NEW: Security researcher uncovers large-scale counterfeit Ledger Nano S Plus operation distributing compromised devices across multiple platforms.
A fake unit purchased from a Chinese marketplace contained modified hardware using an ESP32 chip instead of Ledger’s secure element, with seeds and PINs stored in plain text and sent to attacker-controlled servers.
The device ran fake firmware labeled “Nano S+ V2.1” and supported ~20 blockchains, draining any wallet initialized on it.
The seller also provided a malicious version of Ledger Live, built with React Native, signed with a debug certificate, and designed to intercept transactions and exfiltrate sensitive data to multiple command-and-control servers.
The campaign spans five attack vectors: compromised hardware, Android APKs, Windows EXE files, macOS DMG installers, and iOS apps distributed via TestFlight to bypass App Store review.
Experts warn that “genuine check” features can be bypassed if hardware is compromised at the source, making third-party marketplace purchases especially dangerous.
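To make the limitation in that warning concrete, here is an added illustration (not Ledger's own implementation, and not code from the report): a minimal challenge-response attestation of the kind a "genuine check" performs, written in Go with the standard library's ed25519. Every name here (Root, DeviceCert, Provision, GenuineCheck) is hypothetical. It shows why a counterfeit built on an ordinary microcontroller with a self-made key fails the check, and why the check still passes when a device carries a manufacturer-certified key but malicious firmware: the protocol proves possession of a certified key, nothing about what the firmware does with the seed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Root is the manufacturer's attestation root (hypothetical). Only Pub is
// shipped, pinned, inside the companion app; priv stays in the factory.
type Root struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// DeviceCert binds a device attestation key to the root by signature.
// A clone with its own key cannot produce a valid RootSig.
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	RootSig   []byte
}

// Device models the wallet side. FirmwareGenuine is the property the check
// never observes: it is set at provisioning and plays no part in Attest.
type Device struct {
	cert            DeviceCert
	priv            ed25519.PrivateKey
	FirmwareGenuine bool
}

func NewRoot() Root {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Root{Pub: pub, priv: priv}
}

// Provision models the factory step: mint a device key and certify it.
// Passing false models a device compromised at the source but still certified.
func (r Root) Provision(firmwareGenuine bool) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{
		cert:            DeviceCert{DevicePub: pub, RootSig: ed25519.Sign(r.priv, pub)},
		priv:            priv,
		FirmwareGenuine: firmwareGenuine,
	}
}

// NewCounterfeit models a fake with a self-generated key and a self-signed cert.
func NewCounterfeit() *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{cert: DeviceCert{DevicePub: pub, RootSig: ed25519.Sign(priv, pub)}, priv: priv}
}

// NewChallenge is the verifier's fresh nonce; reusing one would let an old
// signature be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Attest is the device's reply: its certificate plus a signature over the challenge.
func (d *Device) Attest(challenge []byte) (DeviceCert, []byte) {
	return d.cert, ed25519.Sign(d.priv, challenge)
}

// GenuineCheck is the companion-app side: chain the device key to the pinned
// root, then confirm the device holds that key. Nothing here inspects firmware.
func GenuineCheck(rootPub ed25519.PublicKey, challenge []byte, cert DeviceCert, sig []byte) error {
	if len(cert.DevicePub) != ed25519.PublicKeySize {
		return errors.New("malformed device key")
	}
	if !ed25519.Verify(rootPub, cert.DevicePub, cert.RootSig) {
		return errors.New("device key not certified by manufacturer root")
	}
	if !ed25519.Verify(cert.DevicePub, challenge, sig) {
		return errors.New("device does not hold the certified private key")
	}
	return nil
}

func main() {
	root := NewRoot()
	for _, tc := range []struct {
		name string
		dev  *Device
	}{
		{"genuine device", root.Provision(true)},
		{"clone with self-made key", NewCounterfeit()},
		{"certified key, malicious firmware", root.Provision(false)},
	} {
		ch := NewChallenge()
		cert, sig := tc.dev.Attest(ch)
		fmt.Printf("%-36s check=%v firmwareGenuine=%v\n", tc.name, GenuineCheck(root.Pub, ch, cert, sig), tc.dev.FirmwareGenuine)
	}
}
```

The third case is the one the warning is about: the check reports success while FirmwareGenuine is false, because the fake firmware holds a legitimately certified key. Attestation closes the door on clones that never touched the factory, not on devices whose provisioning or distribution chain was subverted, which is why purchase channel matters as much as the check itself.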
Users are urged to only buy hardware wallets directly from official sources, avoid devices with pre-generated seeds, and never enter recovery phrases into companion apps.
A full report has been submitted to Ledger’s security team, with further technical details expected after internal review.
