Fake Ledger Hardware Wallets on Chinese Marketplaces Steal Crypto Seeds and PINs

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A Brazilian cybersecurity researcher has exposed a sophisticated, large-scale supply chain scam involving counterfeit Ledger Nano S Plus hardware wallets sold through a Chinese marketplace, devices engineered from the ground up to silently drain cryptocurrency across roughly 20 blockchains.

The findings, posted to Reddit by user u/Past_Computer2901, have sent shockwaves through the crypto security community, revealing a highly coordinated operation that combines tampered hardware, trojanized software, and cross-platform malware deployment into a single unified phishing pipeline.

The researcher purchased the device at a price matching the official Ledger store, with packaging and product listings that appeared authentic at a glance. Suspicion arose only after the device failed Ledger’s built-in Genuine Check when connected to a legitimately installed copy of Ledger Live — prompting a full physical teardown.

Inside the shell, the deception became undeniable. The original secure element chip had been replaced with an ESP32-S3 microcontroller, a generic IoT component manufactured by Shanghai-based Espressif Systems, a chip with no business being inside a hardware security device.

The chip markings had been physically scraped off to prevent identification, and the device contained a WiFi/Bluetooth antenna entirely absent in genuine Ledger Nano S Plus units. During boot mode, the chip initially spoofed itself as a legitimate Ledger product, but once the boot sequence completed, it betrayed its true identity: Espressif Systems.

A full firmware dump confirmed the most alarming finding: every PIN entered and every seed phrase generated on the device was stored in plaintext and transmitted to attacker-controlled command-and-control (C2) servers, including the domain kkkhhhnnn[.]com.

The fake firmware was labeled “Nano S+ V2.1” — a version that does not exist in Ledger’s official firmware lineup — effectively impersonating a product release to instill false confidence. The operation was designed to drain wallets across approximately 20 different blockchain networks simultaneously.

The counterfeit device shipped with a QR code inside the box, not directing buyers to ledger.com, but to a cloned phishing website where they would download a trojanized version of the Ledger Live app.

The fake app contained a hardcoded “Genuine Check” that always returned a success screen, meaning first-time crypto users would never receive any warning that their device was compromised. The malicious app was not properly signed and silently exfiltrated wallet data the moment it was used.

The scope of the operation extends far beyond a single fake app. The threat actors behind this campaign have deployed malware across Android, Windows, macOS, and iOS, with the iOS variant distributed through Apple’s TestFlight program to entirely bypass App Store review requirements.

Infrastructure analysis revealed three C2 servers, a cloned website, and a QR code redirect chain all registered under a shell company based in Shanghai.

Critically, the researcher clarified that Ledger’s official cryptographic Genuine Check does successfully detect this counterfeit device, but only when using the real Ledger Live downloaded from ledger.com.

The scam’s effectiveness hinges entirely on ensuring the victim never interacts with the legitimate application. The researcher has submitted a full technical report to Ledger’s security team, and a deeper analysis is expected following their review.
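As an added illustration (not code from the article, the researcher, or Ledger), the Python below models why the Genuine Check protects only when the verifying app is trustworthy: a real check is a fresh challenge-response that the device must answer under a vendor-issued key, while the trojanized app's hardcoded check never queries the device at all. The vendor key, device classes and the replayed response are constructed stand-ins, and HMAC replaces Ledger's public-key attestation so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in (assumption, not Ledger's real material): the real Genuine
# Check has the device sign a challenge with a key certified by the vendor root,
# and the app verifies the certificate chain. A shared HMAC key models that
# "only a vendor-provisioned device can answer" property with the stdlib only.
VENDOR_KEY = b"constructed-vendor-attestation-key"


class GenuineDevice:
    """Holds the vendor-issued key, so it can answer any fresh challenge."""

    def attest(self, challenge: bytes) -> bytes:
        return hmac.new(VENDOR_KEY, challenge, hashlib.sha256).digest()


class CounterfeitDevice:
    """Spoofs identity strings (the article's nonexistent 'Nano S+ V2.1') but
    holds no vendor key, so it cannot produce a valid response."""
    firmware_version = "Nano S+ V2.1"

    def attest(self, challenge: bytes) -> bytes:
        return hmac.new(b"not-the-vendor-key", challenge, hashlib.sha256).digest()


class ReplayingCounterfeit(CounterfeitDevice):
    """Replays one response captured from a genuine unit; a fresh nonce defeats it."""

    def __init__(self, captured_response: bytes):
        self.captured = captured_response

    def attest(self, challenge: bytes) -> bytes:
        return self.captured


def real_genuine_check(device, nonce=None) -> bool:
    """Fresh 32-byte challenge per run; accept only a response valid under the
    vendor key. A fixed nonce is allowed here only to demonstrate replay."""
    challenge = nonce if nonce is not None else secrets.token_bytes(32)
    expected = hmac.new(VENDOR_KEY, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, device.attest(challenge))


def trojanized_genuine_check(device) -> bool:
    """The hardcoded check the article describes: the device is never asked anything."""
    return True
```

Run against the three device classes, only the real check with a fresh nonce separates genuine hardware from the counterfeit and the replayer; the hardcoded check passes everything, which is exactly why the scam works only if the victim never installs the real Ledger Live.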

How to Stay Protected

  • Buy only from Ledger’s official website (ledger.com) or verified authorized resellers, never from third-party Chinese marketplaces or auction sites.
  • Download Ledger Live exclusively from ledger.com; never scan QR codes from inside the box to obtain software.
  • Run the Genuine Check immediately upon first connecting any hardware wallet.
  • Treat any firmware version not listed on Ledger’s official changelog as a red flag.
  • Report suspicious devices to Ledger’s security team at [email protected].

This incident marks one of the most technically sophisticated hardware wallet supply chain attacks documented to date, with confirmed financial losses from the fake app component alone surpassing $9.5 million across more than 50 victims.
