According to PANews, hardware wallets are physical devices designed for storing cryptocurrencies, providing a secure means of safeguarding digital assets. These wallets store private keys offline, ensuring users maintain full control over their cryptocurrencies and reducing the risk of online hacking.
Despite their security features, many investors, particularly beginners, fall victim to scams that result in the loss of assets stored in hardware wallets. Two prevalent methods of theft include fraudulent instruction manuals and modified hardware wallet scams.
Fraudulent instruction manual scams exploit users' lack of understanding of hardware wallets. Scammers replace the genuine manual with a fake one, misleading victims into transferring funds to phishing addresses. Victims often purchase hardware wallets from third-party platforms, follow the fake manual's instructions to open the wallet using a "default PIN," and back up the "seed phrase" printed in the manual. Consequently, they deposit significant funds into the wallet, only to have them stolen.
The scam does not involve hacking the wallet's hardware. Instead, scammers pre-activate the wallet, obtain the seed phrase, and repackage it with a fake manual. They then sell these pre-activated wallets through unofficial channels. Once victims transfer their crypto assets to the wallet, the standard fake wallet theft process begins.
In Chinese-speaking regions, similar risks exist. Notably, hardware wallet manufacturer imkey has warned users about unofficial stores selling "activated" wallets with altered manuals, tricking users into depositing funds into wallets with addresses created by malicious sellers. This highlights the importance of identifying official online stores as much as official websites.
Another scam involves modified hardware wallets. A Ledger user received an unsolicited package containing a new Ledger X wallet and a letter claiming it was sent due to a data breach at Ledger. The letter instructed the user to replace their device for security reasons. However, Ledger CEO Pascal Gauthier clarified that the company does not compensate for personal data leaks. The user identified the package as a scam, noting tampering signs inside the wallet's plastic casing.
Additionally, Kaspersky's security team reported a case involving a counterfeit Trezor hardware wallet. A victim purchased a Trezor Model T from an unofficial source, only to find the device's firmware had been altered by attackers, granting them access to the user's crypto assets.
In conclusion, supply chain attacks on hardware wallets are widespread, and both investors and manufacturers should remain vigilant. To mitigate theft risks, users should purchase hardware devices from official channels, ensure wallets are in an unactivated state, and personally generate wallet addresses. If a device appears activated or includes a "default password" or "default address," users should cease using it and report it to the wallet manufacturer. Proper usage can effectively prevent theft.