QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$34 000 USD
JANUARY 2018
GLOBAL
LEDGER
DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."
"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."
"The seller didn't 'compromise the package', he opened a simple box, set up a new seed on the Ledger with the PIN '5555', made a convincing card to go in the box that includes the seed on a scratch off and directions to use, then put it all back in the box like it was never opened."
"My Ledger Nano S arrived today and I noticed some weird things about this one compared to YouTube tutorials I've seen before purchasing that have me a little concerned."
"[A] scam Ledger Nano (bought on eBay) came with a 'scratch off' paper, to reveal the seed words. With a real Ledger Nano, the seed words are generated by the device." "Custom scratch offs... wow. I realize not much effort to do it, but enough to trick someone."
"The Ledger he bought was (almost certainly) the real device, not a fake. The scammer initialised the device and generated the seed on the device before sending it to the victim. The victim, not knowing any better, used this pre-made, compromised seed."
"Had [t]he victim reset the device when he got it (getting a new 24 word seed) then he would have been perfectly fine."
"The first is when I started the device for the first time, it didn't ask me if I wanted to set up the device as new or restore an old one. Not only that, the PIN was set to 5555 as stated on the welcome card. It also didn't give me the seed words and they appear to be on a 'scratch card' included with the device. The paperwork looks legit but I wiped the device and set it up again to be safe. It also works with the Chrome Apps fine."
"I have not used my Ledger in a week, today I decided to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not accessed my Ledger in a week. I do not know what to do as the total value is over £25000, has my currency been stolen or is it something else? I am at a loss here and right now feel so physically sick. Someone please help."
Ledger responded: "Please contact us directly by PM with your email. We'll put you in touch with our General Counsel so we can help you file a formal criminal complaint and bring the eBay seller to justice."
Ledger hardware wallets were being resold through eBay, with the company insisting these were safe to purchase. Criminal resellers initialized seed phrases on the hardware wallets and created fake instructions, complete with scratch-card seed words. This resulted in customers receiving official wallets with seed phrases already provided. It appears that at least one user got scammed and lost funds, though the details are not known.
HOW COULD THIS HAVE BEEN PREVENTED?
The safest strategy is to always buy the hardware wallet directly from Ledger and always be sure to initialize it with a newly generated seed phrase. While it is unlikely that someone who had tampered with a Ledger device would also send a seed phrase with the package, anything is possible.
When setting up a new wallet of any sort, it is also a good practice to only transfer a small quantity of funds first, transferring the rest if those funds remain safe. This minimizes damage from any theft incident involving immediate removal of the funds. Advanced users may also set up a multi-sig with hardware wallets from different manufacturers all required to sign the outgoing transaction. You should also test the wallet to make sure that you can withdraw funds and didn't make a mistake in the setup.
