Counterfeit Ledger Wallet Scam Targeting First-Time Users Traced to Chinese Marketplace

A Brazilian cybersecurity researcher found that the fake Ledger wallet was the front end of a fully trojanized phishing operation capable of draining wallets across 20 blockchains.

Written By:
Dhara Chavda

Last updated: April 17, 2026 3:11 PM
Published April 17, 2026 1:00 PM

A cybersecurity researcher from Brazil has uncovered a large-scale phishing operation after purchasing what he believed to be a legitimate Ledger Nano S+ hardware wallet from a major Chinese marketplace. The findings, shared on Reddit by user u/Past_Computer2901, reveal a sophisticated supply-chain attack that targets first-time crypto users with counterfeit hardware and trojanized companion software.

Contrary to initial assumptions, the researcher did not purchase the device as a research project. It was bought for actual use, at a price matching the official Ledger store. The listing appeared legitimate, and the packaging looked authentic from the outside. It was only after Ledger’s built-in Genuine Check flagged the device as fake that the researcher decided to crack it open.

Inside the Counterfeit Device

According to a Reddit post, once opened, the device revealed clear signs of tampering. The chip markings had been physically scraped off to prevent identification. More tellingly, the device contained a WiFi/Bluetooth antenna—a component entirely absent from a genuine Ledger Nano S+. By measuring the chip’s package size and pin layout, the researcher identified it as an ESP32-S3 with internal flash, a generic IoT microcontroller manufactured by Espressif Systems.

When put into boot mode, the chip initially identified itself as “Nano S+ 7704” with a spoofed serial number and Ledger’s factory name. However, once the boot sequence completed, the mask dropped and revealed its true manufacturer: Espressif Systems. A full firmware dump confirmed the worst — the PIN the researcher had created and the seed phrases from two test wallets were all stored in plaintext, alongside multiple hardcoded references to external command-and-control (C2) servers.

How the Scam Actually Works

Despite the WiFi/Bluetooth antenna being present in the hardware, the researcher found no firmware functions related to wireless data exfiltration. The antenna exists but is unused. Similarly, there were no BadUSB-style attack scripts that would inject keystrokes when the device is plugged in.

Instead, the attack relies on social engineering. Inside the packaging, a “Start Here” card with a QR code redirects users to a cloned website that mimics ledger.com. From there, the victim downloads a fake “Ledger Live” application available for Android, iOS, Windows, and macOS. The fake app shows a hardcoded “Genuine Check” screen that always passes, giving the user a false sense of security. Every seed phrase and PIN entered through the fake app is quietly exfiltrated to the attacker’s infrastructure.

The Fake Ledger Live App: More Than Just Seed Theft

The researcher decompiled the fake Ledger Live APK for Android and found capabilities that go well beyond stealing seed phrases. The app was built with React Native and the Hermes engine (v96) and signed with an Android debug certificate—an indication the attackers did not invest in proper code signing.

Key capabilities identified in the fake APK include:

  • Intercepting APDU commands (the communication protocol between app and device) using XState state machine hooks
  • Making stealth XHR requests to exfiltrate data to C2 servers
  • Requesting location permissions and continuing to run in the background for approximately 10 minutes after the app is closed
  • Monitoring wallet balances via public keys, allowing the attacker to know exactly when a victim deposits funds and how much

The researcher also confirmed that trojanized versions of the app exist for Windows (.EXE), macOS (.DMG), and iOS (distributed via Apple’s TestFlight, bypassing App Store review entirely).

C2 Infrastructure and Distribution Network

Three command-and-control domains were identified: kkkhhhnnn[.]com (extracted from firmware), s6s7smdxyzbsd7d7nsrx[.]icu and ysknfr[.]cn (extracted from the APK). All three were registered through the same registrar with matching nameserver infrastructure, linking them to a single operation.

The distribution was traced back to a shell company registered specifically to sell through the marketplace. The operation combines counterfeit hardware, trojanized multi-platform software, a cloned website, and a QR code redirect chain into a unified phishing pipeline.

Ledger’s Genuine Check Works — But That’s Not the Point

In an important correction to his initial post, the researcher clarified that Ledger’s official Genuine Check — the cryptographic attestation built into the real Ledger Live app — does successfully flag this counterfeit device. This is not a zero-day vulnerability or a flaw in Ledger’s security architecture.

The critical danger lies in the fact that the scam is designed so the victim never interacts with the real Ledger Live at all. A first-time crypto user unboxing this device is guided by the included QR code to a fake website, where they download the fake app. They never visit ledger.com, never run the real Genuine Check, and therefore never receive the warning.
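The difference between a real attestation check and the fake app's hardcoded screen is easiest to see in code. The following is an added, simplified model (not Ledger's actual protocol or Ledger Live's code): a trusted app sends a fresh challenge, verifies the device's signature over it, and verifies that the device key was signed by a vendor root key the app ships with; the trojanized app's "check" consults none of these.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device is a constructed model of a wallet's attestation interface. cert is the vendor
// root's signature over pub; a counterfeit has no such signature, so it self-signs instead.
type Device struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	cert []byte
}

// Attest returns the device key, its certificate and a signature over the caller's challenge.
func (d *Device) Attest(challenge []byte) (ed25519.PublicKey, []byte, []byte) {
	return d.pub, d.cert, ed25519.Sign(d.priv, challenge)
}

// NewGenuineDevice holds a key the vendor root signed at the factory.
func NewGenuineDevice(rootPriv ed25519.PrivateKey) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{pub: pub, priv: priv, cert: ed25519.Sign(rootPriv, pub)}
}

// NewCounterfeitDevice can sign challenges, but nothing ties its key to the vendor root.
func NewCounterfeitDevice() *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Device{pub: pub, priv: priv, cert: ed25519.Sign(priv, pub)}
}

// GenuineCheck is the real check: fresh challenge, valid signature, key chained to the trusted root.
func GenuineCheck(root ed25519.PublicKey, d *Device) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	pub, cert, sig := d.Attest(challenge)
	if !ed25519.Verify(root, pub, cert) {
		return false // device key was never issued by the vendor
	}
	return ed25519.Verify(pub, challenge, sig)
}

// FakeGenuineCheck is the trojanized app's screen: no root, no challenge, always "genuine".
func FakeGenuineCheck(_ *Device) bool { return true }

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("real check, genuine device:", GenuineCheck(rootPub, NewGenuineDevice(rootPriv)))
	fmt.Println("real check, counterfeit:", GenuineCheck(rootPub, NewCounterfeitDevice()))
	fmt.Println("fake app, counterfeit:", FakeGenuineCheck(NewCounterfeitDevice()))
}
```

The lesson the incident illustrates is that an attestation result is only as trustworthy as the software that verifies it, which is why the first step after unboxing should be installing the companion app from the vendor's own site rather than from a link supplied in the box.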

Ongoing Investigation and Next Steps

The researcher has submitted a full report to Ledger’s security team. A deeper technical breakdown is expected once their analysis is complete. The Windows and macOS payloads still require full reversing, the iOS TestFlight app needs examination, and the C2 infrastructure requires deeper mapping.
