UNKNOWN

APRIL 2019

GLOBAL

LEDGER

DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."

 

"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."

 

"My [Ledger] device was new. My 24 words only [I] knew and only on paper. And my device was only used to receive funds and store" "in Manchester UK." "24 passwords, written on paper, stored in a safe at a different address, nano was only plugged in to receive crypto and hold." "24 words are on paper and stored in a safe. Ledger itself is stored safely." "24 words on paper and in a safe not at my house. Password is unique to me. Only [I] know." "[P]ut alot of time and effort into building this up." "Ledger was used to only store. Passwords are written on paper [and] stored in a safe."

 

"Did you purchase you ledger from the manufacturer?" "I[']ve not missed a beat. Purchase, setup ect has been on the ball." "I use a laptop, desktop and my mining rig. That [I've] built myself. I know exactly what's on them."

 

"[I]'ve been over the process send/receive and for all of it you need to plug the thing in. [I'm] lost. [I've] not had it in for a while. [F]irst time today and it needed an update. [T]hat's how long its been off for." "I've used the thing flawlessly for a long time [with] no issues."

 

"I was externally hacked at the end of [A]pril." "At 20:58 my @Ledger S was hacked last night." "[B]y far been the toughest day in crypto space for me, let's hope tomorrow bring some positive news." "[S]pent all day chasing shadows." "I was cleaned out for 1000s mate. Its broken me! Was sold as the most secure investment [I] could make in this space. And then [I] was hacked. Thought [I] was the only one."

 

Regarding the possibility of malware that locally replaces the Ledger Live desktop application: "This didn[']t happen to me but [I] knew of it. I was just offline and then gone!" "[H]ave never given away my details." "I didn't know about that till after [I] started sharing my story. I would never give away any information without someone showing me a badge!"

"[A]ll funds sent to 2 @binance wallets." "I literally opened my manager the morning after it happened! It was purely coincidental [I] found out so quick!" "I can see everything, apparently btc and Eth have ended up on @binance." "Took them 9 mins to clean me out." "Police said the hack originated from the Russia area of the world." "[T]he Cyber police unit concluded the origin of my recent hack and the loss of all my assets to my Ledger Nano S was Russian based."

 

"The movement of my funds was not authorised by me. So, theft. How it was done [I] dont know. Only constant was the ledger manager on my laptop." "The loss hurt. The potential for what could be was worse to deal with."

 

"Yes I will" "Contact binance with the wallet address. They will freeze those accounts. Contact police and report the theft. Binance will not deal with you only police from that point on."

 

"Was advised to report to action fraud, but was working to a 72 hour window. So went to the police station and spoke to the officer at the desk. He had no idea what i was talking about but did make a few calls. I received a call within a couple of hours from cyber team."

 

"Crypto and cyber crime is huge in the uk. They have a designated force who deal with all this. Think its also part of the fraud teams." "I have contacted the police/Fraud team as req[uired] and reported this to binance, [I'm] waiting on a reply from them to see what to do next." "All information has been passed to cyber crime specialist at the police. They have a direct contact at all these exchanges." "[I] wait......."

 

"Binance have frozen the wallets for 72hrs." "As it stands. Binance have frozen the suspect accounts. Binance support have not responded since 1am UK time." "As it stands atm, binance still have the account frozen that my crypto was sent to. They will not share any info [because] they are not my accounts."

 

"@ledger, we're seeing more and more cases of this theft. Can you please take a look into this and instill confidence in your product. Maybe make the 25th word mandatory when setting up a new device." "I'm done with playing nice. Product has security floors. It's that simple and evident!"

 

"@Ledger support none assistant." "Ledger dismissed the idea that the nano can be hacked. And the passwords are my responsibility. Thats fair but passwords are on paper in a safe and hack was [r]ussian. I'm in the uk!"

 

"As underlined in article 8 of our Terms and Conditions we would like to remind you that users of Ledger products are solely responsible for the way they use their devices and protect their data and information. Users must take all necessary steps to ensure that their PIN code and their 24-words recovery phrase remain confidential and are stored in a secure location, away from prying eyes."

 

"We have answered and [are] waiting for more information. The date of the hack coincides with the social engineering malware report we got (asking to enter the 24 words on the computer), so that's a potential answer."

 

"So when are you going to post a picture of the funds leaving your ledger live. If not you are lying." "Sharing an experience with a so called community on Twitter has its pro and cons. This has become apparent in the last few days. I'm not here to make waves just tell a story and share. [I'm] just [an] average Jo! Trying to get back what's mine and what [I've] worked for!"

 

"All in the hands of the police. Meeting them in the morning. Will have more details in 24 hrs." "Still waiting for confirmation of my funds.. but, Ukrainian bank accounts and russia ips and some dodgy bitcoin exchange.. fair play to the police.. [I've] learnt a lot in the last few hours." "Ip addresses from [R]ussia, dark web bitcoin sites and Ukrainian banks accounts."

 

"Absolutely over the moon! Outstanding work by DC CG at the cyber crime unit. He has been brilliant! Tracked, traced and returned almost every penny of my stolen crypto. Difficult few weeks but big thanks to @MerPolChiefCon for the work his team does. Can't thank you enough!" "Been tough, but got it sorted in the end." "My xrp was sent to an exchange. Police dealt direct with them throughout the investigation." "All my xrp back in the bag!!"

 

"Laptop is in the process of a full format. And the ledger device will be left in a box and not used." "Just need a safe cold wallet now. Currently sitting an exchange."

 

"All my #xrp is now living on my new @coolwallet. Simple set up, everything written on paper again and now stored in a safe again! Just me in the house so no prying eyes..... again."

The user Guy_Parker had significant cryptocurrency holdings stored on a Ledger hardware wallet. The exact amount is not disclosed, though he mentions it is thousands of dollars. The funds were transferred from the Ledger to Russian bad actors. The exact nature of the exploit is not disclosed; however, there are several possibilities.

Guy_Parker mentioned that it had been so long since he last used the Ledger that he had to update the software, and it was at this time that the funds went missing. A phishing campaign posing as a Ledger software update was running at the time, and he may have fallen victim to it. However, Guy_Parker insists that he never entered his seed phrase anywhere, and specifically that he had never seen the phishing page when it was shown to him.

It is also possible that Guy_Parker's computer was infected with malware and that a backup copy of the seed phrase existed somewhere on it which Guy_Parker had long forgotten about. Guy_Parker mentions that he built his machines himself, which would have involved software obtained online. Many software packages bundle "trojan horse" components that allow remote control of the computer, and some (especially those operating at the OS level) may evade detection by common anti-malware tools. Malware is commonly distributed through pirated versions of Windows, for example. The attacker may have become aware of the cryptocurrency only when Guy_Parker connected the Ledger, and that may be what prompted the search for the seed phrase. In multiple other cases, users insisted they never had their seed phrase stored digitally anywhere, only to later discover that at one point they did.
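The forgotten-backup hypothesis above is something an owner or incident responder can check before a laptop is wiped: scan notes, documents and chat exports for checksum-valid BIP39 recovery phrases rather than relying on memory. This is an added example, not code from the page or from Ledger; it assumes the caller loads the standard 2048-word BIP39 English list (one word per line) into `wordlist`, and leaves walking the filesystem to the caller.

```python
import hashlib
import re

# A BIP39 phrase of n words (12, 15, 18, 21 or 24) carries 11*n bits: the first
# 32*n/3 are entropy and the last n/3 are the leading bits of SHA-256 over that
# entropy. That checksum is what separates a real phrase from ordinary prose.
PHRASE_LENGTHS = (12, 15, 18, 21, 24)

def phrase_from_entropy(entropy, wordlist):
    """Encode raw entropy (16, 20, 24, 28 or 32 bytes) as a BIP39 word list."""
    cs_len = len(entropy) * 8 // 32
    bits = "".join(format(b, "08b") for b in entropy + hashlib.sha256(entropy).digest())
    bits = bits[: len(entropy) * 8 + cs_len]
    return [wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11)]

def checksum_ok(words, wordlist):
    """True if `words` is a checksum-valid BIP39 phrase over a 2048-word list."""
    index = {w: i for i, w in enumerate(wordlist)}
    if len(words) not in PHRASE_LENGTHS or any(w not in index for w in words):
        return False
    bits = "".join(format(index[w], "011b") for w in words)
    cs_len = len(words) // 3
    entropy = int(bits[:-cs_len], 2).to_bytes((len(bits) - cs_len) // 8, "big")
    digest_bits = "".join(format(b, "08b") for b in hashlib.sha256(entropy).digest())
    return digest_bits[:cs_len] == bits[-cs_len:]

def find_seed_phrases(text, wordlist):
    """Scan free text (notes, exported spreadsheets, chat logs) for checksum-valid
    recovery phrases. Numbering and punctuation are ignored, so a note written as
    '1. word 2. word ...' is found just like a single line of words."""
    tokens = re.findall(r"[a-z]+", text.lower())
    known = set(wordlist)
    hits = []
    for n in PHRASE_LENGTHS:
        for start in range(len(tokens) - n + 1):
            window = tokens[start:start + n]
            if all(t in known for t in window) and checksum_ok(window, wordlist):
                hits.append(window)

    def inside_longer(h):
        # A 24-word phrase contains 12-word sub-windows that pass the 4-bit checksum
        # by chance 1 time in 16; report only windows not contained in a longer hit.
        return any(len(o) > len(h) and
                   any(o[i:i + len(h)] == h for i in range(len(o) - len(h) + 1))
                   for o in hits)

    return [" ".join(h) for h in hits if not inside_longer(h)]
```

Run it over the text of every user-writable file on a disk image; a hit means a plaintext copy of the phrase existed on that machine, whatever the owner remembers.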

 

Finally, even if no backup of the seed was available on the computer, it is still possible to trick someone who makes multiple transactions by having malware alter the transaction that is sent to the Ledger device for signing. However, it seems unlikely that Guy_Parker would have been tricked into signing several transactions in a row without noticing funds going missing, and there is no mention of any transactions being made in this case.

While seed generation exploits are possible, Guy_Parker purchased his Ledger wallet directly from Ledger, and any flaw in seed generation would be unlikely to affect only a single user. Hardware wallets are also subject to intense scrutiny from security researchers across the community.

The Russian actors attempted to cash out the funds through Binance. Guy_Parker was able to have Binance freeze the funds and worked with UK law enforcement to secure their return. He recovered his funds except for the transaction fees involved in the process. Guy_Parker has since wiped his computer, which would remove any malware, and is now using a new hardware wallet, CoolWallet.

HOW COULD THIS HAVE BEEN PREVENTED?

It is absolutely imperative to store seed phrases only offline. It is recommended to use a separate wallet for everyday transactions and to keep most funds in an offline wallet that is never used for spending. Seed phrases can be split into smaller pieces for additional safety. Advanced users can set up a multi-signature arrangement so that a breach of a single seed phrase is not enough to move funds.

© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.