Last week someone on the Ledger subreddit reported receiving an unsolicited package with a Ledger Nano X along with a letter from “the CEO” of Ledger. The scam tries to trick people into migrating their crypto holdings onto the new, modified device. Kraken Security Labs decided to explore this supposed phishing scam.
In the video above, our security team demonstrates how this scam was supposed to play out and, as with previous Ledger phishing attacks, will explain how best to avoid these attacks from happening to you.
As an important note, there are no flaws with the Ledger wallet or its firmware. The purpose of the video and blog is to simply increase awareness about this phishing attack, as this is often the single-best way to prevent crypto holders falling victim to these attempts.
The Letter and Device
The package was delivered in what appeared to be official Ledger shrink wrapping. But after opening the package, the recipient spotted an immediate red flag. The letter, which was purportedly from Ledger CEO Pascal Gauthier, was in poorly-written English and had errors throughout; hardly consistent with the communication clients usually receive from companies.
Having already heard about Ledger falling victim to a data breach in the past, the recipient felt increasingly suspicious. They decided to take the Ledger apart and posted pictures of the insides on Reddit. The community quickly discovered that a tiny USB stick had been secretly implanted into the device. Once plugged into a computer, the device would appear as a USB stick, containing a malicious application attempting to phish the user’s seed
You can also check out Bleepingcomputer’s full writeup of the attack here.
Rebuilding The Attack
Kraken Security Labs has rebuilt the attack to demonstrate how this highly sophisticated, real-world phishing attack works, so clients are prepared in case anyone should ever attempt this on them.
Kraken Security Labs ordered a Ledger Nano X wallet online. Once received, we used a simple tiny USB-stick as an implant, extracted from a promotional gift. After removing some padding, the USB stick fitted perfectly underneath the display of the wallet.
Next, just like the original attacker, we used magnet wire to connect the contacts of the USB-stick to the USB data-lines on the original wallet’s Printed Circuit Board (PCB), which connects all the device’s electrical components together.
To prevent conflicts between the USB-stick and the Ledger CPU we had to make additional modifications. Hardware security expert Mike Grover highlighted that the attackers had removed an oscillator – a component which basically allows the device to keep time – to prevent the CPU from interfering with the USB-stick. Our testing found that removing that component would disable the device, making the attack more conspicuous. Kraken Security Labs performed a slightly different modification so the wallet would work normally and would therefore raise less suspicion. This included allowing regular connections to the wallet via bluetooth. Additionally we found that the attackers performed further hardware modifications to make the USB connection work.
From the outside, it’s virtually impossible to distinguish a genuine Ledger wallet from a backdoored one. The USB-stick is hidden below the display, and the tiny wires connect it to the Ledger PCB. When plugged in, the wallet will boot, charge its battery, and appear like a completely unmodified Ledger.
When the device is plugged into a computer, it will appear as a USB stick, containing only a phony “Ledger Live” application that will try to trick the victim into entering their seed phrase, which will enable the attackers to drain funds from their wallet.
Reminder
When utilizing a hardware wallet, always make sure you order directly from the vendor and check that the packaging, including the cellophane wrapping, has not been tampered with.
If you are ever in doubt, contact the wallet vendor directly or speak to someone through the official support portal.
Stay up-to-date with the latest security alerts and best practices with Kraken Security Labs.
Discussion about this post