Espressif Systems and Ledger: Fake Ledger Hardware Wallets on Chinese Marketplaces Steal Crypto Seeds and PINs

Sophisticated Supply Chain Attack Targets Crypto Users with Counterfeit Ledger Wallets

A Brazilian cybersecurity researcher uncovered a large-scale supply chain scam involving counterfeit Ledger Nano S Plus hardware wallets sold on a Chinese marketplace. The fake devices, designed to drain cryptocurrency across 20 blockchains, were engineered with tampered hardware, trojanized software, and cross-platform malware, together forming a seamless phishing pipeline.

The researcher, u/Past_Computer2901, purchased the device at the same price as the official Ledger store, with packaging that appeared authentic. Suspicion arose only after the device failed Ledger’s Genuine Check when connected to a legitimate Ledger Live installation. A physical teardown revealed the original secure element chip had been replaced with an ESP32-S3 microcontroller, a generic IoT component from Espressif Systems, with its markings scraped off to avoid detection. The counterfeit device also included a WiFi/Bluetooth antenna, absent in genuine Ledger wallets.

Firmware analysis exposed the full extent of the compromise: every PIN entry and seed phrase was stored in plaintext and transmitted to attacker-controlled command-and-control (C2) servers, including the domain kkkhhhnnn[.]com. The fake firmware, labeled "Nano S+ V2.1", a version that does not exist in Ledger's official releases, was designed to impersonate a legitimate update.

The scam extended beyond the hardware. The counterfeit device shipped with a QR code directing users to a cloned phishing site, where they downloaded a trojanized Ledger Live app. The fake app bypassed security warnings with a hardcoded "Genuine Check" that always returned a success screen, ensuring victims remained unaware of the breach. The malware also exfiltrated wallet data upon use and was distributed across Android, Windows, macOS, and iOS, with the iOS variant spread via Apple’s TestFlight to evade App Store reviews.

Infrastructure analysis linked the operation to a Shanghai-based shell company, with three C2 servers, a cloned website, and a QR code redirect chain. While Ledger’s official Genuine Check can detect the counterfeit device, the scam’s success relied on victims never using the legitimate Ledger Live app.
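The one network indicator the report publishes is the C2 domain kkkhhhnnn[.]com. A defender's first practical step is to sweep DNS logs for it, matching subdomains as well as the apex and refanging the defanged IOC only in memory. The script below is an added example, not code from the article or from Ledger; the log format and every log line in it are constructed for illustration, and only the domain itself comes from the report.

```python
"""Sweep DNS query logs for the published C2 indicator.

Added example (not from the article or Ledger). The log lines below are
constructed; only kkkhhhnnn[.]com is taken from the report.
"""
import re

# IOC kept in its defanged form so the source file never contains a live
# hostile hostname; it is refanged only when compared against log data.
DEFANGED_C2 = ["kkkhhhnnn[.]com"]


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', '(.)', 'hxxp') and normalise case."""
    return (ioc.replace("[.]", ".")
               .replace("(.)", ".")
               .replace("hxxp", "http")
               .strip()
               .lower())


def matches_ioc(hostname: str, iocs=DEFANGED_C2) -> bool:
    """True if hostname is the IOC or a subdomain of it.

    The '.' prefix on the endswith check matters: without it,
    'notkkkhhhnnn.com' would be a false positive.
    """
    h = hostname.lower().rstrip(".")        # tolerate FQDN trailing dot
    for ioc in iocs:
        d = refang(ioc)
        if h == d or h.endswith("." + d):
            return True
    return False


# Constructed sample in a dnsmasq-style layout: "<ts> <client> query[<type>] <qname>".
# Real dnsmasq logs differ in detail; adapt LOG_RE to whatever resolver you run.
SAMPLE_LOG = """\
2026-04-12T09:14:03Z 10.0.0.23 query[A] ledger.com
2026-04-12T09:14:05Z 10.0.0.23 query[A] api.kkkhhhnnn.com
2026-04-12T09:15:11Z 10.0.0.41 query[AAAA] notkkkhhhnnn.com
this line is not a query record and is skipped
2026-04-12T09:16:40Z 10.0.0.23 query[A] KKKHHHNNN.COM.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query\[(?P<qtype>\w+)\] (?P<qname>\S+)$"
)


def scan_dns_log(text: str, iocs=DEFANGED_C2):
    """Return (timestamp, client, qname) for every query that hits an IOC."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # unparsable line: skip, do not crash
        if matches_ioc(m["qname"], iocs):
            hits.append((m["ts"], m["client"], m["qname"]))
    return hits


if __name__ == "__main__":
    for ts, client, qname in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} resolved {qname}")
```

Run against the constructed sample it reports the two queries from 10.0.0.23 (`api.kkkhhhnnn.com` and the upper-case FQDN form) and ignores the look-alike `notkkkhhhnnn.com`; a hit on a real network identifies the host that plugged in a counterfeit device and should trigger moving funds to a wallet generated on genuine hardware.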

The researcher submitted a full technical report to Ledger’s security team, with further analysis pending. The attack has already resulted in confirmed financial losses exceeding $9.5 million across more than 50 victims, marking one of the most advanced hardware wallet supply chain attacks documented to date.

Source: https://cybersecuritynews.com/fake-ledger-hardware-wallets/

Espressif Systems cybersecurity rating report: https://www.rankiteo.com/company/espressif-systems

Ledger cybersecurity rating report: https://www.rankiteo.com/company/ledgerhq

"id": "ESPLED1776435883",
"linkid": "espressif-systems, ledgerhq",
"type": "Vulnerability",
"date": "4/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': '50+ confirmed victims',
                        'industry': 'Cryptocurrency',
                        'location': 'Global (primarily victims using '
                                    'counterfeit devices)',
                        'name': 'Ledger',
                        'type': 'Hardware Wallet Manufacturer'}],
 'attack_vector': ['Hardware Tampering', 'Trojanized Software', 'Phishing'],
 'data_breach': {'data_encryption': 'No (stored in plaintext)',
                 'data_exfiltration': 'Yes (to attacker-controlled C2 servers)',
                 'personally_identifiable_information': 'Yes (wallet data, '
                                                        'seed phrases)',
                 'sensitivity_of_data': 'High (cryptocurrency wallet '
                                        'credentials)',
                 'type_of_data_compromised': ['PIN entries',
                                              'Seed phrases',
                                              'Wallet data',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'description': 'A Brazilian cybersecurity researcher uncovered a large-scale '
                'supply chain scam involving counterfeit Ledger Nano S Plus '
                'hardware wallets sold on a Chinese marketplace. The fake '
                'devices, designed to drain cryptocurrency across 20 '
                'blockchains, were engineered with tampered hardware, '
                'trojanized software, and cross-platform malware creating a '
                'seamless phishing pipeline.',
 'impact': {'brand_reputation_impact': 'Severe (counterfeit devices, phishing '
                                       'pipeline)',
            'data_compromised': ['PIN entries', 'Seed phrases', 'Wallet data'],
            'financial_loss': '$9.5 million',
            'identity_theft_risk': 'High (PII and wallet data exfiltration)',
            'operational_impact': 'Cryptocurrency theft across 20 blockchains',
            'payment_information_risk': 'High (cryptocurrency theft)',
            'systems_affected': ['Ledger Nano S Plus (counterfeit)',
                                 'Ledger Live (trojanized)',
                                 'Cross-platform malware (Android, Windows, '
                                 'macOS, iOS)']},
 'initial_access_broker': {'backdoors_established': ['ESP32-S3 microcontroller',
                                                     'WiFi/Bluetooth antenna',
                                                     'Trojanized firmware'],
                           'entry_point': 'Counterfeit Ledger Nano S Plus '
                                          'hardware wallets',
                           'high_value_targets': 'Cryptocurrency users'},
 'investigation_status': "Ongoing (technical report submitted to Ledger's "
                         'security team)',
 'motivation': 'Financial Gain',
 'post_incident_analysis': {'root_causes': ['Counterfeit hardware supply chain',
                                            'Trojanized software distribution',
                                            'Phishing via cloned websites']},
 'references': [{'source': 'u/Past_Computer2901 (Brazilian cybersecurity '
                           'researcher)'}],
 'threat_actor': 'Shanghai-based shell company',
 'title': 'Sophisticated Supply Chain Attack Targets Crypto Users with '
          'Counterfeit Ledger Wallets',
 'type': 'Supply Chain Attack',
 'vulnerability_exploited': ['Counterfeit Hardware',
                             'Fake Firmware',
                             'Malicious QR Code',
                             'Cloned Phishing Site']}