Phishing Scammers Spoof Ledger’s Email to Send Bogus Data Breach Notice

Update (Dec. 19, 8:23 am UTC): This article has been updated to include comments from Ledger’s chief technical officer, Charles Guillemet.

A recent phishing scam targeting Ledger users has come to light, with scammers spoofing the crypto hardware wallet provider’s support emails in an attempt to trick users into revealing their wallet keys. The bogus emails claim that Ledger suffered a "recent data breach" and encourage recipients to verify their private seed phrase under the guise of needing to "safeguard" their assets.

How the Phishing Scam Works

The email appears to be from Ledger’s legitimate support email, but BleepingComputer reports it was actually sent through an email marketing platform. The email leads to a Ledger-branded website that appears legitimate and prompts visitors to "verify your Ledger," falsely claiming to check if their device has been compromised.

A prompt opens in the browser that asks users to enter their seed phrase, a combination of words that, if shared, would give the scammers full control over the wallet and allow them to drain its funds.
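The mismatch described above, a trusted-looking From address on mail that was actually sent through a third-party platform, can be checked from the message headers. The following is an added example, not part of the original article; the sample message and every domain in it are constructed placeholders, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From is one domain, sending infrastructure is another.
SAMPLE = """\
Return-Path: <bounce-123@mailer.example>
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example; s=s1; h=from:subject
From: "Vendor Support" <support@vendor.example>
Subject: Security alert: data breach

Verify your recovery phrase to safeguard your assets.
"""

def org_domain(host):
    # Simplification: keep the last two labels. Real DMARC evaluation
    # uses the Public Suffix List to find the organizational domain.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of(header_value):
    # Extract the domain part of an address header such as From or Return-Path.
    return parseaddr(header_value)[1].rpartition("@")[2]

def alignment_report(raw):
    """Compare the visible From domain with the envelope sender and DKIM d= domains.

    This only compares domains (DMARC-style alignment). It does not verify
    SPF or DKIM itself; that is the receiving mail server's job.
    """
    msg = message_from_string(raw)
    from_dom = org_domain(domain_of(msg.get("From", "")))
    rp_dom = org_domain(domain_of(msg.get("Return-Path", "")))
    dkim_doms = {
        org_domain(d)
        for sig in msg.get_all("DKIM-Signature", [])
        for d in re.findall(r"\bd=([^;\s]+)", sig)
    }
    spf_aligned = bool(from_dom) and rp_dom == from_dom
    dkim_aligned = bool(from_dom) and from_dom in dkim_doms
    return {
        "from": from_dom,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # Neither identifier matches the From domain: treat the sender as unverified.
        "suspicious": not (spf_aligned or dkim_aligned),
    }

if __name__ == "__main__":
    print(alignment_report(SAMPLE))
```

A message flagged here is not proven malicious, but its From address should not be trusted as evidence of who sent it.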

Ledger’s Response

Ledger responded to an X user concerned about the emails, saying that "scam attempts are an unfortunate part of life online and no one is completely immune." The company emphasized that they will never ask for a user’s 24-word recovery phrase. "If someone does, it’s a scam," Ledger wrote.

Is Anyone Falling Victim to This Scam?

It remains unclear if any Ledger users have fallen victim to this phishing scam. Cointelegraph has contacted Ledger for comment and is awaiting their response.

The Ongoing Threat of Phishing Scams

This follows a Dec. 13 incident in which another Ledger user reported losing $2.5 million worth of Bitcoin (BTC) and non-fungible tokens despite claiming to have never revealed their seed phrase online. However, Ledger and other blockchain security firms are adamant that the user was lured into a phishing scam in February 2022 and that the funds were only recently wiped.

Comment from Ledger’s Chief Technical Officer

Ledger chief technical officer Charles Guillemet commented on the issue: "Phishing scams proliferate, and everyone should be aware of them." He added: "Ledger will never ask you to share your account details or 24 words. Your actions on your smartphones and laptops are never fully secure, and that’s why Ledger exists. The only way to secure your own digital assets is to clear-sign everything you do through inherently secure devices."

The Growing Threat of Phishing Scams

Phishing scams are expected to increase this holiday season amid more online transactions, security analysts say. Meta also recently sent a warning to its users, identifying several scam campaigns targeting holiday shoppers, including fake Christmas gift box promotions, fraudulent holiday decoration sales and counterfeit retail coupons.

In fact, crypto scammers may be looking to make up ground this holiday season after phishing losses fell 53% month-on-month in November to $9.3 million. The codebase of Ledger’s connector library — a tool providing Ledger users access to decentralized finance apps — was compromised in December 2023, allowing an attacker to drain $484,000 from victims.

The Importance of Security Awareness

To protect themselves against phishing scams, users should be aware of the following:

  • Be cautious when clicking on links or entering sensitive information online.
  • Verify the authenticity of emails by contacting the company directly through their official channels.
  • Never share your seed phrase with anyone, even if they claim to be from Ledger.

By staying informed and taking proactive measures to secure their digital assets, users can protect themselves against phishing scams and ensure the security of their wallets.