A Brazilian security researcher has uncovered a sophisticated counterfeit Ledger Nano S Plus operation after purchasing what appeared to be a legitimate hardware wallet from a Chinese online marketplace, only to find the device had been physically and digitally rebuilt to capture user recovery phrases.
The researcher, who posts under the username “Past_Computer2901,” shared the findings on Reddit, warning users that the scheme is far more sophisticated than previous counterfeit cold wallet operations spotted on Chinese e-commerce platforms.
Fake Ledger Device Fails Authentication Check
The unit was priced identically to the official Ledger store and arrived in packaging that closely mirrored authentic retail units.
However, the device failed Ledger’s built-in “Genuine Check” when connected to the official Ledger Live desktop application, the first sign that something was wrong. A subsequent teardown revealed extensive hardware manipulation. The internal circuitry had been altered to include WiFi and Bluetooth antennas, features absent from the legitimate model.
Chip markings had been scraped off to hide the unit’s true origin, and firmware analysis showed the device initially identified itself as a Nano S Plus before ultimately reporting its manufacturer as Espressif Systems, a Shanghai-based semiconductor firm best known for its WiFi- and Bluetooth-capable ESP32 microcontrollers, which accounts for the radio antennas found in the teardown.
“This isn’t meant to cause panic, but rather to serve as a serious warning. I’m honestly still a bit shaken by the sheer scale of this operation,” the researcher wrote.
How Buyers of Counterfeit Ledger Wallets Are Being Tricked
According to the researcher, the counterfeit devices target first-time hardware wallet buyers. A QR code on the packaging directs users to a fraudulent version of the Ledger Live app that bypasses security warnings and displays a fake confirmation of the device’s authenticity.
Once a user enters or generates a seed phrase, the compromised firmware captures the recovery data, giving attackers full access to the victim’s wallets. The modifications, the researcher said, fundamentally undermine the offline security premise at the core of Ledger’s product line.
Ledger Responds to Counterfeit Hardware Discovery
A Ledger spokesperson told crypto.news the company is aware of the counterfeit channel and urged users to verify their retail source. “The situation involved counterfeit hardware, paired with a fake companion app flow designed to simulate the onboarding process, distributed through unofficial channels,” the spokesperson said.
“Ledger will never ask users for their 24 words. If anyone claiming to be Ledger, or any app that purports to be a Ledger app, asks for your 24 words, you should immediately assume it is a scam.”
The discovery lands weeks after a fraudulent Ledger Live app bypassed Apple’s App Store review and drained roughly $9.5 million from more than 50 victims, according to blockchain investigator ZachXBT, before being removed by Apple.
The researcher’s advice was blunt: only download Ledger Live from ledger.com, only buy hardware from ledger.com, and stop using any device that fails the Genuine Check.