{"id":24575,"date":"2025-08-21T07:58:50","date_gmt":"2025-08-21T11:58:50","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=24575"},"modified":"2025-08-21T16:04:41","modified_gmt":"2025-08-21T12:04:41","slug":"ledger-vulnerability-phishing-scheme-2","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/ledger-vulnerability-phishing-scheme-2\/24575\/","title":{"rendered":"Phishing scam targeting Ledger wallet owners"},"content":{"rendered":"<p>Until recently, scammers had mainly focused on targeting cryptocurrency wallets owned by individual users. However, it appears that businesses are increasingly using cryptocurrencies, so attackers are now trying to get their hands on corporate wallets as well. You don\u2019t have to look far for examples. The recently studied <a href=\"https:\/\/securelist.com\/efimer-trojan\/117148\/\" target=\"_blank\" rel=\"noopener\">Efimer<\/a> malware, which was distributed to organizations, is capable of swapping cryptocurrency wallet addresses in the clipboard. So we weren\u2019t really surprised to observe cryptocurrency phishing campaigns directed at both individual and corporate users. What did come as a surprise, though, was the sophistication of the cover story and of the scam as a whole.\n<\/p>\n<h2>The phishing scheme<\/h2>\n<p>\nThis particular scheme targets users of Ledger hardware cryptocurrency wallets \u2014 specifically the Nano X and Nano S Plus. The scammers send out a phishing email with a lengthy apology. The email claims that, due to a technical flaw, segments of the users\u2019 private keys were transmitted to a Ledger server; the data was well-protected and encrypted, but the \u201ccompany\u2019s team\u201d had discovered a highly complex data breach. 
The attackers\u2019 fake story goes on to state that they\u2019d exfiltrated fragments of keys, and then used extremely advanced methods to decrypt and reconstruct some of them \u2014 \u201cleading to the theft of crypto assets\u201d. Users are then advised to prevent their crypto wallets from being compromised through the same vulnerability, with the attackers recommending immediately updating the firmware of their device.<\/p>\n<div id=\"attachment_54186\" style=\"width: 844px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/08\/21155946\/ledger-vulnerability-phishing-scheme-letter-1.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54186\" class=\"size-full wp-image-54186\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/08\/21155946\/ledger-vulnerability-phishing-scheme-letter-1.jpg\" alt=\"Phishing prompt to update the firmware\" width=\"834\" height=\"920\"><\/a><p id=\"caption-attachment-54186\" class=\"wp-caption-text\">Phishing prompt to update the firmware<\/p><\/div>\n<p>It\u2019s a compelling story, to be sure. But if you apply some critical thinking, a few inconsistencies crop up. For example, it\u2019s unclear how a fragment of a key could be used to reconstruct the whole thing. It\u2019s also completely baffling what these \u201cadvanced decryption methods\u201d are, and how Ledger representatives supposedly know about them.<\/p>\n<p>The email itself is crafted extremely carefully: there\u2019s almost nothing to nitpick. It wasn\u2019t even sent with the help of standard scammer tools; instead, the attackers used a legitimate mailing service, SendGrid. This means the emails have a good reputation and often bypass anti-phishing filters. The only red flags are the sender\u2019s domain and the domain of the website users are told to visit for the firmware update. 
Needless to say, neither has any connection to Ledger.\n<\/p>\n<h2>The scammers\u2019 website<\/h2>\n<p>\nThe website is also very clean and professionally designed \u2014 if you ignore the completely irrelevant domain it\u2019s hosted on, that is. It\u2019s possible the site serves multiple scams, as there\u2019s no mention of a firmware update, and it lists far more devices than the email does. The website even has a functional support chat! While that\u2019s most likely a chatbot, it does respond to questions and gives seemingly helpful advice. The whole point of the site is to get you to enter your seed phrase after you select your device.<\/p>\n<div id=\"attachment_54188\" style=\"width: 1034px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/08\/21155951\/ledger-vulnerability-phishing-scheme-seed-phrase.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-54188\" class=\"size-large wp-image-54188\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2025\/08\/21155951\/ledger-vulnerability-phishing-scheme-seed-phrase-1024x519.jpg\" alt=\"The interface for entering seed phrases\" width=\"1024\" height=\"519\"><\/a><p id=\"caption-attachment-54188\" class=\"wp-caption-text\">The interface for entering seed phrases<\/p><\/div>\n<p>A seed phrase is a randomly generated sequence of words used for recovering access to a cryptocurrency wallet. And as you may have guessed, it should never be entered on any website, as anyone who knows it can gain full access to your crypto assets.<\/p>\n<p>On a separate note, when you search for sites like this one on Google, you\u2019ll find a surprising number of other fake pages of the same kind. 
This type of scam is clearly quite popular.\n<\/p>\n<h2>How to stay out of harm\u2019s way?<\/h2>\n<p>\nWhether you manage your crypto assets on your own devices or simply use regular online banking apps, it\u2019s crucial to stay informed about the latest tactics attackers are using. For company employees, we recommend specialized training tools to boost their awareness of modern cyberthreats. One effective way to do this is by using the <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>. For home users, <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/phishing\/\" target=\"_blank\" rel=\"noopener nofollow\">our blog<\/a> is a great resource for learning how to spot phishing scams.<\/p>\n<p>Additionally, we recommend installing a robust security solution on both the <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">personal<\/a> and <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">work<\/a> devices you use for financial transactions. These solutions can both block access to phishing sites and prevent data breaches.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers spin poignant tales of lost private keys as they try to phish seed phrases. 
<\/p>\n","protected":false},"author":2598,"featured_media":24579,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2641,19,2659],"class_list":{"0":"post-24575","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-crypto-wallets","11":"tag-email","12":"tag-signs-of-phishing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/ledger-vulnerability-phishing-scheme-2\/24575\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/ledger-vulnerability-phishing-scheme-2\/29466\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/ledger-vulnerability-phishing-scheme-2\/29407\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/ledger-vulnerability-phishing-scheme-2\/54182\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/ledger-vulnerability-phishing-scheme-2\/35338\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/ledger-vulnerability-phishing-scheme-2\/34969\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/signs-of-phishing\/","name":"signs of 
phishing"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24575","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=24575"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24575\/revisions"}],"predecessor-version":[{"id":24581,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/24575\/revisions\/24581"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/24579"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=24575"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=24575"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=24575"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}