Ledger Phishing Attack On Dutch Users

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 17:50, 26 April 2023 by Azoundria (talk | contribs) (added tbd)


Ledger

Ledger reports that a recent phishing campaign was launched targeting Dutch users in their own language. The email pretends to be from a law firm working with Ledger and asks the user to click a malicious link for "2FA verification". Details of the link are not provided, but such links typically either try to get the user to sign a malicious transaction or to enter their seed phrase.

About Ledger

[1][2]

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."

"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."

"The scammer is pretending to be working in a law firm in contact with Ledger. They are claiming that 'We have noticed someone tried to log in on your Ledger account from a location you have never used before. So we have blocked your account and wallet.' and asking you to click on a link for a 2FA verification."

"The link provided by the scammers is not legitimate."

This is a global/international case not involving a specific country.

The background of the exchange platform, service, or individuals involved, as it would have been seen or understood at the time of the events.

Include:

  • Known history of when and how the service was started.
  • What problems does the company or service claim to solve?
  • What marketing materials were used by the firm or business?
  • Audits performed, and excerpts that may have been included.
  • Business registration documents shown (fake or legitimate).
  • How were people recruited to participate?
  • Public warnings and announcements prior to the event.

Don't Include:

  • Any wording which directly states or implies that the business is/was illegitimate, or that a vulnerability existed.
  • Anything that wasn't reasonably knowable at the time of the event.

There could be more than one section here. If the same platform is involved with multiple incidents, then it can be linked to a main article page.

The Reality

This section is included if a case involved deception or information that was unknown at the time. Examples include:

  • When the service was actually started (if different than the "official story").
  • Who actually ran a service and their own personal history.
  • How the service was structured behind the scenes. (For example, there was no "trading bot".)
  • Details of what audits reported and how vulnerabilities were missed during auditing.

What Happened

Dutch Ledger owners received a phishing email with text similar to the following[3].

Hallo Nina,

We hebben gemerkt dat iemand zojuist heeft geprobeerd in te loggen op uw Ledger-account vanaf een locatie die u not niet eerder hebt gebruikt, dus we willen zeker weten dat jij het echt bent.

Uw account en uw wallet zijn tijdelijk geblokkeerd om te voorkomen dat u geld verliest.

Hoe kan ik mijn account herstellen?

  1. Klik op Account Herstellen en volg de instructies om uw account te deblokkeren
  2. Schakel na het voltooien van het proces Tee-factoranauthenticatie in.

Account Herstellen

Bedankt dat je ons hebt geholpen om je account veilig te houden.

Het Ledger-team

The message, translated to English, reads:

Hi Nina,

We've noticed that someone just tried to log into your Ledger account from a location you haven't used before, so we want to make sure it's really you.

Your account and your wallet are temporarily blocked to prevent you from losing money.

How can I recover my account?

  1. Click Restore Account and follow the instructions to unblock your account
  2. After completing the process, enable Tee factor authentication.

Restore Account

Thank you for helping us keep your account safe.

The Ledger team

Key Event Timeline - Ledger Phishing Attack On Dutch Users
Date | Event | Description
December 21st, 2020 12:16:31 AM MST | Bleeping Computer Article | BleepingComputer publishes an article on the Ledger data breach[4][5], where the physical addresses, email addresses, and names of 272,853 people who purchased a Ledger hardware cryptocurrency wallet have been leaked on a hacker forum. The data was stolen during a June 2020 data breach, and the release of this information poses a significant security risk as it provides threat actors with data that can be used in phishing attacks against Ledger owners. Ledger has advised users to never share their recovery phrase or passphrase with anyone and to be wary of any postal mail or email claiming to be from Ledger[6]. TBD: information on the update about SIM swap attacks from phone numbers.
December 22nd, 2020 | CryptoBriefing Article | CryptoBriefing publishes an article on the data breach event that affected more than 270,000 Ledger customers. Ledger's CEO Pascal Gauthier has dismissed any possibility of refunds and instead advised customers to store their seed phrases in a bank vault. In an open message, Gauthier said the company should spend money on improving its security standards instead of issuing refunds. Ledger has also hired a new Chief Information Security Officer, five months after the data breach[2].
January 19th, 2021 12:54:12 AM MST | Sifted Article | Sifted reports that French cryptocurrency security startup Ledger is attempting to recover its reputation after breaches exposed customer data. The company has hired a new security team and introduced new data security procedures and transparency to rectify the issues. The leak, which occurred via two third-party ecommerce partners, could make winning back trust difficult among crypto fans, who tend to be inherently distrustful. The article includes an attack against a Dutch Ledger user[7][8]. TBD: follow up more on that on Twitter.
March 22nd, 2021 4:17:00 PM MDT | CryptoPotato Article | CryptoPotato publishes an article on Ledger phishing scams in general. Crypto investors with Ledger hardware wallets are being targeted by phishing scams where attackers pose as Ledger customer support and request the 24-word recovery phrase or ask users to reset their PIN through an embedded link. The phishing emails appear to come from an email address similar to Ledger's official one and encourage users to download Ledger Live. Users are being urged to remain vigilant and to verify any requests from Ledger by checking the website's security certificate and ensuring that the URL matches the official website[9].
March 1st, 2022 | New Phishing Campaign Reported | Ledger reports a new phishing campaign which is targeting Dutch users[10][3].

Total Amount Lost

The total amount lost is unknown.

How much was lost and how was it calculated? If there are conflicting reports, which are accurate and where does the discrepancy lie?

Immediate Reactions

How did the various parties involved (firm, platform, management, and/or affected individual(s)) deal with the events? Were services shut down? Were announcements made? Were groups formed?

Ledger Announcement On Website

Ledger posted an announcement on their website with details of the phishing attack[3].

DATE

March 1st, 2022

ANATOMY OF THE CAMPAIGN

The scammer is pretending to be working in a law firm in contact with Ledger. They are claiming that "We have noticed someone tried to log in on your Ledger account from a location you have never used before. So we have blocked your account and wallet." and asking you to click on a link for a 2FA verification.

The link provided by the scammers is not legitimate.

Language: Dutch

Ultimate Outcome

What was the end result? Was any investigation done? Were any individuals prosecuted? Was there a lawsuit? Was any tracing done?

Total Amount Recovered

There do not appear to have been any funds recovered in this case.

What funds were recovered? What funds were reimbursed for those affected users?

Ongoing Developments

What parts of this case are still remaining to be concluded?

General Prevention Policies

The Ledger hardware wallet does not use 2FA verification, so any request for it is illegitimate. Only ever enter the seed phrase into the hardware wallet itself, never into a website or app. Never sign a transaction you did not generate yourself.
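The prevention advice above, together with the verification advice recorded in the timeline (check that the sender and any link match the official website), can be turned into a simple mail-triage check. The following is an added example, not code from the Quadriga Initiative page or from Ledger. It assumes that ledger.com is the vendor's official domain, and both sample messages are constructed for the example: the phishing one is modelled on the lure quoted above and uses a placeholder link host under the reserved .example TLD rather than any real domain.

```python
"""Triage check for vendor-themed phishing mail (added example; not from the
Quadriga Initiative page or from Ledger).

Assumptions, labelled: OFFICIAL_DOMAINS is the domain assumed to be the
vendor's legitimate one; both sample messages are constructed for this
example, the phishing one using a placeholder host under '.example'.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the vendor's legitimate domain(s). Subdomains are accepted;
# look-alikes such as 'ledger.com.evil.example' are not.
OFFICIAL_DOMAINS = {"ledger.com"}

# Lure wording seen in this campaign. A hardware wallet has no login account,
# no 2FA step, and the recovery phrase is only ever typed on the device.
LURE_PATTERNS = [
    (r"\b2fa\b|two[- ]factor|twee[- ]?factor", "asks for 2FA, which the product does not use"),
    (r"account.{0,40}(blocked|suspended|locked)|geblokkeerd", "account-blocked urgency lure"),
    (r"(recovery|seed) phrase|24[- ]word|herstelzin", "asks for the recovery phrase"),
    (r"(restore|recover) (your )?account|account herstellen", "recover-your-account call to action"),
]


def is_official(host):
    """True if host is an allow-listed domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def sender_domain(msg):
    """Domain part of the From: address, ignoring the display name."""
    addr = parseaddr(msg.get("From", ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg):
    """Plain-text body of a (possibly multipart) message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
    else:
        parts = [msg.get_payload(decode=True) or b""]
    return "\n".join(p.decode("utf-8", "replace") for p in parts)


def extract_links(text):
    """All http(s) URLs found in the text."""
    return re.findall(r"https?://[^\s\"'<>)]+", text)


def triage_email(raw):
    """Parse a raw RFC 822 message and report the phishing indicators found."""
    msg = message_from_string(raw)
    body = body_text(msg)
    sender = sender_domain(msg)

    domain_findings = []
    if not is_official(sender):
        domain_findings.append("sender domain %r is not an official domain" % sender)
    for url in extract_links(body):
        host = (urlparse(url).hostname or "").lower()
        if not is_official(host):
            domain_findings.append("link points to non-official host %r" % host)

    text = (msg.get("Subject", "") + "\n" + body).lower()
    lure_findings = [label for pattern, label in LURE_PATTERNS
                     if re.search(pattern, text, re.DOTALL)]

    # One off-domain sender or link is enough to hold the message; lure wording
    # alone needs two hits so ordinary support mail is not flagged.
    suspicious = bool(domain_findings) or len(lure_findings) >= 2
    return {"sender_domain": sender, "domain_findings": domain_findings,
            "lure_findings": lure_findings, "suspicious": suspicious}


# Constructed sample modelled on the lure quoted on this page (placeholder host).
PHISHING_SAMPLE = """\
From: Ledger Support <support@ledger-account-recovery.example>
To: nina@example.org
Subject: Your Ledger account has been blocked

Hi Nina,

We've noticed that someone just tried to log into your Ledger account from a
location you haven't used before. Your account and your wallet are temporarily
blocked. Click Restore Account and follow the instructions to unblock your
account, then enable two-factor authentication:
https://ledger-account-recovery.example/restore

The Ledger team
"""

# Constructed benign sample: official sender and link, no lure wording.
LEGIT_SAMPLE = """\
From: Ledger <noreply@ledger.com>
To: nina@example.org
Subject: Your order has shipped

Hi Nina,

Your Nano X order has shipped. Track it at https://www.ledger.com/ from your
customer dashboard.

The Ledger team
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage_email(raw))
```

The domain checks carry the weight: the lure wording is a secondary signal, because a legitimate support mail may mention accounts or verification, but no genuine vendor mail links outside the vendor's own domain. Matching on the exact host (or a subdomain of it) rather than on the string "ledger" anywhere in the URL is what defeats look-alike hosts.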

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
