A security researcher on Reddit has uncovered a fake Ledger Nano S+ being sold on a Chinese marketplace at the same price as the official device.
The counterfeit looked legitimate from the outside, but a teardown revealed a general-purpose ESP32-S3 microcontroller from Espressif Systems in place of the certified secure element that real Ledger devices use to isolate keys. Some component markings had been deliberately scraped off, and sensitive data, including the PIN and the seed phrase, was stored in plain text in the device's firmware, with none of the hardware isolation a secure element provides.
The attack does not bypass Ledger's security at all: the official Ledger Live app flags the counterfeit through its built-in Genuine Check. The real threat is a QR code inside the packaging that sends users to a cloned site resembling ledger.com, from which they are pushed to download malicious builds of Ledger Live for Android, iOS, Windows, and macOS. Because the fake app ships alongside the fake device, the official app's check never gets a chance to run.
These fake apps show a hardcoded "verification" screen that performs no check at all. In the background they capture seed phrases and send them to attacker-controlled servers. The Android build goes further: it monitors wallet balances and intercepts the communication between the device and the app.
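As an added illustration (my own code, not the researcher's, the post's, or Ledger's, and not Ledger's actual attestation protocol), the Go program below contrasts what a genuine check has to do with what the cloned app's hardcoded screen does. It models a manufacturer root key, a device key that the manufacturer certifies at provisioning, and a challenge-response over a fresh nonce. A counterfeit built on a generic microcontroller can generate its own key and sign with it, but it cannot produce a manufacturer signature over that key, so the real check rejects it; the fake app's check returns "genuine" without ever talking to the device. All type and function names (`Device`, `provision`, `GenuineCheck`, `FakeAppCheck`) are illustrative, and the scheme is a simplified stand-in for a real device attestation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Device models the hardware side of the check (illustrative, not Ledger's design).
// A genuine unit holds a factory-provisioned key plus the manufacturer's signature
// over its public key; a counterfeit can only self-sign.
type Device struct {
	priv *ecdsa.PrivateKey
	cert []byte // ASN.1 ECDSA signature over pubBytes(pub)
}

// pubBytes serialises a P-256 public key as fixed-width X||Y (64 bytes).
func pubBytes(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return out
}

// parsePub is the verifier's parser for untrusted key bytes sent by the device.
func parsePub(b []byte) (*ecdsa.PublicKey, error) {
	if len(b) != 64 {
		return nil, errors.New("bad public key length")
	}
	x := new(big.Int).SetBytes(b[:32])
	y := new(big.Int).SetBytes(b[32:])
	if !elliptic.P256().IsOnCurve(x, y) {
		return nil, errors.New("point not on curve")
	}
	return &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, nil
}

// provision creates a device key and a certificate over it. The factory passes the
// manufacturer key; a counterfeit has no such key and can only self-sign (pass nil).
func provision(mfr *ecdsa.PrivateKey) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer := mfr
	if signer == nil {
		signer = priv // self-signed: worthless to a verifier that trusts only the manufacturer
	}
	digest := sha256.Sum256(pubBytes(&priv.PublicKey))
	cert, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, cert: cert}, nil
}

// Attest is the device's reply to a challenge: its public key, its certificate,
// and a signature over the verifier's nonce.
func (d *Device) Attest(nonce []byte) (pub, cert, sig []byte, err error) {
	h := sha256.Sum256(nonce)
	sig, err = ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	return pubBytes(&d.priv.PublicKey), d.cert, sig, err
}

// GenuineCheck is what a real app has to do: confirm the certificate chains to the
// manufacturer root it trusts, then confirm the device signed a nonce chosen just now.
func GenuineCheck(mfrPub *ecdsa.PublicKey, d *Device) bool {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return false
	}
	pub, cert, sig, err := d.Attest(nonce)
	if err != nil {
		return false
	}
	certDigest := sha256.Sum256(pub)
	if !ecdsa.VerifyASN1(mfrPub, certDigest[:], cert) {
		return false // key never certified by the manufacturer: counterfeit or foreign root
	}
	devPub, err := parsePub(pub)
	if err != nil {
		return false
	}
	nonceDigest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(devPub, nonceDigest[:], sig) // proves possession of the certified key
}

// FakeAppCheck is the cloned app's "verification" screen: it never talks to the device.
func FakeAppCheck(_ *Device) bool {
	return true
}

func main() {
	mfr, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo only: errors ignored
	genuine, _ := provision(mfr)
	fake, _ := provision(nil)
	fmt.Println("official app, genuine device:    ", GenuineCheck(&mfr.PublicKey, genuine))
	fmt.Println("official app, counterfeit device:", GenuineCheck(&mfr.PublicKey, fake))
	fmt.Println("cloned app, counterfeit device:  ", FakeAppCheck(fake))
}
```

The point of the split is that the trust anchor lives in the verifier, not in the device or the app: a device that cannot show a manufacturer-signed key fails no matter how convincing its shell is, and an app that hardcodes the answer is worthless no matter how genuine the device is. That is why swapping the app via the QR code defeats the check without touching the hardware.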
The researcher linked the operation to a Shanghai-registered shell company set up specifically to sell on JD.com, with infrastructure supporting multiple distribution channels across desktop and mobile.
The scam appears to be designed to target first-time hardware wallet users, who are more likely to follow onboarding instructions, scan QR codes, and download software from links in the box.
Ledger has not issued a public statement, but a verified support account asked the researcher to file a formal report. The practical lessons: buy hardware wallets only from official sources, download Ledger Live only by typing ledger.com yourself rather than following a QR code or link from the box, treat any "genuine" screen as meaningless unless the app itself came from the official site, and never type the recovery phrase into any app or website, because Ledger never asks for it.
#CryptoSecurity #Ledger #Cryptoscam #Web3Security #phishingscam