulting in losses of $9.5 million before it was removed.
How the counterfeit Ledger scam works
The researcher said they bought a Ledger Nano S Plus from a Chinese marketplace at a price similar to the official store, with packaging and listing that appeared legitimate.
However, when the device was connected to the official Ledger Live app—already installed on their computer—it failed the built-in “Genuine Check.”
Upon opening the device, they found altered hardware and firmware designed to capture sensitive wallet data.
According to the researcher, the scam primarily targets first-time users. A QR code included in the box typically directs victims to download a malicious version of Ledger Live, which displays a fake “Genuine Check.”
Users who follow the setup process risk exposing their seed phrases, allowing attackers to drain funds at any time.

“Stay safe out there. Only download Ledger Live from ledger.com. Only buy hardware from ledger.com,” the security researcher said.
“If your device fails the Genuine Check — stop using it immediately.”
After disassembling the device, the researcher found clear evidence of tampering, including scraped chip markings and the presence of a Wi-Fi and Bluetooth antenna embedded inside the unit.
Authentic Ledger devices are designed to keep private keys fully offline, making such components a major red flag.
Digging deeper, the researcher examined the firmware by putting the chip into boot mode. Initially, the device identified itself as a Nano S Plus 7704 with a serial number.
However, once the boot process completed, a different manufacturer appeared—Espressif Systems, a Shanghai-based, publicly listed semiconductor company—further confirming the device had been altered.
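The mismatch described above, a "Nano S Plus" product name reported by hardware from a different manufacturer, can be checked from USB descriptors. The following is an added example, not code from the researcher or from Ledger: it parses `lsusb -v` style text and flags contradictory descriptors, assuming the well-known vendor IDs 0x2c97 (Ledger) and 0x303a (Espressif); the sample text and its product IDs are constructed. Descriptors can be forged, so a clean result here does not replace the cryptographic Genuine Check in Ledger Live.

```python
import re

LEDGER_VID = 0x2C97  # USB vendor ID registered to Ledger
# Constructed `lsusb -v` excerpt; product IDs are made up for illustration.
SAMPLE = """\
Bus 001 Device 004: ID 2c97:0001 Ledger Nano S Plus
  idVendor           0x2c97 Ledger
  iManufacturer           1 Ledger
  iProduct                2 Nano S Plus
Bus 001 Device 007: ID 303a:0002 Nano S Plus
  idVendor           0x303a
  iManufacturer           1 Espressif Systems
  iProduct                2 Nano S Plus
Bus 001 Device 002: ID 046d:0003 Logitech Keyboard
  idVendor           0x046d Logitech, Inc.
  iManufacturer           1 Logitech
  iProduct                2 USB Keyboard
"""
FIELD = re.compile(r"^\s+(idVendor|iManufacturer|iProduct)\s+(\S+)\s*(.*)$")

def parse_devices(text):
    """Split lsusb -v text into one dict of descriptor fields per device."""
    devices = []
    for line in text.splitlines():
        if line.startswith("Bus "):
            devices.append({"header": line.strip()})
        elif (m := FIELD.match(line)) and devices:
            key, first, rest = m.groups()
            # idVendor lists the hex ID first; string descriptors list an index first.
            devices[-1][key] = int(first, 16) if key == "idVendor" else rest.strip()
    return devices

def suspicious(dev):
    """Return a reason if the descriptors contradict each other, else None."""
    vid = dev.get("idVendor", 0)
    maker = dev.get("iManufacturer", "").lower()
    product = dev.get("iProduct", "").lower()
    claims_ledger = "ledger" in maker or re.search(r"\bnano (s|x)\b", product)
    if claims_ledger and vid != LEDGER_VID:
        return "Ledger product string on non-Ledger vendor ID 0x%04x" % vid
    if vid == LEDGER_VID and "ledger" not in maker:
        return "Ledger vendor ID with manufacturer string %r" % maker
    return None

def audit(text):
    """List (header, reason) for every device that looks inconsistent."""
    return [(d["header"], r) for d in parse_devices(text) if (r := suspicious(d))]
```
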

