Recently, someone on the Ledger subreddit reported receiving an unsolicited package containing a Ledger Nano X and a letter purportedly from Ledger's CEO. The Kraken team notes that the scam attempts to trick recipients into migrating their cryptocurrency holdings onto the new, physically modified device.
Kraken Security Labs decided to examine this phishing scam in detail.
Kraken notes that its security team has demonstrated how this scam was “supposed to play out” and, as with previous Ledger phishing attacks, has explained how “best to avoid these attacks from happening to you.”
Kraken clarifies that the attack relies on “no flaws” in the Ledger wallet itself or its firmware; the device was tampered with physically. According to Kraken, the purpose of its video and accompanying information is to “increase awareness about this phishing attack, as this is often the single-best way to prevent crypto holders falling victim to these attempts.”
As noted in Kraken's report, the package was “delivered in what appeared to be official Ledger shrink wrapping.” After opening it, however, the recipient “spotted an immediate red flag”: the letter, “purportedly from Ledger CEO Pascal Gauthier, was in poorly-written English and had errors throughout; hardly consistent with the communication clients usually receive from companies.”
Kraken further noted:
“Having already heard about Ledger falling victim to a data breach in the past, the recipient felt increasingly suspicious. They decided to take the Ledger apart and posted pictures of the insides on Reddit. The community quickly discovered that a tiny USB stick had been secretly implanted into the device. Once plugged into a computer, the device would appear as a USB stick, containing a malicious application attempting to phish the user’s seed.”
Kraken Security Labs also mentioned that they have rebuilt the attack “to demonstrate how this highly sophisticated, real-world phishing attack works, so clients are prepared in case anyone should ever attempt this on them.”
Kraken Security Labs reports that they “ordered a Ledger Nano X wallet online.” Once they had received the device, they used “a simple tiny USB-stick as an implant, extracted from a promotional gift.” After removing some of the padding, the USB stick “fitted perfectly underneath the display of the wallet,” the report from Kraken noted.
Kraken also mentioned that next, “just like the original attacker, [they] used magnet wire to connect the contacts of the USB-stick to the USB data-lines on the original wallet’s Printed Circuit Board (PCB), which connects all the device’s electrical components together.”
Kraken’s report added:
“To prevent conflicts between the USB-stick and the Ledger CPU we had to make additional modifications. Hardware security expert Mike Grover highlighted that the attackers had removed an oscillator – a component which basically allows the device to keep time – to prevent the CPU from interfering with the USB-stick. Our testing found that removing that component would disable the device, making the attack more conspicuous.”
Kraken Security Labs made a “slightly different” modification so that the wallet would continue to work normally, including “allowing regular connections to the wallet via bluetooth,” and would “therefore raise less suspicion.” Kraken also noted that the attackers had made “further hardware modifications to make the USB connection work.”
As noted by Kraken:
“From the outside, it’s virtually impossible to distinguish a genuine Ledger wallet from a backdoored one. The USB-stick is hidden below the display, and the tiny wires connect it to the Ledger PCB. When plugged in, the wallet will boot, charge its battery, and appear like a completely unmodified Ledger.”
“When the device is plugged into a computer, it will appear as a USB stick, containing only a phony ‘Ledger Live’ application that will try to trick the victim into entering their seed phrase, which will enable the attackers to drain funds from their wallet.”
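The practical tell in the description above is that the backdoored unit enumerates as a USB flash drive, whereas a genuine Ledger talks to the host over USB HID and never exposes storage. The following script, an added example that is not code from Kraken's report or from Ledger, turns that observation into a check: it parses text in the shape of `lsusb -v` output and flags any mass-storage interface, or the absence of a Ledger HID device. The samples are constructed; the Ledger vendor ID 0x2c97, the product IDs and the implant's vendor ID are assumptions and placeholders to be checked against your own device.

```python
"""Sanity check for a freshly plugged-in hardware wallet: did it enumerate as
a wallet, or as a USB flash drive?

Added example, not Kraken's or Ledger's code. It parses text in the shape of
`lsusb -v` output; both samples below are constructed. Assumptions:
  - Ledger devices use USB vendor ID 0x2c97 (verify against your own device).
  - A genuine Ledger communicates over USB HID (bInterfaceClass 3) and never
    exposes a mass-storage interface (bInterfaceClass 8).
  - The product IDs and the implant's vendor ID in the samples are placeholders.
"""
import re
from dataclasses import dataclass, field

LEDGER_VID = 0x2C97          # assumption: Ledger's registered USB vendor ID
CLASS_HID = 3                # USB interface class: Human Interface Device
CLASS_MASS_STORAGE = 8       # USB interface class: Mass Storage


@dataclass
class UsbDevice:
    vid: int
    pid: int
    product: str = ""
    interface_classes: list = field(default_factory=list)


_DEVICE_RE = re.compile(r"Bus \d+ Device \d+: ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")
_PRODUCT_RE = re.compile(r"iProduct\s+\d+\s*(.*)")
_IFACE_CLASS_RE = re.compile(r"bInterfaceClass\s+(\d+)")


def parse_lsusb(text: str) -> list:
    """Collect vendor/product IDs, product strings and interface classes
    from lsusb -v style output. Lines before the first device header are ignored."""
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = _DEVICE_RE.match(line)
        if m:
            current = UsbDevice(int(m.group(1), 16), int(m.group(2), 16))
            devices.append(current)
            continue
        if current is None:
            continue
        m = _PRODUCT_RE.match(line)
        if m:
            current.product = m.group(1).strip()
            continue
        m = _IFACE_CLASS_RE.match(line)
        if m:
            current.interface_classes.append(int(m.group(1)))
    return devices


def assess(devices: list) -> tuple:
    """Return ('ok' | 'suspicious', reasons). Any mass-storage interface, a
    Ledger vendor ID without HID, or no Ledger HID device at all is a red flag."""
    reasons = []
    for d in devices:
        ident = f"{d.vid:04x}:{d.pid:04x} ({d.product or 'no product string'})"
        if CLASS_MASS_STORAGE in d.interface_classes:
            reasons.append(f"mass-storage interface exposed by {ident}")
        if d.vid == LEDGER_VID and CLASS_HID not in d.interface_classes:
            reasons.append(f"Ledger vendor ID without an HID interface: {ident}")
    if not any(d.vid == LEDGER_VID and CLASS_HID in d.interface_classes for d in devices):
        reasons.append("no Ledger HID device enumerated")
    return ("suspicious" if reasons else "ok", reasons)


# Constructed sample: what a genuine Nano X might look like (PID is a placeholder).
GENUINE_SAMPLE = """\
Bus 001 Device 004: ID 2c97:4011 Ledger Nano X
  iProduct                2 Nano X
    bInterfaceClass         3 Human Interface Device
"""

# Constructed sample: the backdoored unit from the report. Only the implanted
# flash drive enumerates; its vendor ID here is a made-up placeholder.
IMPLANT_SAMPLE = """\
Bus 001 Device 005: ID abcd:1234 Generic Flash Disk
  iProduct                2 Ledger Live Installer
    bInterfaceClass         8 Mass Storage
"""

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE_SAMPLE), ("implant", IMPLANT_SAMPLE)):
        verdict, reasons = assess(parse_lsusb(sample))
        print(f"{name}: {verdict}")
        for r in reasons:
            print("  -", r)
```

On a real machine, feed the script the actual `lsusb -v` output after plugging the wallet in; a wallet that shows up only as a removable drive, or offers a drive alongside its HID interface, should not be used, and the Ledger Live application should be obtained from Ledger's website rather than from anything the device presents.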
Kraken also reminded users that when using a hardware wallet, you should always make sure that you are ordering “directly from the vendor and check that the packaging, including the cellophane wrapping, has not been tampered with.” Kraken further noted that if you are “ever in doubt, contact the wallet vendor directly or speak to someone through the official support portal.” Two further checks follow from the attack itself: a genuine hardware wallet never asks for the recovery phrase to be typed into a computer or phone, and the Ledger Live application is downloaded from Ledger's website, never from storage presented by the device.
You may check out more details on this report from Kraken here.