A Brazilian security researcher discovered a fake Ledger Nano S Plus purchased on a Chinese marketplace, equipped with modified hardware and a WiFi antenna to steal seed phrases.
A Brazilian security researcher, who identified himself as “Past_Computer2901” on the “ledgerwallet” subreddit, published on Thursday a detailed analysis of a counterfeit Ledger device purchased on a Chinese marketplace. The device, a Ledger Nano S Plus, was sold at the same price as the official Ledger store and came in packaging that appeared authentic. Only after connecting it to the genuine Ledger Live app, which was already installed on his computer, did the researcher notice that the device failed Ledger’s built-in “Genuine Check”.
After dismantling the device, the researcher discovered modified hardware and firmware designed to capture and expose sensitive wallet data. Inside the unit were clear signs of tampering, including scraped chip markings and an embedded WiFi and Bluetooth antenna.
According to the researcher, the scam mechanism specifically targets first-time users. The QR code included in the packaging was meant to direct victims to download a malicious version of the Ledger Live app, which would have displayed a fake “Genuine Check” showing a successful result. By following the on-screen instructions, users would have ended up handing over their seed phrases to the attackers, allowing them to drain funds at any time.
While analyzing the firmware, the researcher put the chip into boot mode. Initially the device identified itself as a Nano S Plus 7704 with an associated serial number. At the end of the boot sequence, however, the name of another manufacturer appeared: Espressif Systems, a publicly listed Chinese semiconductor company headquartered in Shanghai. A genuine Ledger device would not report an Espressif part during boot, so this output alone contradicted the Nano S Plus identity the device presented.
The incident fits into a broader context of increasingly sophisticated scams targeting users who opt for self-custody. Earlier this month, more than 50 victims were tricked into revealing their seed phrases through a fake Ledger Live app that appeared on Apple’s App Store. The victims suffered combined losses of $9.5 million before Apple removed the malicious app.