A Brazil-based security researcher exposes a counterfeit Ledger Nano S+ operation using malicious firmware and fake apps to drain wallets across 20 blockchains.
A Brazil-based security researcher has uncovered one of the most sophisticated counterfeit Ledger Nano S+ operations ever documented. The fake device, sourced from a Chinese marketplace, carried custom malicious firmware and a cloned app. The attacker immediately stole every seed phrase that users entered.
The researcher bought the device on suspicion of price irregularities. Upon opening it, the counterfeit nature was apparent. Instead of discarding it, a full teardown followed.
What Was Hidden Inside the Chip
The genuine Ledger Nano S+ uses an ST33 Secure Element chip. This device had an ESP32-S3 instead. The chip markings had been physically sanded down to block identification. The firmware identified itself as “Ledger Nano S+ V2.1” — a version that doesn’t exist.
Investigators found seeds and PINs stored in plain text after conducting a memory dump. The firmware beaconed to a command-and-control server at kkkhhhnnn[.]com. Any seed phrase entered into this hardware was exfiltrated immediately.
The device supports roughly 20 blockchains for wallet draining. That’s not a minor operation.
Five Attack Vectors, Not One
The seller bundled a modified “Ledger Live” app with the device. The developers built the app with React Native using Hermes v96 and signed it with an Android Debug certificate. The attackers didn’t bother obtaining a legitimate signature.
The app hooks into XState to intercept APDU commands. It uses stealthy XHR requests to pull data out silently. Investigators identified two additional command-and-control servers: s6s7smdxyzbsd7d7nsrx[.]icu and ysknfr[.]cn.
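The three command-and-control domains quoted above (one from the firmware beacon, two from the cloned app) are the only network indicators the write-up gives, so the practical defender question is whether anything on the network has resolved them. The following is an added example, not code from the researcher or from Ledger: it refangs the published indicators, scans constructed DNS-query log lines (the log format is an assumption) for the domains and their subdomains, and flags a firmware version string that does not look like the plain dotted release numbers genuine Nano S+ firmware reports (that pattern is also an assumption; the counterfeit's “Ledger Nano S+ V2.1” string is from the article).

```python
import re

# Indicators as published in the write-up (defanged). SAMPLE_LOG below is constructed.
DEFANGED_C2 = ["kkkhhhnnn[.]com", "s6s7smdxyzbsd7d7nsrx[.]icu", "ysknfr[.]cn"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in DEFANGED_C2}

def host_matches_c2(host: str) -> bool:
    """True if host is one of the C2 domains or any subdomain of one."""
    host = host.lower().rstrip(".")          # tolerate a trailing FQDN dot
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_DOMAINS)

# Assumed log line shape: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)$")

def scan_dns_log(lines) -> list:
    """Return one dict per line whose queried name matches a C2 indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                          # skip malformed lines, don't crash
        if host_matches_c2(m["qname"]):
            hits.append({"ts": m["ts"], "src": m["src"], "qname": m["qname"]})
    return hits

# Assumption: genuine firmware reports a bare dotted release number such as 1.1.0.
# The counterfeit announced itself as "Ledger Nano S+ V2.1", which fails this.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

def firmware_version_looks_genuine(reported: str) -> bool:
    return bool(VERSION_RE.match(reported.strip()))

SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 query www.ledger.com
2024-01-01T10:00:03Z 10.0.0.5 query api.kkkhhhnnn.com
2024-01-01T10:00:07Z 10.0.0.9 query ysknfr.cn.
not a log line and should be ignored
2024-01-01T10:00:09Z 10.0.0.9 query notysknfr.cn
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ts']} {hit['src']} resolved C2 host {hit['qname']}")
```

The suffix match is deliberate: a look-alike such as notysknfr.cn is not flagged, while a subdomain of a listed C2 is.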
This isn’t limited to Android. The same operation distributes a .EXE for Windows and a .DMG for macOS, resembling campaigns tracked by Moonlock under AMOS/JandiInstaller. An iOS TestFlight version also circulates, bypassing App Store review entirely — a tactic previously tied to CryptoRom scams. Five vectors total: hardware, Android, Windows, macOS, iOS.
The Genuine Check Can’t Save You Here
Ledger’s official guidance confirms that genuine devices carry a secret cryptographic key set during manufacturing. The Ledger Genuine Check in Ledger Wallet verifies this key every time a device connects. According to Ledger’s support documentation, only a genuine device can pass that check.
The problem is simple. A compromise during manufacturing renders any software check ineffective. The malicious firmware mimics enough of the expected behavior to get past basic checks. The researcher confirmed this directly in the teardown.
Past supply chain attacks targeting Ledger users have repeatedly shown that packaging-level verification alone is inadequate. Documented cases on BitcoinTalk record individual users losing over $200,000 to fake hardware wallets from third-party marketplaces.
Where These Devices Are Being Sold
Third-party marketplaces are the primary distribution channel. Amazon third-party sellers, eBay, Mercado Livre, JD, and AliExpress all have documented histories of listing compromised hardware wallets, the researcher noted in the Reddit post on r/ledgerwallet.
The price point is deliberately suspicious. That’s the lure. A non-official source doesn’t offer a discounted Ledger as a deal—it sells a compromised product to benefit the attacker.
Ledger’s official channels are its own e-commerce website at Ledger.com and verified Amazon stores across 18 countries. Nowhere else carries any guarantee of authenticity.
What the Researcher Is Doing Next
The team prepared a comprehensive technical report for Ledger’s Donjon team and its phishing bounty program, and it will release the full write-up after Ledger completes its internal review.
The researcher has made IOCs available to other security professionals via direct messages. Anyone who bought a device from a questionable source can reach out for identification help.
The key red flags remain simple. A pre-generated seed phrase included with the device is a scam. Documentation asking users to type a seed phrase into an app is a scam. Destroy the device immediately in either case.
