Tom’s Hardware
Bruno Ferreira

Techie buys fake Ledger Nano S+ hardware crypto wallet and almost falls for phishing — a convincing clone would have caught newbies unaware

Fake Ledger Nano S+ hardware wallet.

Score one for the safety-minded and for cryptographic hardware checks. Joje Mendes, a Brazilian cybersecurity professional, almost got bitten by a sophisticated hardware-and-software phishing attack in the form of a fake Ledger Nano S+ cryptocurrency wallet. The only barrier between Mendes's virtual currency and the device's remote operators was Ledger's official software, which checks whether it is talking to genuine Ledger hardware and flagged this unit when it was not.

The story starts when Mendes decided to order the Ledger device from a "major marketplace" in China. As a non-Chinese citizen currently located in Shenzhen, he found that importing one from abroad, directly from Ledger, "comes with its own headaches." The device's price was reportedly the same as that of a legitimate unit, but Mendes nevertheless stayed suspicious and installed Ledger's official software before the Nano S+ arrived.

As expected, once the device arrived Mendes noticed it was "clearly" a counterfeit, and Ledger's software confirmed it by marking the device as non-genuine. Rather than tossing it, Mendes did what a security professional would and tore the device apart, finding an elaborate scheme at work, one that is likely catching other, less suspicious buyers off guard.
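The genuine check that saved Mendes works by cryptographic attestation, not by trusting any label or serial number the device reports about itself. The following is an added example, not Ledger's code, showing the host side of such a check in simplified form: the app pins a vendor root public key, verifies that the device's attestation key carries a signature from that root, and then makes the device sign a fresh random challenge to prove it holds the matching private key. The certificate layout, the model string format and the use of Ed25519 are assumptions made for this example. A clone that copies the "Nano S+ 7704" label but can only self-sign its certificate fails at the first step.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// DeviceCert is a hypothetical identity record: the claimed model string, the
// device's attestation public key, and the vendor root's signature over both.
// The layout is an assumption for this example, not Ledger's actual format.
type DeviceCert struct {
	Model   string
	PubKey  ed25519.PublicKey
	RootSig []byte // root signature over certBytes(Model, PubKey)
}

// certBytes is the message the vendor root signs at the factory.
func certBytes(model string, pub ed25519.PublicKey) []byte {
	return append([]byte(model+"|"), pub...)
}

// Device is a simulated wallet. A genuine unit holds a factory-provisioned key
// whose certificate the vendor root signed; a clone can only self-sign.
type Device struct {
	Cert DeviceCert
	priv ed25519.PrivateKey
}

// SignChallenge answers the host's nonce with the attestation key.
func (d *Device) SignChallenge(nonce []byte) []byte {
	return ed25519.Sign(d.priv, nonce)
}

// ProvisionGenuine mints a device at the (hypothetical) vendor factory.
func ProvisionGenuine(rootPriv ed25519.PrivateKey, model string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(rootPriv, certBytes(model, pub))
	return &Device{Cert: DeviceCert{Model: model, PubKey: pub, RootSig: sig}, priv: priv}
}

// ProvisionClone mints a counterfeit that copies the model label but has no
// root-signed certificate: it signs its own certificate instead.
func ProvisionClone(model string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, certBytes(model, pub)) // self-signed, not root-signed
	return &Device{Cert: DeviceCert{Model: model, PubKey: pub, RootSig: sig}, priv: priv}
}

var (
	ErrNotGenuine   = errors.New("device certificate not signed by vendor root")
	ErrBadChallenge = errors.New("device failed challenge-response")
)

// GenuineCheck is the host side. It trusts only rootPub, pinned in the app,
// and nothing the device claims about itself.
func GenuineCheck(rootPub ed25519.PublicKey, d *Device) error {
	// Step 1: is the attestation key vouched for by the vendor root?
	if !ed25519.Verify(rootPub, certBytes(d.Cert.Model, d.Cert.PubKey), d.Cert.RootSig) {
		return ErrNotGenuine
	}
	// Step 2: does the device hold the private half? A fresh nonce defeats replay.
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(d.Cert.PubKey, nonce, d.SignChallenge(nonce)) {
		return ErrBadChallenge
	}
	return nil
}

// NewRoot creates a vendor root keypair, a stand-in for the vendor's real one.
func NewRoot() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

func main() {
	rootPub, rootPriv := NewRoot()
	genuine := ProvisionGenuine(rootPriv, "Nano S+ 7704")
	clone := ProvisionClone("Nano S+ 7704") // same label the fake device reported
	fmt.Println("genuine:", GenuineCheck(rootPub, genuine)) // <nil>
	fmt.Println("clone:  ", GenuineCheck(rootPub, clone))   // not signed by vendor root
}
```

The order of the two steps matters: checking the root signature first means a clone never gets to the challenge, and the challenge step ensures that merely copying a genuine device's public certificate (without its private key) is not enough either.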

After prying open the case, Mendes found that all chip markings had been scraped off, but he eventually identified the central unit as an ESP32-S3 system-on-a-chip (SoC), a general-purpose Wi-Fi and Bluetooth microcontroller. The device spoofed its identification, claiming to be a "Nano S+ 7704" from Ledger's factory, complete with a serial number. Inspecting the firmware, Mendes quickly found his test PIN and the seed phrases for two wallets, as well as hard-coded credentials for the C2 (command-and-control) servers that collected the data.

The presence of Wi-Fi and Bluetooth antennas initially led Mendes to believe the data would be exfiltrated over those radios when the device was near public Wi-Fi, or perhaps by the device acting as a USB keylogger. Instead, he found that a fake Ledger app does the data harvesting. Unsuspecting users are led to a page that looks like a clone of ledger.com, from which they can download malicious Android, Windows, or macOS apps.

He decompiled the app and, sure enough, it was signed with an Android debug certificate, tracks the phone's location even after being closed, and sends data to the C2 servers. The download link's QR code, presumably on the package or the paper instructions, was likewise malicious. Adding insult to injury, the firmware monitors the wallets' account balances via their public keys, presumably so the thieves hear a "ka-ching!" whenever funds are deposited.
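The tainted QR code works because a plausible-looking link is enough to get a user onto a clone of ledger.com. As an added example, not from the article and not Ledger's code, here is the kind of check a companion app or a cautious user's script can apply to a URL scanned from packaging before opening it. The trusted host list is an assumption for the example. The check requires https, refuses punycode (xn--) labels where homoglyph domains hide, and compares the full hostname against an exact allow-list, so lookalikes such as ledger.com.some-other-domain.example, ledger-com.xyz, or a userinfo trick like https://ledger.com@evil.example/ are all rejected.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// trustedHosts is a hypothetical allow-list of vendor hosts an app may download
// from. The entries are assumptions for this example.
var trustedHosts = map[string]bool{
	"ledger.com":         true,
	"www.ledger.com":     true,
	"support.ledger.com": true,
}

var (
	ErrScheme   = errors.New("download link is not https")
	ErrPunycode = errors.New("hostname contains an xn-- label, possible homoglyph domain")
	ErrHost     = errors.New("host is not a trusted vendor domain")
)

// CheckDownloadURL decides whether a scanned URL points at the vendor.
// Matching is on the exact, lowercased hostname, never on a substring, so
// "ledger.com" appearing somewhere in the URL is not enough.
func CheckDownloadURL(raw string) error {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return err
	}
	if u.Scheme != "https" {
		return ErrScheme
	}
	// Hostname() drops the port and any userinfo, so "ledger.com@evil.example"
	// yields "evil.example", which is what the browser would actually connect to.
	host := strings.ToLower(u.Hostname())
	for _, label := range strings.Split(host, ".") {
		if strings.HasPrefix(label, "xn--") {
			return ErrPunycode
		}
	}
	if !trustedHosts[host] {
		return ErrHost
	}
	return nil
}

func main() {
	// Constructed sample links, modelled on the lookalike tricks discussed above.
	for _, link := range []string{
		"https://www.ledger.com/start",
		"http://ledger.com/start",
		"https://ledger.com.setup-guide.example/app",
		"https://ledger.com@evil.example/download",
		"https://xn--ledgr-3ua.com/",
	} {
		fmt.Printf("%-48s %v\n", link, CheckDownloadURL(link))
	}
}
```

The allow-list approach is deliberately strict: a new legitimate subdomain needs an explicit entry, which is a far cheaper failure than accepting a malicious one.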

The expert thinks this device is being sold to first-time cryptocurrency users looking for the added security of a hardware wallet, and it's not hard to imagine it working well for that purpose. Even a sleep-deprived professional might follow the download link on the box instead of typing ledger.com into the browser themselves.

Mendes notified Ledger of the elaborate phishing operation and published an update in which he vowed to purchase additional devices to see how deep the rabbit hole goes. After all, someone put a lot of work into setting all of this up. Needless to say, if you're buying a hardware cryptocurrency wallet or any other security-related device, always get it from the maker or an official reseller, and download its companion software only from the maker's own site.
