A security researcher in Brazil bought what looked like a Ledger Nano S+ hardware wallet from a Chinese online marketplace. The price was lower than it should have been. The packaging held up at a distance. Once he opened it, the device turned out to be a precisely constructed counterfeit running a draining operation across five platforms at once.

Inside was an ESP32-S3 chip, a component common in low-cost IoT products, standing in for Ledger's genuine ST33 Secure Element. The chip markings had been ground off. The firmware identified itself as "Ledger Nano S+ V2.1," a version Ledger has never released. Every seed phrase or PIN typed into the device was stored in plain text and sent in real time to the attacker's server.

The seller bundled a fake version of Ledger's official app. It was signed with a debug certificate and quietly intercepted data through background requests to two command-and-control servers. That was the Android vector.
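A practical way to catch the app-side half of this, as an added example that is not code from the article or from the researcher: an Android release APK should never be signed with the default Android SDK debug keystore identity (subject `CN=Android Debug, O=Android, C=US`), and its signer certificate should match a fingerprint pinned from a known-good install of the vendor's app. The Go program below implements both checks with the standard library's `crypto/x509`. The two certificates it builds are constructed stand-ins for the signer certificate an analyst would normally extract from the APK with `apksigner verify --print-certs`; the "vendor" subject and the pinned fingerprint are placeholders, not Ledger's real signing identity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Default subject of the Android SDK debug keystore. A release app signed with
// this identity was built with a developer debug key, not a vendor release key.
const (
	debugCN      = "Android Debug"
	debugOrg     = "Android"
	debugCountry = "US"
)

// IsAndroidDebugCert reports whether a signing certificate carries the
// default Android debug-keystore subject.
func IsAndroidDebugCert(cert *x509.Certificate) bool {
	s := cert.Subject
	return s.CommonName == debugCN &&
		len(s.Organization) == 1 && s.Organization[0] == debugOrg &&
		len(s.Country) == 1 && s.Country[0] == debugCountry
}

// Fingerprint returns the lowercase hex SHA-256 of the DER-encoded certificate,
// the same value apksigner prints as the signer's certificate SHA-256 digest.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// MatchesPinnedSigner compares the certificate against a fingerprint pinned
// from a known-good copy of the vendor app.
func MatchesPinnedSigner(cert *x509.Certificate, pinnedHex string) bool {
	return Fingerprint(cert) == pinnedHex
}

// Verdict summarises the two checks for an analyst. The debug-key check runs
// first because it is conclusive on its own, whatever the pin says.
func Verdict(cert *x509.Certificate, pinnedHex string) string {
	switch {
	case IsAndroidDebugCert(cert):
		return "REJECT: signed with the default Android debug key"
	case !MatchesPinnedSigner(cert, pinnedHex):
		return "REJECT: signer does not match the pinned vendor certificate"
	default:
		return "OK: signer matches the pinned vendor certificate"
	}
}

// subjectName builds a pkix.Name from the three fields the debug check looks at.
func subjectName(cn, org, country string) pkix.Name {
	return pkix.Name{CommonName: cn, Organization: []string{org}, Country: []string{country}}
}

// makeSelfSigned creates a constructed self-signed certificate with the given
// subject, standing in for the signer certificate extracted from an APK
// (APK signing certificates are normally self-signed, so the shape is realistic).
func makeSelfSigned(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed stand-ins: a placeholder vendor release signer and a debug-keystore signer.
	release, err := makeSelfSigned(subjectName("Example Vendor Release", "Example Vendor", "FR"))
	if err != nil {
		panic(err)
	}
	debug, err := makeSelfSigned(subjectName(debugCN, debugOrg, debugCountry))
	if err != nil {
		panic(err)
	}
	pinned := Fingerprint(release) // in practice: recorded from a known-good install
	fmt.Println("release app:     ", Verdict(release, pinned))
	fmt.Println("debug-signed app:", Verdict(debug, pinned))
}
```

The pin is the stronger of the two checks: a counterfeit could just as easily be signed with a freshly generated "release-looking" key, which the debug-subject test would pass but the fingerprint comparison would still reject. The subject test is kept because it needs no prior known-good sample and flags exactly the mistake the article describes.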

The same group behind the device was also pushing a Windows executable, a macOS installer matching patterns from campaigns tracked under the AMOS malware family, and an iOS TestFlight link that bypasses App Store review entirely. Five delivery channels. All running together.

Previously documented fake Ledger cases involved isolated physical devices sent through the mail or listed on grey-market sellers. Users on BitcoinTalk have reported losses of over $200,000 from compromised devices purchased off third-party platforms. This operation is broader. It does not rely on one entry point.

Ledger's own phishing guidance confirms the company will never contact users by phone or text, will never send a recovery phrase, and cannot deactivate any device. If a device arrives with words already written on the recovery sheet, it is not safe. If setup instructions tell you to type your seed into an app, that is a scam.

The researcher has filed a full report with Ledger's Donjon security team. A technical breakdown with full indicators of compromise will follow once internal review wraps.

For the full investigation details, including the exact C2 infrastructure, the five attack vectors broken down, and what to check if you bought from a non-official seller, read the complete story at https://www.cryptonewslive.org/article/fake-ledger-wallets-now-attack-five-ways-at-once