Hackers have a new method to steal Bitcoin: sending users physical wallets of fake cryptocurrencies
When it comes to saving cryptocurrencies, the security behind them is the password we have and how well we keep it so that others do not access it. Many users prefer a special physical USB keychain where to save that password so that it is not published in any cloud or online. But what happens when lHackers manage to infiltrate even physical offline wallets?
It’s happening. Over the last few months, the number of attacks on cryptocurrency users who store their data in physical cryptocurrency wallets. In principle, these wallets are the safest alternative to store cryptocurrencies (unless you lose them). But they are not invulnerable.
The non-Ledger physical Ledger wallet
As they relate in Vice, Ledger users are receiving fake physical wallets. Ledger is a company dedicated to the manufacture of physical wallets for cryptocurrencies. The company has different products on the market, especially USB keychains to store cryptocurrencies safely.
Last year Ledger suffered a massive hack That put hundreds of thousands of accounts in jeopardy. Users saw their data compromised and are still suffering the consequences ever since. One of those consequences seems to be this scam. Users are receiving new seemingly real and Ledger keychains, although in reality they are not.
Since their physical addresses and data were leaked, hackers are sending physical wallets on Ledger’s behalf. The keyrings arrive with instructions and a letter supposedly signed by Ledger’s CEO. In the letter users are asked to replace their current physical wallet with this new one because the data was recently compromised.
According indicates Ledger itself, what’s behind this is a Ledger Nano X (actual company product) but tampered with. A flash drive is added containing an app that prompts the user to enter their 24-word recovery phrase. This phrase is sent to scammers who can then access user accounts and transfer all cryptocurrencies.
According to Ledger, this phrase should never be shared, not even with the company itself. They say that much of the responsibility in the end falls on the user himself and his awareness that he is playing with important and valuable data in between.