A Brazil-based security researcher exposes a counterfeit Ledger Nano S+ operation using malicious firmware and fake apps to drain wallets across 20 blockchains.

Counterfeit Ledger Nano S+ Drains Wallets Across 20 Chains

2026/04/18 07:59


A Brazil-based security researcher has exposed one of the most sophisticated counterfeit Ledger Nano S+ operations documented so far. The fake device, sourced from a Chinese marketplace, carried custom malicious firmware and shipped with a cloned companion app. Every seed phrase a user entered into the device or the app went straight to the attacker.


The researcher bought the device because the price looked wrong. Once the package was opened, the counterfeit was obvious. Instead of discarding it, the researcher did a full teardown.

What Was Hidden Inside the Chip

The genuine Ledger Nano S+ is built around an ST33 Secure Element. This device had an ESP32-S3 instead, a general-purpose Wi-Fi/Bluetooth microcontroller with no secure element at all. The chip markings had been physically sanded off to hinder identification. The firmware identified itself as “Ledger Nano S+ V2.1”, a version that does not exist.

A memory dump showed seeds and PINs stored in plain text. The firmware beaconed to a command-and-control server at kkkhhhnnn[.]com, and any seed phrase entered into the hardware was exfiltrated immediately.

The drainer supports roughly 20 blockchains. This is not a small operation.

Five Attack Vectors, Not One

The seller bundled a modified “Ledger Live” app with the device. The app is built with React Native using Hermes v96 and is signed with the default Android debug certificate (the CN=Android Debug keystore that every developer's build tools generate), so it cannot have come out of Ledger's release pipeline. The attackers did not bother with a legitimate signing key; running apksigner verify --print-certs on the APK and looking at the signer's subject is enough to spot this.

The app hooks the XState state machines that drive device communication in order to intercept APDU commands, and it exfiltrates what it captures through ordinary XMLHttpRequest calls that blend in with the app's normal traffic. Investigators identified two additional command-and-control servers: s6s7smdxyzbsd7d7nsrx[.]icu and ysknfr[.]cn.

This is not limited to Android. The same operation distributes a .EXE for Windows and a .DMG for macOS, resembling campaigns tracked by Moonlock under AMOS/JandiInstaller. An iOS TestFlight version also circulates, sidestepping the full App Store review, a tactic previously tied to CryptoRom scams. Five vectors in total: hardware, Android, Windows, macOS, iOS.
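The three command-and-control domains above are the indicators a defender will actually search for. The following Go program is an added example (not code from the researcher or from the article) that refangs the defanged indicators and scans a resolver log for queries to those domains or their subdomains. The log format (timestamp, client IP, the word query, record type, queried name) and every line in SampleLog are constructed for this example; matching is done on label boundaries so that look-alike names such as notkkkhhhnnn.com and ysknfr.cn.example.net are not flagged.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// C2Domains holds the defanged indicators named in the write-up.
var C2Domains = []string{
	"kkkhhhnnn[.]com",
	"s6s7smdxyzbsd7d7nsrx[.]icu",
	"ysknfr[.]cn",
}

// Refang turns a defanged indicator back into a matchable, normalized hostname.
func Refang(ioc string) string {
	return strings.ToLower(strings.TrimSuffix(strings.ReplaceAll(ioc, "[.]", "."), "."))
}

// MatchesIOC reports whether host is the indicator itself or a subdomain of it.
// Plain substring matching would wrongly flag "notkkkhhhnnn.com" and
// "ysknfr.cn.example.net"; requiring a label boundary avoids both.
func MatchesIOC(host, ioc string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	return host == ioc || strings.HasSuffix(host, "."+ioc)
}

// Hit records one DNS query that touched a C2 indicator.
type Hit struct {
	Line   int
	Client string
	Host   string
	IOC    string
}

// ScanDNSLog walks a resolver log in the constructed format
//
//	<timestamp> <client-ip> query <qtype> <qname>
//
// and returns every query for a C2 domain or one of its subdomains.
func ScanDNSLog(log string, iocs []string) []Hit {
	refanged := make([]string, len(iocs))
	for i, ioc := range iocs {
		refanged[i] = Refang(ioc)
	}
	var hits []Hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) < 5 || f[2] != "query" {
			continue // malformed or non-query line; skip rather than guess
		}
		for _, ioc := range refanged {
			if MatchesIOC(f[4], ioc) {
				hits = append(hits, Hit{Line: n, Client: f[1], Host: f[4], IOC: ioc})
				break
			}
		}
	}
	return hits
}

// SampleLog is constructed for this example; it is not a real capture.
const SampleLog = `2026-04-17T10:12:03Z 192.168.1.23 query A api.kkkhhhnnn.com
2026-04-17T10:12:04Z 192.168.1.23 query A www.ledger.com
2026-04-17T10:12:09Z 192.168.1.40 query A KKKHHHNNN.COM.
2026-04-17T10:13:11Z 192.168.1.40 query A notkkkhhhnnn.com
2026-04-17T10:13:12Z 192.168.1.57 query AAAA s6s7smdxyzbsd7d7nsrx.icu
2026-04-17T10:13:15Z 192.168.1.57 query A ysknfr.cn.example.net
2026-04-17T10:14:00Z 192.168.1.88 query TXT c2.ysknfr.cn`

func main() {
	for _, h := range ScanDNSLog(SampleLog, C2Domains) {
		fmt.Printf("line %d: %s queried %s (IOC %s)\n", h.Line, h.Client, h.Host, h.IOC)
	}
}
```

Against the sample log the scanner reports lines 1, 3, 5 and 7 and ignores the two look-alikes; the trailing dot and upper case on line 3 are normalized away before comparison. Swapping SampleLog for real resolver output only requires adapting the field positions in ScanDNSLog.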

The Genuine Check Cannot Save You Here

Ledger’s official guidance confirms that genuine devices carry a secret cryptographic key set during manufacturing. The Ledger Genuine Check in Ledger Wallet verifies this key each time a device connects. According to Ledger’s support documentation, only a genuine device can pass that check.

The problem is straightforward. The check only proves something when the verifier is the real Ledger software talking to Ledger's servers. Here the seller supplies the app as well, so the attacker controls both sides of the exchange: the cloned app simply reports a pass, and the firmware mimics enough of the expected protocol to get past any basic checks the app still performs. The researcher confirmed this directly in the teardown.
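To make that point concrete, here is a simplified model of a challenge-response genuine check, added as an illustration and not Ledger's actual protocol or code (the real check has Ledger's server supply the challenge and verifies a fuller certificate chain). It assumes a vendor root key, a per-device attestation key certified at manufacturing time, and a verifier that pins one root; the type and function names, including the three-case Scenario, are this example's own. A counterfeit with its own key material fails against an app that pins the vendor's root and passes against a cloned app that pins the attacker's, which is why a check run by software the seller provided is worthless.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceCert is the factory-issued "certificate": the device's attestation
// public key plus the root's signature over it. (Simplified model; the real
// chain has more links.)
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	RootSig   []byte
}

// Device stands in for the secure element, or, for a counterfeit, whatever
// chip the seller put in the case. Only the device holds priv.
type Device struct {
	priv ed25519.PrivateKey
	Cert DeviceCert
}

// Manufacture provisions a device whose attestation key is certified by the
// given root. A counterfeiter runs exactly the same step with a root of their own.
func Manufacture(rootPriv ed25519.PrivateKey) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{
		priv: priv,
		Cert: DeviceCert{DevicePub: pub, RootSig: ed25519.Sign(rootPriv, pub)},
	}
}

// Attest answers a verifier challenge with a signature from the attestation key.
func (d *Device) Attest(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// GenuineCheck is the wallet-app side. pinnedRoot is the trust anchor compiled
// into the app: the genuine app pins the vendor's root, a cloned app pins
// whatever root the attacker chooses.
func GenuineCheck(pinnedRoot ed25519.PublicKey, dev *Device) error {
	if !ed25519.Verify(pinnedRoot, dev.Cert.DevicePub, dev.Cert.RootSig) {
		return errors.New("attestation key is not certified by the pinned root")
	}
	challenge := make([]byte, 32) // fresh per check, so a recorded answer cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if !ed25519.Verify(dev.Cert.DevicePub, challenge, dev.Attest(challenge)) {
		return errors.New("device does not hold the certified attestation key")
	}
	return nil
}

// Scenario runs the three cases that matter here and reports whether each
// check passed: a genuine device in the genuine app, a counterfeit in the
// genuine app, and a counterfeit in the seller's cloned app.
func Scenario() (genuineInRealApp, fakeInRealApp, fakeInClonedApp bool) {
	vendorRootPub, vendorRootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	attackerRootPub, attackerRootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	genuine := Manufacture(vendorRootPriv)  // provisioned at Ledger's factory
	fake := Manufacture(attackerRootPriv)   // provisioned by the counterfeiter

	genuineInRealApp = GenuineCheck(vendorRootPub, genuine) == nil
	fakeInRealApp = GenuineCheck(vendorRootPub, fake) == nil
	fakeInClonedApp = GenuineCheck(attackerRootPub, fake) == nil
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("genuine device, genuine app:     ", a) // true
	fmt.Println("counterfeit, genuine app:        ", b) // false
	fmt.Println("counterfeit, seller's cloned app:", c) // true
}
```

The third case is the whole story: the cryptography is sound, but the verifier's trust anchor came from the same party that built the device, so the result it displays carries no information. The only meaningful check is one run by the genuine Ledger software obtained from Ledger's own channels.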

Past supply chain attacks targeting Ledger users have repeatedly shown that packaging-level verification alone is insufficient. Documented cases on BitcoinTalk record individual users losing over $200,000 to fake hardware wallets from third-party marketplaces.

Where These Devices Are Being Sold

Third-party marketplaces are the primary distribution channel. Amazon third-party sellers, eBay, Mercado Livre, JD, and AliExpress all have documented histories of listing compromised hardware wallets, the researcher noted in the Reddit post on r/ledgerwallet.

The price is deliberately low. That is the lure. A non-official source offering a discounted Ledger is not offering a deal; it is selling a compromised product that pays off for the attacker.

Ledger’s official channels are its own e-commerce site at Ledger.com and verified Amazon stores across 18 countries. Nowhere else carries any guarantee of authenticity.

What the Researcher Is Doing Next

The team prepared a comprehensive technical report for Ledger’s Donjon team and its phishing bounty program, and it will release the full write-up after Ledger completes its internal analysis.

The researcher has made IOCs available to other security professionals through direct messages. Anyone who purchased a device from a questionable source can reach out for identification assistance.

The key red flags remain simple. A pre-generated seed phrase included with the device is a scam. Documentation asking users to type a seed phrase into an app is a scam. Destroy the device immediately in either case, and if a seed was already entered into such a device or app, treat it as compromised and move the funds to a wallet generated on a genuine device.

The post Counterfeit Ledger Nano S+ Drains Wallets Across 20 Chains appeared first on Live Bitcoin News.
