Counterfeit Ledger Nano S+ scam targets crypto newbies with fake wallets

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.

A counterfeit Ledger Nano S+ scam targeting cryptocurrency newcomers has exposed a sophisticated supply-chain attack that steers buyers around Ledger’s own security checks and uses convincing packaging to deceive them. Brazilian cybersecurity researcher Past_Computer2901 purchased a fake Ledger Nano S+ from a major Chinese marketplace at the official retail price, complete with authentic-looking packaging, only to discover that the device was a trojanized clone designed to steal crypto assets.

Key Takeaways

  • Counterfeit Ledger Nano S+ devices are sold at official prices on Chinese marketplaces with nearly identical packaging and branding.
  • Fake wallets contain substituted hardware: an ESP32-S3 microcontroller and a hidden WiFi/Bluetooth antenna in place of the certified secure element a genuine Nano S+ uses.
  • Device firmware stores PINs and seed phrases in plaintext with hardcoded references to attacker command-and-control servers.
  • The scam includes a fake Ledger Live app, reached through a QR code in the packaging, that never runs the real “Genuine Check”, displays a false pass, and asks the user to type in the seed phrase.
  • Related counterfeit app drained over $9.5 million from 50+ victims across multiple platforms.

How the Counterfeit Ledger Nano S+ Scam Works

The counterfeit Ledger Nano S+ scam is a two-stage attack that combines hardware tampering with a trojanized companion app. Connected to the genuine Ledger Live, the fake device fails the “Genuine Check” verification, but most first-time users never reach that point. The packaging includes a QR code directing them to download a fake Ledger Live app that closely mimics the real one. That app never performs the check at all; it simply displays a “Genuine Check” pass, convincing users that their device is authentic.

During the fake setup process, victims type their seed phrase and PIN directly into the malicious app, which captures both for the attacker. That step alone should be a red flag: the genuine software never asks for the recovery phrase, which is generated on the device and shown only on its screen. The counterfeit hardware itself runs firmware that stores these details in plaintext and carries references to attacker-controlled command-and-control servers. This dual-vector approach, physical counterfeiting plus app-based social engineering, makes the scam especially effective against newcomers who have never seen the genuine workflow.

Counterfeit Ledger Nano S+ Hardware Reveals Sophisticated Manufacturing

The internal modifications in the counterfeit Ledger Nano S+ reveal professional-grade counterfeiting. The researcher found an ESP32-S3 microcontroller from Espressif Systems (Shanghai-based) in place of the certified secure element that a genuine Nano S+ uses. The fake wallet also carries a WiFi and Bluetooth antenna, which a real Nano S+ does not have at all (the Nano S+ has no wireless radio), giving the clone a path to attacker infrastructure. Chip markings were deliberately scraped off to obscure the true origin.

When booted in debug mode, the counterfeit device first identifies itself with spoofed Ledger serial numbers and factory names, then reveals its Espressif Systems origin. This suggests the attackers have access to manufacturing capabilities or partnerships with component suppliers in China. The firmware contains hardcoded references to attacker command-and-control servers, though the researcher found no evidence of active wireless exfiltration or BadUSB-style behaviour at the time of analysis. With a radio on the board and the endpoints already in the firmware, that capability would need only a firmware change, not a hardware one.
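The two firmware indicators described above, plaintext seed material and hardcoded command-and-control endpoints, are exactly what a first pass over a flash dump can surface. The script below is an added example and is not the researcher’s tooling. It assumes the ESP32-S3 flash has already been read out (the esptool.py invocation in the docstring is the standard one for that chip; the 4 MiB size is an assumption), and it runs here over a small constructed blob with a placeholder endpoint on the reserved example.net domain rather than the article’s real C2 hosts.

```python
"""Triage a raw flash dump from a suspected counterfeit hardware wallet.

Added example, not the researcher's tooling. Assumes the flash has already
been read out; for an ESP32-S3 the usual command is
    esptool.py --chip esp32s3 --port /dev/ttyUSB0 read_flash 0 0x400000 flash.bin
(the 4 MiB size is an assumption; adjust to the part's flash size).
"""
import re
import sys
from typing import Dict, List

# Runs of printable ASCII, the same idea as strings(1).
_PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")

# Remote endpoints: a URL with a scheme, or a dotted IPv4 with an optional port.
_ENDPOINT = re.compile(
    rb"(?:https?|wss?|mqtts?)://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[\x21-\x7e]*)?"
    rb"|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"
)

# A BIP39 mnemonic is 12, 15, 18, 21 or 24 lowercase words of 3 to 8 letters.
_SEED_WORD_COUNTS = {12, 15, 18, 21, 24}
_WORD = re.compile(rb"^[a-z]{3,8}$")


def printable_strings(blob: bytes) -> List[bytes]:
    return [m.group(0) for m in _PRINTABLE.finditer(blob)]


def find_endpoints(blob: bytes) -> List[bytes]:
    """Hardcoded hosts/URLs: firmware that should only speak USB has no business holding these."""
    return sorted({m.group(0) for m in _ENDPOINT.finditer(blob)})


def find_seed_candidates(blob: bytes) -> List[bytes]:
    """Space-separated runs of lowercase words in a mnemonic's layout.

    Layout only: a real triage would also check every word against the
    2048-word BIP39 list (not embedded here). A genuine device keeps the
    seed inside the secure element, so any hit in a flash dump is damning.
    """
    hits: List[bytes] = []
    for s in printable_strings(blob):
        run: List[bytes] = []
        for token in s.split(b" ") + [b""]:   # sentinel flushes the final run
            if _WORD.match(token):
                run.append(token)
                continue
            if len(run) in _SEED_WORD_COUNTS:
                hits.append(b" ".join(run))
            run = []
    return hits


def triage(blob: bytes) -> Dict[str, List[bytes]]:
    return {"endpoints": find_endpoints(blob), "seed_candidates": find_seed_candidates(blob)}


# Constructed stand-in for a dump; nothing here is copied from the real clone.
# example.net is a reserved domain and 203.0.113.0/24 is a documentation range.
SAMPLE_DUMP = (
    b"\xff" * 32
    + b"LEDGER-NANO-SPLUS-0001\x00"          # spoofed branding string, made up
    + b"wss://c2.example.net:8443/u\x00"     # placeholder C2 endpoint
    + b"203.0.113.7:1883\x00"                # placeholder MQTT-style endpoint
    + b"abandon ability able about above absent absorb abstract absurd abuse access accident\x00"
    + b"pin=1234\x00"
    + b"\xff" * 32
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for kind, values in triage(data).items():
        print(f"{kind}:")
        for v in values:
            print("   ", v.decode("ascii", "replace"))
```

Run it with a dump path as the first argument, or with no argument to see it work on the constructed blob. The seed heuristic looks only at word layout, so a phrase glued to a key=value prefix would need the tokenizer adjusted, and a real triage should confirm each candidate word against the BIP39 list before concluding anything.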

Why Ledger’s Security Checks Failed

Ledger’s “Genuine Check”, which has the device prove with a key provisioned at manufacture that it is real Ledger hardware, does flag the counterfeit when the device is connected to the official Ledger Live desktop application. It still failed to protect buyers in the counterfeit Ledger Nano S+ scam, and the reason exposes a structural weakness: the check lives in software the buyer has to obtain for themselves, so it does nothing against a supply-chain compromise in which counterfeit hardware and counterfeit software arrive together through a legitimate-looking channel at the official price. A Ledger spokesperson acknowledged the issue, stating that “when purchasing from a marketplace, Ledger strongly encourages users to verify the identity of the seller” and to download apps only from official sources.

The responsibility thus shifts to end users, which is particularly risky advice for newcomers who lack the expertise to distinguish official retailers from counterfeiters. The fake Ledger Live app that passed Mac App Store review and drained $9.5 million from 50+ victims shows how attackers exploit platform review processes alongside hardware counterfeiting. Ledger’s genuine check is worthless once users are steered to a fake app that simulates the entire onboarding flow without raising a single warning.
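Why a fake companion app defeats the check even though a genuine device really does attest itself is easiest to see in a small model, covering both the two-stage attack described earlier and this section’s point. The following is an added example, not Ledger’s code or protocol: it stands in an HMAC keyed with a factory-provisioned secret for Ledger’s real per-device attestation signatures, and the VerificationServer, GenuineDevice, CounterfeitDevice, official_client and fake_client names are hypothetical. A clone that copies a genuine serial string still fails the official client; the fake client never asks the server at all.

```python
"""Model of why a spoofed client defeats a device genuine check.

Added example, not Ledger's code or protocol. A real device answers with an
attestation signature chained to Ledger; here a keyed HMAC with a
factory-provisioned secret stands in for that. The trust relationship the
model shows is the same: the verdict comes from the server, and the user
only ever sees what the client software chooses to display.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Union

_LABEL = b"genuine-check|"   # hypothetical domain-separation label


def _mac(key: bytes, serial: str, challenge: bytes) -> bytes:
    return hmac.new(key, _LABEL + serial.encode() + b"|" + challenge, hashlib.sha256).digest()


@dataclass
class VerificationServer:
    """Stands in for the vendor's verification back end: one secret per
    serial it provisioned at the factory (constructed, not real data)."""
    provisioned: Dict[str, bytes]

    def challenge(self) -> bytes:
        return secrets.token_bytes(32)     # fresh per check, so a captured answer cannot be replayed

    def verify(self, serial: str, challenge: bytes, response: bytes) -> bool:
        key = self.provisioned.get(serial)
        if key is None:
            return False                   # a serial the vendor never provisioned
        return hmac.compare_digest(_mac(key, serial, challenge), response)


@dataclass
class GenuineDevice:
    serial: str
    key: bytes                             # lives in the secure element, never exported

    def attest(self, challenge: bytes) -> bytes:
        return _mac(self.key, self.serial, challenge)


@dataclass
class CounterfeitDevice:
    """Clone that reports a copied genuine serial (as the article's ESP32-S3
    unit did in debug output) but holds no provisioned secret."""
    serial: str

    def attest(self, challenge: bytes) -> bytes:
        # The best it can do is invent a value; it cannot compute the keyed MAC.
        return hashlib.sha256(self.serial.encode() + challenge).digest()


Device = Union[GenuineDevice, CounterfeitDevice]


def official_client(server: VerificationServer, device: Device) -> bool:
    """Genuine companion-app behaviour: relay a server challenge to the
    device and show the user whatever the server decides."""
    challenge = server.challenge()
    return server.verify(device.serial, challenge, device.attest(challenge))


def fake_client(server: VerificationServer, device: Device) -> bool:
    """The trojanized companion app: never talks to the server, never
    challenges the device, and paints a green 'Genuine' screen regardless."""
    return True


def run_scenarios() -> Dict[str, bool]:
    factory_key = secrets.token_bytes(32)                      # constructed per-device secret
    server = VerificationServer(provisioned={"0001-ABCD": factory_key})
    genuine = GenuineDevice(serial="0001-ABCD", key=factory_key)
    clone = CounterfeitDevice(serial="0001-ABCD")               # same serial string, no key

    # A response captured from a real device, replayed against a later check.
    replayed = genuine.attest(server.challenge())
    later_challenge = server.challenge()

    return {
        "official_client+genuine_device": official_client(server, genuine),
        "official_client+counterfeit_device": official_client(server, clone),
        "official_client+replayed_response": server.verify(genuine.serial, later_challenge, replayed),
        "fake_client+counterfeit_device": fake_client(server, clone),
    }


if __name__ == "__main__":
    for scenario, verdict in run_scenarios().items():
        print(f"{scenario:40s} -> {'GENUINE' if verdict else 'NOT GENUINE'}")
```

The last scenario is the whole scam in one line: the fake client’s return value is fixed, so the quality of the device-side attestation is irrelevant to what the victim sees.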

Why First-Time Crypto Users Are the Primary Target

The counterfeit Ledger Nano S+ scam is deliberately engineered to catch newcomers who have never set up a hardware wallet. Experienced users would notice that the QR code in the packaging points to an unofficial download, and they would know that genuine Ledger Live never asks for the recovery phrase: the words are generated by the device and shown only on its screen, and a recovery is entered on the device’s own buttons, never typed into a computer or phone. First-time buyers have no such reference point. They trust the packaging, follow the QR code, and complete the setup flow believing they are using genuine Ledger software.

The scammers have optimized every detail: authentic-looking packaging, official retail pricing, a fake app that mimics Ledger’s UI exactly, and a false “Genuine Check” confirmation that appears to validate the device. Once the seed phrase is captured, attackers have full access to any crypto assets the victim deposits into the wallet. The $9.5 million drained across 50+ victims from related counterfeit app operations suggests this attack pattern scales effectively.

What Should Crypto Users Do Now?

Cryptocurrency users should buy hardware wallets only from Ledger directly or from authorized retailers, not from third-party marketplaces or unknown sellers. Before using any Ledger device, verify who sold it and confirm that it came from Ledger or a recognized authorized distributor. Never scan a QR code from the packaging to download Ledger Live; type the address of Ledger’s official website yourself and download the app from there.

Users who suspect they may have purchased a counterfeit Ledger Nano S+ should not enter any seed phrase or PIN into it, and should not install anything the packaging points to. To confirm the verdict, connect the device to a computer that holds no wallet software or keys, running Ledger Live downloaded from the official source, and run the genuine check; the researcher saw no BadUSB behaviour, but hardware running unknown firmware is best plugged into a disposable machine. If the device fails verification, assume it is compromised and stop using it. Anyone who has already typed a seed phrase into a counterfeit device or app must treat that phrase as stolen: generate a fresh seed on a verified device, move all assets to it immediately, and never reuse the old phrase.

Is the counterfeit Ledger Nano S+ scam still active?

Yes. Counterfeit devices are still listed on major Chinese online marketplaces at official retail prices with authentic-looking packaging. The researcher’s findings were shared publicly in Reddit’s r/ledgerwallet community, but the underlying supply-chain attack persists because the counterfeit hardware is manufactured and distributed through channels outside Ledger’s control.

Can Ledger’s genuine check detect all counterfeit wallets?

No. Ledger’s genuine check is defeated when counterfeit hardware is paired with a fake Ledger Live app, because the app never performs the verification at all and simply displays a pass. The check only helps if the device is connected to the legitimate Ledger Live application, and the scam steers users away from that path with a QR code.

How much crypto has been stolen through fake Ledger devices and apps?

A related counterfeit Ledger Live app drained over $9.5 million from 50+ victims across Android, iOS, Windows, macOS, and hardware wallet vectors. The exact amount stolen through counterfeit hardware devices alone has not been publicly disclosed, but the researcher’s analysis suggests the scam is ongoing and actively targeting new users.

The counterfeit Ledger Nano S+ scam represents a critical weakness in the hardware wallet supply chain. Ledger’s security checks and official branding protect only users who purchase from verified sources and download apps from official channels, and the scammers have engineered the attack to route around both. No device-side attestation can help a user who runs attacker-controlled software that lies about the result, so the remaining levers are stricter seller verification by marketplaces and buyers who obtain both the device and the software from sources they have checked. The responsibility for staying safe ultimately falls on users, which is an uncomfortable but unavoidable reality in the current threat landscape.

Edited by the All Things Geek team.

Source: Tom's Hardware
