Key Points
- Fake Ledger device uncovered by cybersecurity researcher.
- Modified hardware designed to steal seed phrases.
- Supply chain attacks targeting self-custody users are rising.
A cybersecurity researcher has exposed a highly sophisticated counterfeit version of the Ledger Nano S Plus being sold through a Chinese online marketplace. Initially appearing legitimate in packaging and pricing, the device was later found to be engineered specifically to compromise user funds.
The discovery was shared publicly by a Brazilian researcher who purchased the device for personal use, only to uncover a coordinated scam operation designed to exploit crypto users—particularly those new to self-custody.
Genuine Check Failure Raises Red Flags
Upon connecting the device to the official Ledger Live application, the wallet failed the built-in “Genuine Check,” a verification system used to confirm authentic Ledger hardware. This prompted further investigation, leading to a full teardown of the device.
Inside, the researcher found altered components and firmware modifications intended to extract sensitive wallet data, including private keys and seed phrases.
Hidden Hardware and Firmware Manipulation
The internal inspection revealed clear signs of tampering, including scraped chip markings and the unexpected presence of WiFi and Bluetooth antennas—features not present in legitimate Ledger devices, which are designed to keep private keys fully offline.
Further firmware analysis found that the device initially identified itself as a legitimate Ledger model, but later exposed references to Espressif Systems, the maker of the ESP32 family of WiFi/Bluetooth microcontrollers. This is consistent with the radio antennas found inside the unit and suggests unauthorized hardware substitution or manipulation during manufacturing.
QR Code Trap Targets First-Time Users
The scam is particularly dangerous for new users. The counterfeit package includes a QR code directing users to download a malicious version of Ledger Live. This fake app simulates a successful “Genuine Check,” misleading users into trusting the device.
Once users proceed with setup, they are prompted to input their seed phrase, which is then captured by attackers, allowing them to drain funds at any time.
Broader Pattern of Crypto Supply Chain Attacks
This incident reflects a growing trend of supply chain attacks in the crypto sector. Earlier this month, over 50 victims lost a combined $9.5 million after downloading a fake Ledger Live app distributed through a manipulated listing on the Apple App Store.
Scammers are increasingly combining hardware tampering with social engineering tactics to bypass traditional security measures and exploit trust in well-known brands.
Critical Security Lessons for Crypto Users
The findings highlight the importance of strict security practices when dealing with hardware wallets. Users are strongly advised to purchase devices only from official sources and to verify authenticity through trusted software. Any failure in the Genuine Check process should be treated as a serious warning sign.
As crypto adoption grows, the attack surface continues to expand, making user awareness and operational security just as important as the technology itself.