
A new phishing campaign is reportedly targeting Ledger hardware wallet users with fake data breach notification emails.

Security researchers at BleepingComputer have reported that scammers are sending emails that appear to come from Ledger’s official support address to users. According to them, the message claims that users should verify their recovery phrases due to a security breach.

The scam reportedly began on December 15, 2024, and uses Amazon AWS infrastructure to appear legitimate. These phishing attempts are designed to steal users’ 24-word recovery phrases, which would give the attackers full access to victims’ crypto funds.

The campaign appears to be particularly effective because it taps into real concerns stemming from the previous Ledger data breach in 2020, an episode in which customer information was actually exposed.

Cryptocurrency phishing campaign looks official

The phishing emails follow a precise pattern designed to look official. They arrive with the subject line “Security Alert: Data Breach Could Expose Your Recovery Phrase” and appear to come from “Ledger support@ledger.com.” However, investigators found that the scammers were actually using the email marketing platform SendGrid to distribute these messages.

When users click the “Verify recovery phrase” button in these emails, they are redirected through multiple stages. The first redirect leads to the Amazon AWS website at a suspicious URL: product-ledg.s3.us-west-1.amazonaws.com. From there, users are sent to a phishing site.

The phishing site shows clear technical capabilities. It includes a verification system that checks each entered word against 2048 valid words used in cryptocurrency recovery phrases. This real-time verification makes the site appear more legitimate to victims.

The attackers also added another deceptive element: the site always reports the entered phrase as invalid, prompting the victim to try again, which both captures additional attempts and lets the attackers cross-check that the words they have collected are the correct recovery phrase.

Additional versions of this scam have also been discovered. Some of the emails claim to be firmware update notifications, but they all share the same goal of stealing users’ recovery phrases to access their cryptocurrency wallets. Every word entered is immediately transmitted to the attackers’ servers.
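Taken together, the reported indicators (a From header claiming ledger.com while the mail is relayed through a bulk email service, the data-breach or firmware-update subject line, a "Verify recovery phrase" call to action, and a link that leaves the vendor domain for an S3 bucket) are enough to build a mail-gateway triage rule. The script below is an added example written for this article; it is not code from BleepingComputer, Ledger, or the campaign itself. The two raw messages are constructed test inputs, the SendGrid relay hostname and the ledger.com mail server in the benign sample are assumptions, and the quarantine threshold is a design choice, not a reported value.

```python
"""Heuristic triage for Ledger-themed phishing emails (added example).

Indicators are taken from the reported December 2024 campaign; the raw
messages, relay hostnames and the verdict threshold are constructed
assumptions for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "ledger.com"
LURE_SUBJECT = re.compile(r"data breach|recovery phrase|firmware update", re.I)
LURE_CTA = re.compile(r"verify (your )?recovery phrase", re.I)
# Matches bucket-style hosts such as product-ledg.s3.us-west-1.amazonaws.com
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$", re.I)
ESP_RELAY = re.compile(r"sendgrid\.net", re.I)  # assumption: relay seen in Received
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _is_legit(host: str) -> bool:
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)


def _text_parts(msg) -> str:
    """Concatenate every text/* part of the message as decoded text."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw: str) -> dict:
    """Return the phishing indicators found in one raw RFC 5322 message and a verdict."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, bounce_addr = parseaddr(msg.get("Return-Path", ""))
    from_domain, bounce_domain = _domain(from_addr), _domain(bounce_addr)

    # Header From claims the vendor domain while the envelope sender lives
    # elsewhere: the alignment failure DMARC enforcement would reject.
    if _is_legit(from_domain) and bounce_domain and not _is_legit(bounce_domain):
        findings.append("envelope_from_mismatch")

    # Mail relayed through a bulk email service instead of the vendor's own MTA.
    if any(ESP_RELAY.search(h) for h in msg.get_all("Received", [])):
        findings.append("third_party_relay")

    if LURE_SUBJECT.search(msg.get("Subject", "")):
        findings.append("lure_subject")

    body = _text_parts(msg)
    if LURE_CTA.search(body):
        findings.append("recovery_phrase_cta")

    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if S3_HOST.search(host):
            findings.append("link_to_s3_bucket")
        elif not _is_legit(host):
            findings.append("link_off_domain")

    findings = sorted(set(findings))
    # No legitimate vendor mail asks for a recovery phrase, so that indicator
    # alone quarantines; otherwise require three weaker signals (assumed threshold).
    suspicious = "recovery_phrase_cta" in findings or len(findings) >= 3
    return {"findings": findings, "suspicious": suspicious}


# Constructed sample modelled on the reported lure (not a captured message).
PHISH = """\
Return-Path: <bounces+1234-5678@em999.mail-relay.example>
Received: from o1.sendgrid.net (o1.sendgrid.net [192.0.2.10]) by mx.example.org; Sun, 15 Dec 2024 10:00:00 +0000
From: Ledger <support@ledger.com>
To: user@example.org
Subject: Security Alert: Data Breach Could Expose Your Recovery Phrase
Content-Type: text/html; charset=utf-8

<p>Due to a security breach, please verify your recovery phrase.</p>
<a href="https://product-ledg.s3.us-west-1.amazonaws.com/index.html">Verify recovery phrase</a>
"""

# Constructed benign control: aligned sender, vendor-hosted link, no phrase request.
BENIGN = """\
Return-Path: <support@ledger.com>
Received: from mail.ledger.com (mail.ledger.com [192.0.2.20]) by mx.example.org; Sun, 15 Dec 2024 10:00:00 +0000
From: Ledger <support@ledger.com>
To: user@example.org
Subject: Your order has shipped
Content-Type: text/plain; charset=utf-8

Track your order at https://www.ledger.com/orders
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(raw))
```

The verdict deliberately treats any request to "verify" a recovery phrase as decisive, because, as the advice later in the article notes, the phrase is only ever entered on the hardware device itself; the header-alignment and relay checks are there to catch variants that change the wording.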

Some security recommendations shared since then have reminded users that the only legitimate use of a recovery phrase is during the initial setup of a new hardware wallet or when regaining access to an existing wallet — and these actions should only be performed on the physical Ledger device itself.

Secondly, users were advised to treat any email purporting to be from Ledger with extreme caution, especially those that reference data breaches or require immediate action. Thirdly, users were reminded to store recovery phrases offline, preferably in a secure physical location away from digital devices.

For those who may have already interacted with the suspicious emails or websites, the researchers advise taking immediate action. Anyone who has entered their recovery phrase into any website should immediately move their funds to a new wallet generated with a fresh recovery phrase. The original wallet should be considered compromised and should no longer be used to store cryptocurrency.