Fake Ledger Wallet Scam: Counterfeit Chip and Plaintext Seed Theft

A Brazil-based cybersecurity researcher says a fake Ledger wallet scam is being sold on a Chinese marketplace. The package looks authentic, but when the device is connected and checked via Ledger Live, it fails the “Genuine Check,” confirming it is not a real Ledger unit.

Inside the counterfeit hardware, the researcher found major red flags. It uses an ESP32-S3 chip with internal flash instead of Ledger’s Secure Element. Firmware analysis also showed that the user PIN and the seed phrase are stored in plaintext, and that the firmware contains hardcoded links to attacker-controlled command-and-control (C2) servers.

The attack chain centers on phishing outside the device. A QR code on the packaging prompts victims to install a counterfeit “Ledger Live” app for Android, iOS, Windows, or macOS. The fake app shows a Genuine Check screen that always “passes,” then collects wallet setup data while exfiltrating seed phrases to external servers. For Android, the decompiled APK indicates stealth behavior, including covert network requests and continued background activity after the app is closed.

The researcher stressed that this is not a flaw in Ledger’s Secure Element or its Genuine Check; the counterfeit device fails the real check, and the scam relies on a fake app that fakes the result. For traders, this is mainly a self-custody security risk: installing a fake Ledger wallet exposes the seed phrase and makes account takeover more likely. Traders should treat QR links from untrusted sources as hostile and verify hardware and firmware authenticity before use. The report has been submitted to Ledger, with further analysis planned for Windows, macOS, and iOS.
Neutral
This news is not a direct market-moving catalyst for any specific cryptocurrency price. The core impact is on self-custody safety: a fake Ledger wallet can lead to seed phrase compromise and account takeovers, which may increase retail caution toward wallet distribution channels. In the short term, sentiment around hardware wallet purchases and QR-based setup flows could tighten, but it is unlikely to change broad network fundamentals or liquidity. In the long term, the incident may push stronger verification practices, faster app and security patching, and more scrutiny of third-party links, potentially improving user hygiene after the initial disruption. Overall, traders should treat it as a risk-management alert rather than a bullish or bearish driver for token prices.