Important: A security researcher has revealed a large-scale operation selling fake and compromised Ledger Nano S Plus devices, distributed across multiple platforms.



A counterfeit device purchased from a Chinese marketplace was found to contain modified hardware that uses an ESP32 chip instead of Ledger’s original security chip. Recovery phrases (seeds) and PINs are stored in plain text and then sent to servers controlled by the attacker.

The device runs counterfeit firmware named Nano S+ V2.1 and supports about 20 blockchain networks; funds are pulled from any wallet created on it.

The seller also provided a malicious version of the Ledger Live app, built with React Native and signed with a debug certificate. It is designed to intercept transactions, steal sensitive data, and send it to multiple command-and-control servers.
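A debug-signed build is one of the few signals here that can be checked before installing anything. The following is an added example, not code from the researcher's report: a heuristic Python check that looks for the Android SDK debug keystore's default subject (`CN=Android Debug`, assumed here) in an APK's signing data. The sample APKs are constructed inline, and a clean result does not prove an app is genuine.

```python
import io
import zipfile

# DER for an X.509 commonName attribute: OID 2.5.4.3, then a string tag
# (0x13 PrintableString or 0x0c UTF8String), length 13, "Android Debug".
# Assumption: the signer used the SDK debug keystore with its default subject.
CN_OID = bytes.fromhex("0603550403")
DEBUG_CN = b"Android Debug"
NEEDLES = [CN_OID + bytes([tag, len(DEBUG_CN)]) + DEBUG_CN for tag in (0x13, 0x0C)]
SIG_EXTS = (".RSA", ".DSA", ".EC")


def debug_cert_locations(apk_bytes):
    """Return the places in the APK where a debug-certificate CN was found."""
    hits = []
    # v2/v3 signatures live in the APK Signing Block, which is stored
    # uncompressed in the file body, so a raw scan sees those certificates.
    if any(n in apk_bytes for n in NEEDLES):
        hits.append("raw file (APK Signing Block or stored entry)")
    # v1 (JAR) signatures are PKCS#7 files under META-INF and may be deflated.
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/") and name.upper().endswith(SIG_EXTS):
                if any(n in zf.read(name) for n in NEEDLES):
                    hits.append(name)
    return hits


def build_sample(cn):
    """Constructed test input: a zip holding a fake META-INF/CERT.RSA blob."""
    blob = b"\x30\x82" + CN_OID + bytes([0x13, len(cn)]) + cn + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/CERT.RSA", blob)
        zf.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, cn in (("debug-signed", b"Android Debug"), ("other", b"Example Corp")):
        print(label, debug_cert_locations(build_sample(cn)))
```

Any hit on an app distributed as a production wallet companion is a reason to reject it; release builds are signed with the publisher's own key.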

The campaign includes five different attack methods:
- Compromised hardware devices.
- Android applications in APK format.
- Windows files in EXE format.
- macOS installers in DMG format.
- iOS applications distributed via TestFlight to bypass App Store review.

Experts warn that the “Verify Authenticity” feature can be bypassed if the hardware is compromised at the source, making purchases from external markets or unofficial sellers extremely risky.

Users are advised to:
- Only buy hardware wallets from official sources.
- Avoid devices that contain pre-generated recovery phrases.
- Never enter recovery phrases into companion apps.

A full report has been submitted to Ledger’s security team, and additional technical details are expected to be published after the internal review ends.