Consumers who have purchased Ledger hardware wallets have been waking up to nasty emails claiming that their crypto assets are in danger of being stolen. It is the latest in a long list of phishing attacks designed to lure the uninitiated into divulging their secret phrases or downloading malware.
The first round of spurious emails was asking for the 24-word recovery phrase and Ledger responded with a warning emailed to customers confirming that it would never ask for this.
The second round of emails is a little more insidious as they claim that a data breach on Ledger servers has affected the wallet associated with the target email account. It asks users to download the latest version of Ledger Live, via an email embedded link, and reset their PIN numbers.
It was reported that Ledger did suffer data breach in July resulting in 9,500 users having their personal information compromised.
On initial glance, the email looks genuine but there are a number of key giveaways that are easy to spot for the trained eye. Firstly, the domain name is not from ledger.com but legder.com
Secondly, hovering over the link in the box (but being careful not to click it) reveals a dodgy URL; http:// url9594 (dot) legder (dot) com which is likely to result in the downloading of malware that may be able to log keystrokes, steal credentials, or mine cryptocurrency.
Crypto investors and traders have already taken to twitter to share this phishing scam and warn others about it;
Additionally, Ledger itself has published a list confirming knowledge of these phishing attempts and reinforcing the premise that funds are safe providing the recovery phrase is;
The company stated that nobody, including Ledger, should ever ask for the PIN number of recovery phrase, but this latest email was a call to action prompting the clicking of a malicious link.
Hardware wallets, such as those produced by Ledger or Trezor, take an extra step to mitigate these risks. Ledger stated that crypto assets cannot be sent from a Ledger device unless the user physically connects it to the computer and verifies the transaction on both the computer and the device.
If malware is controlling the PC or smartphone, it cannot control the Ledger wallet, even when it is plugged into the computer.