Researcher uncovers fake Ledger Nano S modified to siphon crypto assets

A Brazilian security researcher has uncovered a sophisticated counterfeit Ledger device operation after discovering modified hardware designed to siphon cryptocurrency from unsuspecting users.

Summary

• A Brazilian security researcher identified a sophisticated hardware compromise in a counterfeit Ledger Nano S Plus that utilized modified firmware to capture user recovery phrases.
• Physical inspections of the fraudulent device revealed the addition of unauthorized WiFi and Bluetooth components alongside a secondary manufacturer’s chip hidden beneath scraped markings.
• The operation relies on a deceptive QR code included in the packaging to lure users into downloading a malicious application designed to bypass official security checks.

The security researcher, known online as “Past_Computer2901,” shared findings on Reddit after purchasing what appeared to be a standard Ledger Nano S Plus from a Chinese marketplace

Despite the packaging and price point matching official retail standards, the unit failed a “Genuine Check” when connected to the authentic Ledger Live desktop application

This red flag led to a physical teardown of the device, revealing that the internal circuitry had been altered to include WiFi and Bluetooth antennas—features entirely absent from the legitimate model.

Hardware manipulation and malicious redirects

Scammers are utilizing these tampered devices to exploit first-time buyers through a deceptive setup process

A QR code included in the packaging directs users to a fraudulent version of the Ledger Live app, which is programmed to bypass security warnings and issue a fake verification of the hardware’s authenticity

Once a user follows the prompts to generate or enter a seed phrase, the compromised firmware captures the data, allowing the attackers to drain the wallet at will.

“This isn’t meant to cause panic, but rather to serve as a serious warning — I’m honestly still a bit shaken by the sheer scale of this operation,” the researcher noted.

Internal analysis of the unit showed that the scammers went to great lengths to hide the fraud, including scraping off original chip markings.

Counterfeit Ledger device. Source: Reddit

While the device initially identified itself as a Nano S Plus 7704 during the boot phase, the final sequence revealed the manufacturer as Espressif Systems, a Shanghai-based semiconductor firm

These modifications fundamentally break the security premise of Ledger products, which are built to keep private keys in a strictly offline environment.

The discovery follows a separate incident earlier this month where a fraudulent app bypassed Apple App Store security via a bait-and-switch tactic. The malicious software successfully tricked over 50 people into revealing their recovery phrases, resulting in the theft of $9.5 million before the platform removed the listing.

“Stay safe out there. Only download Ledger Live from ledger.com. Only buy hardware from ledger.com. If your device fails the Genuine Check — stop using it immediately,” the researcher cautioned.

As previously reported by crypto.news, scammers have also targeted Ledger customers using fake Ledger App.