Cybersecurity Researcher Warns: High-End Counterfeit Ledger Devices That Can Steal Mnemonic Phrases Found on Chinese E-Commerce Platforms
A cybersecurity researcher disclosed in a technical report that a batch of counterfeit Ledger hardware wallets is being sold on Chinese e-commerce platforms. These devices use general-purpose chips like the ESP32-S3 instead of dedicated security chips, and are equipped with built-in WiFi/Bluetooth modules that can record user-generated wallets and mnemonic phrases, sending them back through a counterfeit "Ledger Live" application. Victims unknowingly expose their assets and mnemonic phrases to servers controlled by attackers.
After reverse engineering the devices, the researchers pointed out that they are convincing: the packaging resembles the official product and the prices even match official channels, so buyers cannot identify the risk from appearance or price alone. However, when the device connects to the real Ledger Live application, it fails the "genuine verification" check, and its internal hardware differs significantly from the official product, most notably in the absence of a dedicated secure element chip.
This case echoes the recent exposure of a counterfeit Ledger Live application scam: attackers cloned the "Ledger Live" application and distributed it through channels such as the App Store and Mac App Store, luring users into entering their mnemonic phrases, with losses in single incidents reaching millions of dollars. Both incidents show that the security bottleneck of the hardware wallet ecosystem is shifting towards supply chain fraud and counterfeit software, rather than vulnerabilities in the devices themselves.
Source: Public Information
ABAB AI Insight
This is no longer just a matter of swapping in a fake shell; attackers are mimicking the entire trust chain. They have replicated the hardware appearance, the software interface, and even the distribution channels, creating a "parallel version" of the Ledger experience designed to steal at the moment users trust the device most: when they create a wallet and write down the mnemonic phrase. In effect, this structure turns the "hardware wallet" from a secure terminal into a phishing tool.
From an industry structure perspective, the authenticity of security hardware and the integrity of software distribution have proven to be two critical weak points. Attackers do not need to breach the secure element; with counterfeit hardware and cloned software they insert themselves before the user ever enters the genuine trust chain, bypassing every lower-level security design. This shows that the hardware wallet security model relies heavily on the cleanliness of the user's purchase path and of official software distribution; once either end is contaminated, hardware-level protection becomes secure in isolation but insecure as a whole.
Under the tension between decentralized assets and centralized supply chains, such issues will continue to escalate. When users buy a "brand new, sealed" wallet on a third-party marketplace, a short-video platform storefront, or a social commerce store, they effectively give up control over the supply chain and place their trust in the intermediary platform and payment channel. Yet platforms are far less capable of identifying and policing counterfeit hardware than they are of reviewing ordinary SKUs, which makes hardware-level fraud a low-risk, high-reward choice for criminals.
In the long term, such events are pushing trust verification further down the chain: the verification process for hardware wallets will evolve from "plug and play" to more demanding trust checks, including device authenticity verification, firmware signature verification, cross-validation across multiple chains, and better guidance of user behavior. For ordinary users, however, the real challenge is choosing between "convenience, low price, and aesthetics" and "real security," while attackers make counterfeit devices close enough to the original and cheap enough to turn that choice into a systemic battle over perception.
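The "genuine verification failure" mentioned above, and the device authenticity checks this paragraph anticipates, both rest on the same idea: a secret key that only exists inside the vendor-provisioned secure element, and a certificate on its public half signed by the vendor's root key. The program below is an added illustration written for this page, not Ledger's code or protocol; the key names, the `Provision`/`GenuineCheck` functions and the use of Ed25519 are assumptions chosen to keep the example self-contained. It shows why a clone built on a commodity MCU fails the check even when it copies the look, the app, and even a genuine device's certificate: without the matching private key it cannot answer a fresh challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// ManufacturerRoot holds the vendor's root key pair (hypothetical model).
// In a real deployment only the public half ships inside the companion app;
// the private half stays in the vendor's HSM. Both are generated in-process
// here so the example runs offline.
type ManufacturerRoot struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// DeviceCert binds a device attestation public key to the vendor root by a
// root signature over the public key bytes.
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	RootSig   []byte
}

// Device models a unit that presents a certificate and signs challenges with
// whatever private key it actually holds.
type Device struct {
	Cert DeviceCert
	priv ed25519.PrivateKey
}

func NewRoot() (*ManufacturerRoot, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ManufacturerRoot{Pub: pub, priv: priv}, nil
}

// Provision is the factory step for a genuine unit: the attestation key is
// generated in the secure element and the vendor signs its public half.
func (r *ManufacturerRoot) Provision() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Cert: DeviceCert{DevicePub: pub, RootSig: ed25519.Sign(r.priv, pub)}, priv: priv}, nil
}

// NewCounterfeit models a clone that never saw the vendor: it generates its own
// key and "certifies" it with that same key, which the root never signed.
func NewCounterfeit() (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Cert: DeviceCert{DevicePub: pub, RootSig: ed25519.Sign(priv, pub)}, priv: priv}, nil
}

// NewCloneWithStolenCert models a clone that copied a genuine device's
// certificate but, lacking the secure element, holds a different private key.
func NewCloneWithStolenCert(genuine *Device) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{Cert: genuine.Cert, priv: priv}, nil
}

// SignChallenge is the device side of the genuine check.
func (d *Device) SignChallenge(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// GenuineCheck is the companion-app side: verify the certificate against the
// vendor root, then verify a signature over a fresh random challenge so that a
// replayed or borrowed signature cannot pass.
func GenuineCheck(rootPub ed25519.PublicKey, d *Device) error {
	if !ed25519.Verify(rootPub, d.Cert.DevicePub, d.Cert.RootSig) {
		return errors.New("genuine verification failure: certificate not signed by manufacturer root")
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	if !ed25519.Verify(d.Cert.DevicePub, challenge, d.SignChallenge(challenge)) {
		return errors.New("genuine verification failure: device cannot sign with the certified key")
	}
	return nil
}

func main() {
	root, _ := NewRoot()
	genuine, _ := root.Provision()
	fake, _ := NewCounterfeit()
	clone, _ := NewCloneWithStolenCert(genuine)
	fmt.Println("genuine device:", GenuineCheck(root.Pub, genuine))
	fmt.Println("self-signed counterfeit:", GenuineCheck(root.Pub, fake))
	fmt.Println("clone with stolen certificate:", GenuineCheck(root.Pub, clone))
}
```

The two failure paths map onto the article's observations: a device without a vendor-signed certificate fails the first check, and a device that presents a copied certificate but has no secure element holding the matching key fails the second. This is also why a counterfeit companion app is the natural partner to counterfeit hardware: the check only protects users when the root public key and the verification logic come from genuine software.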