A security researcher on Reddit has published a detailed investigation, in two posts, into a counterfeit Ledger Nano S+ device being sold through online marketplaces, revealing a coordinated operation designed to steal crypto wallet seed phrases across multiple platforms.
The posts, published on April 15–16 in the r/ledgerwallet subreddit by user Past_Computer2901, describe how a seemingly legitimate hardware wallet turned out to be part of a broader phishing and malware campaign involving fake hardware, malicious apps, and command-and-control (C2) infrastructure.
The researcher initially claimed the device could bypass Ledger’s security checks, but later clarified this was incorrect. The official Ledger Live application correctly detects the counterfeit device. The real risk lies in users being redirected to fake versions of the app.
Counterfeit Device Fails Official Check but Fake Apps Capture Seed Phrases
The researcher wrote that he purchased the device from a third-party Chinese marketplace where it was listed at the same price as the official Ledger store. He bought the device for personal use and not for research purposes. The listing appeared legitimate, and there were no clear warning signs before delivery.
After receiving the device, he connected it to the official Ledger Live app, which had already been installed from ledger.com. The device failed the built-in Genuine Check, which verifies hardware authenticity using cryptographic attestation. In a follow-up post, the researcher clarified that this check works as intended and that counterfeit devices cannot pass it.
This failure prompted him to investigate further. After opening the device, he reported hardware differences from a genuine unit, including a general-purpose chip instead of a secure element. He wrote that the chip was an ESP32-S3 manufactured by Espressif Systems, which is not used in authentic Ledger devices, and that some component markings had been deliberately scraped off. He also reported that sensitive data, such as PIN codes and seed phrases, were stored in plain text within the device’s firmware.
According to the researcher, the main attack does not rely on bypassing Ledger’s verification system. Instead, it depends on redirecting users to a fake onboarding flow. The device packaging includes a QR code that leads to a cloned website resembling ledger.com. From there, users are prompted to download malicious versions of Ledger Live for Android, Windows, macOS, and iOS.
In the post, he also writes that the scam appears to target first-time Ledger users, who may be less familiar with hardware wallet setup and more likely to follow onboarding instructions such as scanning QR codes and downloading software from links provided in the packaging.
“Think like a first-time crypto user.
“You unbox what you think is a Ledger. Inside the packaging there's a "Start Here" card with a QR code. A brand new user — someone who's never used a hardware wallet, maybe just heard about self-custody for the first time — scans that QR code. It redirects to a cloned website that looks exactly like ledger.com, where you're prompted to download "Ledger Live" for any platform (Android, iOS, Windows, Mac).”
He reported that these fake apps display a hardcoded “Genuine Check” success screen that performs no actual verification of the device. The apps then capture seed phrases and transmit them to attacker-controlled servers. The Android version analyzed by the researcher also intercepts communication between the device and the app and monitors wallet balances.
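To make the contrast between the real Genuine Check (cryptographic attestation against a manufacturer root key, as described above) and the fake apps' hardcoded success screen concrete, here is an added Go model of both checks. It is not Ledger's code or protocol; the Device type, the Ed25519 certificate scheme and the challenge size are assumptions chosen for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Device is a wallet as the companion app sees it: a public key, a certificate
// (the manufacturer root's signature over that key) and a way to sign a challenge.
type Device struct {
	Pub  ed25519.PublicKey
	Cert []byte
	priv ed25519.PrivateKey // never leaves the device
}
func (d Device) Attest(challenge []byte) []byte { return ed25519.Sign(d.priv, challenge) }

// NewGenuineDevice: the manufacturer certifies the device key at production.
func NewGenuineDevice(rootPriv ed25519.PrivateKey) Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Device{pub, ed25519.Sign(rootPriv, pub), priv}
}

// NewCounterfeitDevice: a clone lacks the root key, so it certifies its key with a bogus root.
func NewCounterfeitDevice() Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, bogusRoot, _ := ed25519.GenerateKey(rand.Reader)
	return Device{pub, ed25519.Sign(bogusRoot, pub), priv}
}

// GenuineCheck is what an honest app does against its pinned root key: verify the
// certificate, then a signature over a fresh random challenge (so no replay).
func GenuineCheck(root ed25519.PublicKey, dev Device) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	if !ed25519.Verify(root, dev.Pub, dev.Cert) {
		return false // certificate was not issued by the real manufacturer
	}
	return ed25519.Verify(dev.Pub, challenge, dev.Attest(challenge))
}

// HardcodedGenuineCheck models the fake app's screen: "success", no verification.
func HardcodedGenuineCheck(Device) bool { return true }
func main() {
	root, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println(GenuineCheck(root, NewGenuineDevice(rootPriv)), GenuineCheck(root, NewCounterfeitDevice()))
}
```

The pinned root key is what makes the honest check unforgeable; the fake app simply never consults it, which is why only software obtained from the official site can be trusted to run the check at all.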
The researcher wrote that he identified several domains linked to this activity and said the infrastructure appears to support multiple distribution channels, including desktop software and mobile apps. He also claimed the operation is tied to a Shanghai-registered shell company specifically set up to sell on JD.com.
Ledger Response and Security Clarification in Community Discussion
In replies to other users, the researcher emphasized that the scam does not indicate a flaw in Ledger’s official security model. He wrote that the legitimate Ledger Live app correctly detects counterfeit devices and that users who download software only from the official website and follow the standard setup process remain protected.
Additionally, Ledger shared the following statement with TheHolyCoins:
“It’s important for the ecosystem to accurately raise awareness around counterfeit devices. Ledger reminds users that it is recommended to purchase their Ledger signer from Ledger.com or authorized resellers, a full list of which is available here.
“When purchasing from a marketplace, Ledger strongly encourages users to verify the identity of the seller. Users should ensure they only download the official Ledger Wallet apps on desktop and mobile. The situation involved counterfeit hardware, paired with a fake companion app flow designed to simulate the onboarding process, distributed through unofficial channels.”
“Ledger will never ask users for their 24 words. If anyone claiming to be Ledger, or any app that purports to be a Ledger app, asks for your 24 words, you should immediately assume it is a scam.”