Brazilian researchers have flagged fake Ledger hardware wallets that are being sold in a Chinese marketplace in order to syphon crypto wallet addresses and seed phrases from unsuspecting users.
The discovery, published on Friday by researcher “Past_Computer2901,” highlighted that the device involved was a counterfeit version of the Ledger Nano S Plus, which is normally used to safely store cryptocurrency offline.
The move comes at a time when cryptocurrency hardware scams are on the rise in 2025-2026 due to high levels of fraud and social engineering attacks aimed at self-custody owners.
At the beginning of 2026, scam artists were employing highly developed techniques such as Trojan hardware and AI, which caused losses of more than $282 million worth of BTC and LTC, TRM Labs highlights in its report.
Modus operandi of the scam
The scam works on the principle of gaining user trust and then defrauding them of their crypto holdings.
At first glance, the fake device looked completely genuine: the box, price, and branding all matched official products. But when the researcher connected it to the official Ledger Live app, the device failed a built-in authenticity test.
After opening the device, the researcher also found hidden hardware components that should not exist in a legitimate wallet, specifically WiFi and Bluetooth chips. Real Ledger devices are designed to stay offline for security. These extra components allowed the fake device to secretly send sensitive data to attackers.
The scam works through a QR code placed inside the box. When users scan it, they are directed to download a fake version of the wallet app. That fake app tricks users into entering their recovery phrase (the 24 secret words that control their crypto).
Once the user enters those words, the attackers can immediately access the wallet and steal the funds.
At first, the fake product seemed to behave like an actual Ledger Nano S Plus device, displaying the legitimate model name when turned on. However, during the test, it soon became apparent that the onboard processor was made by Espressif Systems, a detail that can never be seen on an authentic Ledger wallet.
Genuine Ledger products are designed to keep private keys off the internet at all times. Therefore, any attempt to add new hardware elements would mean breaking the protection mechanisms in place and opening up a direct connection for malicious parties, who would obtain your data unnoticed.
The discovery comes on the heels of a similar event earlier this month, in which a phishing app compromised the security of the Apple App Store using a bait-and-switch technique.
The malicious app was able to trick more than 50 individuals into divulging their secret phrases, which led to a $9.5 million theft before the app was taken down by the platform.
How to stay safe?
Separately, Ledger has come forward to caution buyers about hardware scams, commenting in the media that investors should “remain cautious” when purchasing hardware wallets on online marketplaces.
The firm’s spokespersons have also stressed that one of the crucial steps toward ensuring safety is checking the identity of the vendor. In its official statement, the company emphasized that users should download the corresponding wallet applications exclusively from official sources when using desktops or smartphones.
It is common practice for scammers to deliver a fake device with counterfeit software that mimics the official application’s user interface.
In particular, the spokesperson elaborated on the problem and provided details about the latest occurrences, in which fraudsters used counterfeit hardware together with companion software designed to deceive victims.
In this case, the counterfeit application was designed to provide an onboarding procedure similar to that of genuine devices. Thus, the scammers aimed to make the user feel that the hardware is authentic and trust it with crypto funds.
Finally, the firm reiterated the most elementary rule applicable to any cryptocurrency investor. Specifically, Ledger will never request the recovery phrase from the customer. This 24-word password serves as the main key for the wallet and represents one of the most valuable assets. Hence, any attempt to obtain such information should be treated as a scam operation.

