Fake Ledger wallets sold on online marketplaces appear built to steal seed phrases and PINs


A counterfeit Ledger Nano S Plus sold through a Chinese marketplace appears to have been built to steal recovery phrases and PINs from the start. The case came to light after a Brazilian security researcher posted a teardown showing a fake device that failed Ledger’s Genuine Check in the official Ledger Live app, then exposed hardware and firmware that did not match a real Nano S Plus.

The broad warning is simple. A fake device can look real enough to fool a buyer, but Ledger’s own guidance says only a genuine device with its secure element can pass the cryptographic authenticity check in Ledger Live. Ledger also warns that counterfeit packages, fake apps, and phishing flows remain common attack paths for crypto holders.

The researcher’s post describes a supply-chain style scam rather than a flaw in Ledger’s core security design. In the Reddit update, the researcher says the Genuine Check worked as intended and identified the device as fake when used with the real Ledger Live, which sharply limits the attacker’s chances if the buyer starts with Ledger’s official software.

What the teardown reportedly found

According to the Reddit analysis, the counterfeit unit used an ESP32-S3 instead of the kind of secure hardware expected in a genuine Ledger device, and it included Wi-Fi and Bluetooth capability that should not appear in a real Nano S Plus. Tom’s Hardware, which reviewed the case, reported the same core findings and said the chip markings had been scraped off.

The researcher also said the firmware stored test PINs and seed data in plaintext and pointed to attacker infrastructure, including a malicious domain. Those claims come from the researcher’s teardown and public post, not from Ledger, so they should be treated as researcher findings rather than vendor-confirmed conclusions at this stage.

One of the most important details sits outside the hardware itself. The box reportedly pushed buyers toward a QR code that led to a fake Ledger Live download instead of Ledger’s real site. Ledger’s own support pages warn that fake Ledger Live apps and lookalike websites are among the most common scams used to trick people into revealing sensitive recovery data.

Why the fake app matters more than the fake shell

The counterfeit device appears designed to catch first-time users who never launch the official Ledger Live app. The researcher said the fake software showed a hardcoded “Genuine Check” success screen, which would remove the main warning a buyer should see on a counterfeit product.

That pattern fits Ledger’s own anti-phishing guidance. Ledger says the only safe place to download Ledger Live is directly from Ledger, and it warns that fake apps often try to create urgency or a false error before asking for a recovery phrase. A legitimate Ledger flow should never ask a user to type the 24-word recovery phrase into Ledger Live.

Some reports tied this hardware scam to a wider malware operation across Android, Windows, macOS, and iOS. The cross-platform part appears to come from the researcher’s investigation and follow-on media coverage, not from a public Ledger incident bulletin. The broader point that fake Ledger apps have recently caused real losses is supported, but the exact multi-platform scope in this specific marketplace case still rests mainly on outside reporting and the researcher’s post.

The $9.5 million loss figure needs careful framing

The sample article links this counterfeit wallet story to more than $9.5 million in theft from over 50 victims. That number appears tied to a separate fake Ledger Live app incident on Apple’s App Store, not necessarily to the counterfeit hardware case alone. Multiple outlets reported that Apple removed a fake Ledger app after on-chain analysis linked it to about $9.5 million in losses, and Apple told reporters it removed the app and suspended the developer account.

That does not make the hardware scam less serious. It means the safer way to write the story is this: the counterfeit device case appears to be part of a broader ecosystem of Ledger-themed phishing and fake-app fraud, but the public evidence does not yet prove that the device campaign itself caused the full $9.5 million loss figure.

That distinction matters for credibility. The researcher’s post offers strong visual and technical evidence for a counterfeit device and a fake software path, while the multimillion-dollar loss figure belongs to a better-documented fake app incident that Apple and outside investigators discussed separately.

Key details at a glance

| Item | What we can verify |
| --- | --- |
| Main product involved | Counterfeit Ledger Nano S Plus sold via a Chinese marketplace |
| How it was caught | Failed Genuine Check in official Ledger Live |
| Reported fake hardware | ESP32-S3 with scraped markings and wireless capability |
| Core scam path | Box QR code reportedly led users to fake Ledger Live software |
| Vendor position | Genuine Check should detect counterfeit devices when users rely on official Ledger Live |
| Related wider risk | Fake Ledger Live apps and phishing sites remain active scam methods |
| Separate recent incident | Fake Ledger app on Apple’s App Store linked by investigators to about $9.5 million in losses |

Sources: Ledger support pages, researcher Reddit post, Tom’s Hardware, and reporting on the Apple App Store fake app case.

How users should protect themselves

  • Buy Ledger devices only from Ledger or clearly authorized resellers. Ledger warns that fake devices, scam packages, and phishing setups remain active threats.
  • Download Ledger Live only from Ledger’s official site, never from a QR code inside the box or from a marketplace link.
  • Run the Genuine Check immediately with the official Ledger Live app before trusting any device with funds.
  • Never type your 24-word recovery phrase into an app or website. Ledger says that request is a scam signal.
  • Treat unknown firmware labels or any mismatch in device identity as a stop sign and report the device to Ledger support or security channels.
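
The download-source rule in the list above can be checked mechanically before anyone opens a link decoded from a box QR code or a marketplace listing. The following is an added example, not code from Ledger or the researcher; it assumes ledger.com is the only official domain, and the function name and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: ledger.com is the only registrable domain treated as official.
OFFICIAL_DOMAIN = "ledger.com"
BRAND = "ledger"


def check_download_url(url: str) -> tuple[bool, str]:
    """Classify a URL decoded from a QR code or marketplace listing."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # https://ledger.com@other.example/ really points at other.example
        return False, "userinfo hides the real host"
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized host, possible homoglyph lookalike"
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return True, "official domain"
    if BRAND in host:
        return False, "brand name in a non-official host"
    return False, "not the official domain"


# Constructed sample URLs (reserved .example names), not taken from the case.
SAMPLES = [
    "https://www.ledger.com/ledger-live",
    "http://www.ledger.com/ledger-live",
    "https://ledger.com@files.example/setup",
    "https://ledger.com.get-app.example/live",
    "https://l\u0435dger.com/ledger-live",  # Cyrillic 'e' in place of Latin 'e'
    "https://ledger-live.example/download",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        trusted, reason = check_download_url(sample)
        print(f"{'OK   ' if trusted else 'BLOCK'} {sample!r}: {reason}")
```

A passing URL only confirms where the link points; the Genuine Check in the official app remains the test of the device itself.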

FAQ

Did Ledger’s security fail here?

The public evidence points the other way. Ledger’s Genuine Check appears to have worked when the researcher used the official Ledger Live app, which helped expose the counterfeit device.

Can a fake Ledger device look real?

Yes. Ledger has long warned that counterfeit devices and convincing packaging can create a false sense of safety, which is why it relies on cryptographic attestation instead of seals or appearances.

Is the $9.5 million figure from this exact hardware case?

Not from what is publicly verified so far. That number is tied to a separate fake Ledger app incident on Apple’s App Store, though both stories fit the same wider wave of Ledger-themed scams.

What is the safest first step after buying a Ledger?

Install the official Ledger Live from Ledger’s site and run the Genuine Check before doing anything else.
