A brand new Ledger phishing marketing campaign is underway that pretends to be a knowledge breach notification asking you to confirm your restoration phrase, which is then stolen and used to steal your cryptocurrency.
Ledger is a {hardware} cryptocurrency pockets that means that you can retailer, handle, and promote cryptocurrency. The funds in these wallets are secured utilizing 24-word restoration phrases or 12 and 18-word phrases generated by different wallets.
Anybody who is aware of your Ledger restoration phrase can use it to entry the funds throughout the pockets. Due to this fact, restoration phrases should at all times be saved offline and by no means shared with anybody to stop cryptocurrency funds from being stolen.
Pretend information breach notifications
Ledger has lengthy been a goal of phishing campaigns that try to steal customers’ restoration phrases or push pretend Ledger Dwell software program to steal info. These campaigns grew to become considerably worse after Ledger suffered a knowledge breach in 2020 that uncovered its prospects’ names, addresses, cellphone numbers, and e mail addresses.
Nonetheless, over the previous few days, a number of folks have notified BleepingComputer or shared on X that they acquired a Ledger phishing e mail that pretends to be a brand new information breach notification.
The phishing emails have the topic of “Security Alert: Data Breach May Expose Your Recovery Phrase” and seem like from “Ledger <support@ledger.com”. Nonetheless, they’re truly despatched via the SendGrid e mail advertising and marketing platform.
The phishing emails declare that Ledger suffered a knowledge breach and that some restoration phrases have been uncovered. The e-mail then goes on to say that the consumer should confirm their restoration phrase on Ledger’s official verification web page.
“We regret to inform you that a recent data breach has affected our service. While your Ledger wallet remains secure, there is a possibility that recovery phrases (also known as “seed phrases”) linked to certain accounts have been exposed,” reads the phishing e mail.
“To safeguard your assets, we strongly encourage you to verify the security of your recovery phrase through our secure verification tool.”
Clicking the “Verify My Recovery Phrase” button brings you to an Amazon AWS web site at “https://product-ledg.s3.us-west-1.amazonaws[.]com/recover.html” that then redirects customers to a phishing web page at “ledger-recovery[.]info”.
The ledger-recovery[.]information area was registered on December fifteenth, 2024.
This web site pretends to be a Ledger website that asks you to carry out a safety examine to see in case your restoration phrase is compromised, as proven under.
Clicking the “Verify your Ledger now” brings up one other web page asking you to enter your 12, 18, or 24-word Ledger restoration phrase.
As you enter every phrase, the phishing web page will examine if the phrase is considered one of 2,048 legitimate phrases that may be entered as a part of a restoration phrase. If a phrase not on the listing is entered, will probably be proven with a line via it.
As you enter every phrase, the phishing web page will ship the entire entered restoration phrases to the location’s backend to retailer them on the server.
BleepingComputer was informed that it doesn’t matter what restoration phrase you enter, it should at all times state that it was invalid. It’s believed this being executed in order that targets enter the phrase a number of instances, permitting the phishing web page to confirm that the right phrases are being entered.
Different folks have additionally shared different Ledger phishing emails despatched out just lately, together with one which pretends to be a brand new firmware replace. It, too, makes an attempt to steal customers’ restoration phrases.
Armed with the restoration phrase, the attackers can acquire full entry to your cryptocurrency funds and steal them.
What ought to Ledger homeowners do?
At the start, by no means enter your restoration phrase or secret passphrase in any app or web site. Restoration phrases ought to solely be entered instantly on the Ledger machine you are attempting to get better.
As it’s straightforward to create lookalike domains that impersonate legit websites, in terms of cryptocurrency and monetary property, at all times kind the area you are making an attempt to succeed in into your browser somewhat than counting on hyperlinks in emails. This manner, you realize you’re going to ledger.com somewhat than a website impersonating it.
Lastly, disregard any emails claiming to be from Ledger stating that you just have been affected by a current information breach or asking you to confirm your restoration phrase.
Ledger won’t ever ask you to your restoration phrase, and as beforehand stated, it ought to by no means be shared with anybody else.