Ultimate Resource On Ledger Hardware Wallet (#GotBitcoin?)
French hardware wallet manufacturer Ledger announced that its cryptocurrency management software Ledger Live now supports Ethereum (ETH) ERC-20 tokens.
In a blog post published on Sept. 5, Ledger announced version 1.14.0 of its Ledger Live software, which now supports over 1,250 Ethereum-based ERC-20 tokens. The update has already been released for both mobile and desktop versions of the software.
More Assets To Be Supported In The Future
The Ledger Live application allows users of the company’s hardware wallets such as Ledger Nano S or Ledger X to manage their devices and cryptocurrencies. The firm also promises to add support for more assets in the future:
“While the ERC-20 token integration has brought a plethora of new cryptocurrencies to Ledger Live, we still aim to add even more crypto assets to the platform.”
As Cointelegraph reported, in March Ledger unveiled vulnerabilities in the devices of its direct competitor Trezor. Prague-based crypto wallet manufacturer Trezor, on the other hand, responded to Ledger’s report by claiming that none of these weaknesses are critical.
Ledger Live Adds Support For Tezos And Staking, Adds Features To Hardware Wallets
Hardware wallet manufacturer Ledger has announced the latest version of its Ledger Live application, adding support for Tezos (XTZ) and Tezos staking.
Unveiled last year, Ledger Live is a software solution that allows Ledger hardware wallet users the ability to manage their digital assets via a smartphone or computer. Ledger Live lets users check their cryptocurrency balance and send or receive tokens, while maintaining control of their private keys. Ledger CEO Pascal Gauthier told Cointelegraph:
“Ledger aims to combine security with a seamless user experience. The announcement with Tezos is exactly part of this mission. Ledger Live makes it easy to use crypto, while Ledger hardware wallets provide a high level of security. Ledger Live users can now create or import Tezos accounts, stake XTZ and passively earn rewards.”
From Hardware to Software
While adding support for XTZ creates an additional layer of security for token holders, it is noteworthy that Ledger Live lets users grow their digital assets through staking, which is a way for crypto holders to earn passive income.
XTZ operates on a proof-of-stake blockchain protocol. While Bitcoin and other cryptocurrencies operate using proof-of-work systems — in which miners compete against each other to complete transactions on the network to get rewarded — the Tezos blockchain requires all token holders to participate in securing and maintaining the network.
The aim of Tezos is to help token holders work together to make decisions that will improve the protocol over time. In turn, Tezos rewards users for contributing to the network’s security, a process known as staking (or “baking” in Tezos terminology).
Although staking Tezos is important for maintaining the network, this feature is typically available to users through major cryptocurrency exchanges, like Binance and Coinbase. Yet, according to Gauthier, this has been problematic due to the questionable level of security on these exchanges.
Gauthier pointed out that storing XTZ on a Ledger hardware wallet and then providing users with a platform to stake Tezos creates a much more secure solution. Moreover, he noted that the cryptocurrency industry is heading in a direction where hardware capabilities are being combined with software features:
“Hardware will always be important. Our customers like being able to store their crypto on a Nano, which remains the most secure hardware wallet on the market. But we have to think about where the industry is growing and going – and offering Tezos staking on Ledger Live is a signal that we are moving in a direction where strong UX coupled with less friction, allows customers to interact and transact with their crypto easily, quickly and still securely.”
Staking Tezos is an example of how Ledger Live aims to integrate new services seamlessly within a single application on a smartphone or computer.
“We expect to bring more prominent features via software to our users in the future,” noted Gauthier.
Giving Users More Control
Additionally, since Tezos operates on a proof-of-stake consensus model, users can either participate by staking or by delegating their tokens to those who can stake for them. In order to stake Tezos, users must have at least 8,000 XTZ tokens. However, users can delegate their tokens to a delegation service — known as “bakers” in the Tezos community — without transferring their ownership. This allows all participants the ability to earn the rewards generated, minus the validator’s commission.
Major exchanges that provide Tezos staking also offer a delegation service and typically charge commission fees on all rewards received. Unlike those exchanges, Ledger Live lets users choose who to delegate their tokens to without applying additional fees.
“We’ve been working closely with the Tezos community to make staking more convenient. On major exchanges, users have to do everything themselves, meaning they have to find someone to delegate their coins to or go through a custodian. Ledger Live empowers users to make their own choices by allowing them to choose who to delegate their tokens to. This is part of the nature of our open platform. We want to make sure users can access their entire crypto journey through Ledger Live,” said Gauthier.
How Will The Community React?
While the integration of Tezos is important for Ledger Live to widen the array of services offered on its platform, which currently supports 1,250 ERC-20 tokens, the impact of the development will be measured by its resonance with the Tezos community.
“It will be interesting to see how the Tezos community receives the Ledger partnership,” President and Founder of TQ Tezos, Alison Mangiero, told Cointelegraph. “Right now we have external development teams working on applications that have been integrated into Ledger, but this makes for a much more seamless user experience. It will also be interesting to see new features incorporated into Ledger Live when upgrades are made to the Tezos protocol.”
Ledger Wallet Warns of Fake Google Chrome Extension Stealing Crypto
Major cryptocurrency hardware wallet supplier Ledger has warned its users about another phishing attack trying to steal their crypto — this one using a Google Chrome extension.
In a March 5 tweet, the French crypto company specified that there is a fake extension on Google Chrome browser that attempts to steal users’ crypto by asking them to enter their 24-word recovery phrase to access their wallet.
Ledger Live Gets Removed From The Chrome Web Store
The phishing attack was reported by Catalin Cimpanu, a cybersecurity reporter at business technology news website ZDNet on March 4. According to Cimpanu, the malicious Chrome extension was first discovered by Harry Denley, director of security at blockchain interface platform MyCrypto.
According to the report, the fake Chrome extension is called Ledger Live. It tries to mimic the real mobile and desktop application Ledger Live that allows Ledger wallet users to approve transactions by syncing their hardware wallet with a trusted device.
As of press time, the fake Ledger Live extension had apparently been removed from the Chrome Web Store. According to the report, the phishing extension was downloaded at least 120 times before it was taken down.
Fake Extension Was Advertised By Google Ads
As reported by ZDNet, the malicious extension was trying to mislead users into thinking that it represented the Chrome version of the original Ledger Live app, which would allow them to check balances and approve transactions via Chrome. Users were apparently prompted to install the extension and connect their Ledger wallet to it by entering the wallet’s seed phrase — a backup phrase or word seed used to get access to their wallets.
MyCrypto exec Denley, who first uncovered the phishing attack, reportedly ridiculed the malicious extension by claiming that it makes no sense to install and use such an extension with a hardware wallet that is meant to protect funds by storing cryptocurrency offline.
However, Denley still admitted that he would not be surprised if the fake extension has tricked people, adding that it’s a “big problem in the cryptocurrency area, to teach people their private keys/mnemonics should stay offline.” The malicious extension could apparently have misled some users, taking into account the fact that it was advertised by Google’s online advertising platform Google Ads, as reported by Denley.
In the warning announcement, Ledger emphasized that the platform would never ask its users for their recovery phrase, urging them to never share the 24-word seed phrase or enter it into any device connected to the Internet. This is, however, not the first time that Ledger users have encountered a fake Chrome extension. As reported by Cointelegraph in early January, another malicious Chrome extension stole about $16,000 in privacy-focused cryptocurrency Zcash (ZEC).
Ledger Crypto Wallet Claims Purported Vulnerability Is User Experience Flaw
Ledger’s chief technology officer Charles Guillemet said that the recently revealed vulnerability is nothing more than a user experience flaw.
Leading crypto hardware wallet producer Ledger has denied that its product’s transaction management software featured a double-spend vulnerability.
According to Ledger’s CTO Charles Guillemet, the vulnerability recently revealed by software wallet ZenGo is — in fact — nothing more than a user experience flaw. He illustrated the nature of its hardware wallet companion software Ledger Live to Cointelegraph:
“It’s important to understand that rather than an attack, the actual flaw may be seen more as a clever piece of trickery. Trickery is not a vulnerability. However, we do want to prevent anyone from falling victim to these kinds of clever schemes. […] It’s just a UX issue that could be used by a dishonest product buyer.”
The Claims Are Not New
ZenGo’s claims are closely related to those released by Bitcoin Cash (BCH)-focused firm BitcoinBCH at the end of 2019. At the time, the firm’s CEO Hayden Otto explained in a video how a Bitcoin (BTC) point-of-sale solution misled merchants into believing non-confirmed transactions were final and accepting them.
Like BitcoinBCH, ZenGo noted that Bitcoin’s replace-by-fee (RBF) feature can easily allow users to replace an unconfirmed transaction with a new one with a different target address that has a higher fee. It is worth noting that this feature only makes it easier to leverage the non-finality of unconfirmed transactions, a thing that is harder, but still possible without RBF.
Furthermore, ZenGo’s report also points out that RBF “does not introduce any new vulnerabilities in itself” and instead “it explicitly puts the responsibility on wallet applications and users to identify unconfirmed transactions as unsafe.” This is confirmed by Guillemet:
“We want to thank ZenGo for having responsibly disclosed this issue to us. […] We do want to prevent anyone from falling victim to these kinds of clever schemes. A way to prevent this is of course to make sure that any transaction is first confirmed. Ledger Live is releasing an update on July 2nd. A warning is now displayed on pending transactions.”
ZenGo said that it was awarded a bug bounty for bringing attention to the issue.
Data Breach At Crypto Wallet Firm Ledger Exposes User’s Personal Info
Hardware wallet provider Ledger said its marketing database was breached between June and July.
Major cryptocurrency hardware wallet provider Ledger has alerted customers to a data breach it faced in June and July.
In an email on July 29, the company said it was made aware of the breach on July 14 when a researcher participating in its bounty program reached out with details of a potential vulnerability on their website.
While they were able to fix the breach immediately, a further investigation by the team found that an unauthorized third party carried out a similar action on June 25.
The individual used an API key to access the marketing and e-commerce database the company used to send promotional emails.
According to Ledger, this compromised the email addresses of almost one million people. The firm added that, for a subset of 9,500 customers, details such as first and last name, postal address and phone number were also exposed.
The company claimed the API key used to access the database has since been deactivated.
After investigating the matter in tandem with third parties and confirming the breach, Ledger said it notified the French Data Protection Authority, CNIL. Reassuring their users of their funds’ security, Ledger wrote in a blog post:
“Your payment information and crypto funds are safe […] Regarding your e-commerce data, no payment information, no credentials (passwords), were concerned by this data breach. It solely affected our customers’ contact details.”
The company also said that it is monitoring online marketplaces to find evidence of the stolen data being sold, but has found none so far.
Ledger advised users to be vigilant regarding phishing attempts by malicious scammers and said it would never ask them for their recovery phrases.
A Newly Discovered Vulnerability In Ledger Wallet Could Be Disastrous If Not Properly Fixed
Ledger has failed to fully fix a major vulnerability that allows for a “Bitcoin Fork” attack.
A recent report contends that the Ledger app has failed to fix a major vulnerability that allows for a “Bitcoin Fork” attack.
Mo Nokhbeh has claimed that Ledger’s wallet fails to properly isolate the apps responsible for authorizing the transactions of different assets. This creates a vulnerability where a user’s wallet can be fooled into authorizing a transaction for a less valuable asset — such as Litecoin (LTC), Bitcoin Cash (BCH) or any other Bitcoin fork coin — when in reality, a Bitcoin (BTC) transaction is being released. Nokhbeh told Cointelegraph:
“This app should be isolated such that it only signs for testnet derivation paths. However, sending it a regular mainnet bitcoin transaction will pass. In addition, it will present the TX as if it’s testnet bitcoin, to a testnet bitcoin address.”
According to Nokhbeh, he made Ledger fully aware of this vulnerability, and despite acknowledging it, the company has failed to fix it. Instead, they have chosen to release an update to their existing app that will provide users with a warning prompt if such an exploit is detected.
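The isolation Nokhbeh describes can be expressed as a path check run before signing. The sketch below is an added example, not Ledger's firmware or code from the report; it assumes isolation is keyed on the BIP-44 `coin_type` level using SLIP-0044 values, and the function names are hypothetical.

```python
from typing import List, Tuple

HARDENED = 0x80000000

# SLIP-0044 coin types, found at the second level of a BIP-44 style path:
# m / purpose' / coin_type' / account' / change / address_index
SLIP44_COIN_TYPE = {
    "Bitcoin": 0,
    "Bitcoin Testnet": 1,
    "Litecoin": 2,
    "Bitcoin Cash": 145,
}
ALLOWED_PURPOSES = {44, 49, 84}  # BIP-44, BIP-49, BIP-84


class PathRejected(Exception):
    """Raised when a derivation path must not be signed by the open app."""


def parse_path(path: str) -> List[int]:
    """Parse "m/84'/0'/0'/0/3" into a list of 32-bit child indexes."""
    parts = path.strip().split("/")
    if len(parts) < 2 or parts[0] != "m":
        raise PathRejected("path must start with m/")
    indexes = []
    for part in parts[1:]:
        hardened = part.endswith(("'", "h"))
        digits = part[:-1] if hardened else part
        if not (digits.isascii() and digits.isdigit()):
            raise PathRejected("bad path element: %r" % part)
        index = int(digits)
        if index >= HARDENED:
            raise PathRejected("index out of range: %r" % part)
        indexes.append(index | HARDENED if hardened else index)
    return indexes


def check_path_for_app(app_name: str, path: str) -> List[int]:
    """Return the parsed path only if it belongs to the coin of the open app."""
    expected = SLIP44_COIN_TYPE.get(app_name)
    if expected is None:
        raise PathRejected("unknown app: %r" % app_name)
    indexes = parse_path(path)
    if len(indexes) < 3 or not all(i & HARDENED for i in indexes[:3]):
        raise PathRejected("purpose, coin type and account must be hardened")
    purpose, coin_type = indexes[0] & ~HARDENED, indexes[1] & ~HARDENED
    if purpose not in ALLOWED_PURPOSES:
        raise PathRejected("unsupported purpose %d'" % purpose)
    if coin_type != expected:
        raise PathRejected(
            "coin type %d' does not belong to the %s app (expected %d')"
            % (coin_type, app_name, expected)
        )
    return indexes


def authorize_signing(app_name: str, input_paths: List[str]) -> List[Tuple[str, str]]:
    """Check every input path; an empty result means the request may be signed."""
    rejected = []
    for path in input_paths:
        try:
            check_path_for_app(app_name, path)
        except PathRejected as exc:
            rejected.append((path, str(exc)))
    return rejected


if __name__ == "__main__":
    # Constructed request: the testnet app is asked to sign one mainnet input.
    for path, reason in authorize_signing(
        "Bitcoin Testnet", ["m/84'/1'/0'/0/0", "m/84'/0'/0'/0/3"]
    ):
        print("REJECT", path, "->", reason)
```

A request is refused as a whole if any input path is rejected, so a mainnet input cannot ride along with testnet ones.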
Ledger CTO Discusses Wallet’s Safety After Multiple Security Setbacks
What’s behind Ledger’s tough stint recently? Charles Guillemet, the company’s CTO, responds to all the questions and criticism.
Ledger, one of the crypto industry’s most popular hardware wallet providers, has faced multiple difficulties in recent weeks, including a breach in the company’s customer contact database and a wallet vulnerability putting users’ Bitcoin (BTC) at risk.
Are the recent events simply a summation of a few difficult weeks, or is a larger unraveling at play?
Charles Guillemet, the chief technology officer of Ledger, told Cointelegraph: “As far as the database breach, an attacker got access to a portion of our e-commerce and marketing database through a third party’s API key that was misconfigured on our website, which allowed unauthorized access to our customers’ contact details and order data.”
Ledger’s Data Breached
The breach dates back to June and July 2020. Ledger received a tip on July 14 mentioning the firm’s website and a possible associated weakness, as the report by Cointelegraph detailed.
Although Ledger repaired the issue following the tip, the company discovered that someone had already exploited the weakness on June 25, leading to nearly 1 million leaked email addresses — with 9,500 affected customers seeing other private data leaked, such as their phone numbers and names.
Guillemet said Ledger repaired the issue and disabled the troublesome API key that same day. “In addition, no payment information, credentials (passwords) or crypto funds were impacted,” he added. “This data breach has no link nor impact on our hardware wallets and the Ledger Live application,” he explained.
“Customer crypto assets have always been safe and are not in peril,” he said, crediting Ledger’s device makeup for its security, as it gives authority over funds back to the users.
Jake Yocom-Piatt, the project lead at cryptocurrency Decred, said he was not surprised by the incident, noting companies usually give less attention to their e-commerce database defenses.
“When your core product is secure hardware, it is easy to forget that the security of your e-commerce software system is also important,” he told Cointelegraph, adding: “Many larger organizations view software security as a sunk cost because it falls outside their core product offering, so they cannot market it and extract profit.”
Wallets Had A Software Vulnerability
Shortly following the data breach, Ledger device holders read about another difficulty surrounding their wallet of choice on Aug. 5, as a software vulnerability surfaced. The hole essentially provided a bridge between Bitcoin and its various forks, such as Litecoin (LTC).
Harnessing the flaw, attackers could make a transaction seem associated with one asset, while confirming the transaction on the device would approve a separate transaction for a different asset — unbeknownst to the wallet owner.
Ledger issued a software update the same day, correcting the issue. On Aug. 26, when asked for additional comments, a Ledger public relations representative pointed toward an explanation of the situation on the company’s blog posted on Aug. 5, which explained that a bounty hunter found the vulnerability, leading to Ledger’s mentioned update in response.
“We’d like to assure you that this vulnerability cannot be used to obtain sensitive data like your private keys or recovery phrase,” Ledger clarified in the write-up.
Ledger Wallets Still Effective
Despite the recent difficulties, Ledger wallets remain a popular option for crypto storage. “Ledger and other hardware wallets are a major security upgrade for the average cryptocurrency user because it prevents remote access attacks — e.g., keylogging — from succeeding,” Yocom-Piatt said, adding:
“However, the protection against remote theft that comes with a hardware wallet is typically paired with a distinct decrease in privacy since the hardware wallet supplier can see exactly which coins a wallet controls.”
Twitter user CryptoGainz tweeted out difficulties he faced when working with his Ledger wallets on Aug. 13, citing unreliable software. Although the comment came shortly after the Aug. 5 vulnerability issue, the situation proved unrelated, with CryptoGainz still expressing faith in the wallet company as a crypto storage option.
“They’re a safe way to store crypto, they just suck for trading via metamask on Uniswap,” CryptoGainz told Cointelegraph in a Twitter DM chat, citing an online wallet provider/decentralized application avenue and the latest decentralized exchange trading craze, Uniswap.
Ledger Customer Protection
Although Ledger’s wallets provide parameters for enhanced security, users still must know best practices and tactics for the protection of their assets. “We’re most worried about phishing attempts — emails from scammers pretending to be us,” Guillemet explained.
A phishing scam occurs when a malicious party sends an email, or another form of communication, disguising itself as a different person or company in an attempt to gain private information from the target.
“We’ll never ask our clients for the 24 words of their recovery phrase,” Guillemet said, urging customers to harness two-factor authentication, while also pointing toward educational information on security found on Ledger’s website.
Aside from phishing attacks, Ledger holds safeguards against malware. “Ledger devices are designed to protect users’ funds against malware on users’ computers, including fake Ledger Live applications,” Guillemet explained, referencing Ledger’s desktop application for interacting with wallet devices.
He specified that users should make sure to get the app from Ledger’s official online site or app store.
Yocom-Piatt also spoke on protection against company data breaches, such as the one Ledger suffered. “Since e-commerce systems typically have weak security, I recommend that users ordering these devices have them sent to an address that is not their primary residence,” he said.
Using a different physical address shields customers from exposure of their residence, should such a breach occur, helping guard against potential in-person Ledger wallet device theft. “Also, when possible, you should avoid using the wallet software supplied by the hardware wallet vendor to maximize your privacy,” he added.
Self-custody over assets is a major selling point in the crypto industry, although it requires knowledge and technical prowess. The complexity involved might explain the push for mainstream crypto trading products, such as exchange-traded funds in which companies custody assets for investors.
Ledger Wallet Upgrade Can Prevent ‘Dusting Attacks’
Cold wallet maker Ledger adds more privacy protection to its software suite.
Hardware wallet maker Ledger has recently upgraded its software suite to include more privacy and control over crypto transfers to help prevent ‘dusting attacks’.
A dusting attack is where a malicious actor sends small amounts of Bitcoin to a wallet to break the privacy of users for further attacks.
Ledger Live version 2.11.1 introduces a new feature called Coin Control which gives users the ability to adjust transaction settings to include more privacy or optimal fee usage.
The announcement added that the feature works through its ability to manage Hierarchical Deterministic (HD) wallets, or multiple different Bitcoin addresses. Now, users can select the addresses they want to use for transactions using Coin Control instead of the previous default First-in, First-out (FIFO) method of automatically using the oldest address.
This matters because it prevents third parties tracking those transactions through tiny amounts of BTC, called dust, which are worth less than the transaction fees. This dust can be used to trace the identity of the owner through analysis since these tiny unspent transaction outputs (UTXOs) can accumulate. A large scale dusting attack was carried out on Litecoin users in August 2019.
Ledger stated that with Coin Control, users can simply choose to not use this tiny UTXO, adding:
“As such, they cannot track any movements. In short: it can be a game changer when it comes to your privacy.”
Other features on the software upgrade include an optimization of the network fee structure by allowing users to choose UTXOs with higher value, thus reducing the byte size of the transaction. It also has the ability to select specific addresses for transfers should there be a need to keep payments separated.
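The difference between the old FIFO default and Coin Control can be seen on a small wallet. This is an added example, not Ledger Live code: the wallet contents are constructed, the byte sizes are rough legacy-transaction estimates, and `select_coin_control` stands in for the user's manual choice by skipping dust and preferring larger outputs.

```python
from typing import FrozenSet, Iterable, List, NamedTuple, Set

# Rough legacy (P2PKH) size estimates in bytes; assumptions for illustration.
TX_OVERHEAD, INPUT_SIZE, OUTPUT_SIZE = 10, 148, 34


class Utxo(NamedTuple):
    txid: str
    address: str
    value: int   # satoshis
    height: int  # block height at which the output confirmed (lower = older)


class Selection(NamedTuple):
    inputs: List[Utxo]
    fee: int
    change: int


def is_dust(utxo: Utxo, fee_rate: int) -> bool:
    """True when spending this output costs at least as much as it is worth."""
    return utxo.value <= INPUT_SIZE * fee_rate


def fee_for(n_inputs: int, fee_rate: int, n_outputs: int = 2) -> int:
    """Fee in satoshis for a payment output plus a change output."""
    return (TX_OVERHEAD + INPUT_SIZE * n_inputs + OUTPUT_SIZE * n_outputs) * fee_rate


def _accumulate(candidates: Iterable[Utxo], target: int, fee_rate: int) -> Selection:
    chosen, total = [], 0
    for utxo in candidates:
        chosen.append(utxo)
        total += utxo.value
        fee = fee_for(len(chosen), fee_rate)
        if total >= target + fee:
            return Selection(chosen, fee, total - target - fee)
    raise ValueError("insufficient funds for target plus fee")


def select_fifo(utxos: List[Utxo], target: int, fee_rate: int) -> Selection:
    """Previous default: spend the oldest outputs first, dust included."""
    return _accumulate(sorted(utxos, key=lambda u: u.height), target, fee_rate)


def select_coin_control(utxos: List[Utxo], target: int, fee_rate: int,
                        excluded_txids: FrozenSet[str] = frozenset()) -> Selection:
    """Skip dust and anything the user deselected, then spend largest first."""
    usable = [u for u in utxos
              if u.txid not in excluded_txids and not is_dust(u, fee_rate)]
    return _accumulate(sorted(usable, key=lambda u: u.value, reverse=True),
                       target, fee_rate)


def linked_addresses(selection: Selection) -> Set[str]:
    """Addresses an observer can tie together because they are co-spent."""
    return {u.address for u in selection.inputs}


# Constructed wallet: u2 is a dust output sent by a third party to addr_B.
WALLET = [
    Utxo("u1", "addr_A", 60_000, 100),
    Utxo("u2", "addr_B", 600, 105),
    Utxo("u3", "addr_C", 80_000, 110),
    Utxo("u4", "addr_D", 200_000, 120),
]

if __name__ == "__main__":
    target, fee_rate = 120_000, 10  # satoshis, sat/byte
    for name, pick in (("FIFO", select_fifo), ("coin control", select_coin_control)):
        sel = pick(WALLET, target, fee_rate)
        print(name, [u.txid for u in sel.inputs], "fee", sel.fee,
              "links", sorted(linked_addresses(sel)))
```

With FIFO the dust output is spent alongside two other addresses and the fee more than doubles; with the dust left unspent, only one address appears in the transaction.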
Reddit users applauded the upgrade, with one adding:
“This will make dust attacks useless. Also having the ability not to include small inputs when fees are high is great. I’ve been waiting for this feature. Thumbs up!”
Others asked for more functionality such as the addition of TOR, which is open-source software that facilitates anonymous communications. The addition of personal nodes was also requested as some users have trust issues when using a centralized company like Ledger.
Ledger Wallet Company Passes Official Security Audit
The process was meant to ensure that customer information is handled properly by the company.
Ledger, a crypto company providing a number of hardware wallet solutions, has obtained a successful System and Organization Controls, or SOC, Type 1 test.
Friedman LLP, a New York-based accounting firm, ran the SOC 2 Type 1 test on Ledger, according to a statement provided to Cointelegraph:
“By obtaining the SOC 2 Type 1 report, we are now able to provide an additional layer of verified security to our clients, assuring that the Vault solution is secured at all times and that we have the processes in place to ensure availability.”
A crypto storage solution for larger players and companies, Ledger Vault operates as a custody wing under the broader Ledger company.
The SOC 2 exam analyzes a company’s security by way of an audit, verifying the proper handling of customer information by service-based entities. “As a proof of compliance to the AICPA auditing procedure, SOC 2 Type 1 report shows that a SaaS [software-as-a-service] firm has best practices in place,” a blog post from RSI security explained.
“It gives potential customers the assurance that a service organization has passed the said auditing procedure, and that their data is safe if they work with the SOC 2-compliant company,” the post added.
In contrast, a SOC 2 Type 2 exam raises the bar, testing against more in-depth standards while requiring a longer time horizon for a green light.
During the SOC 2 Type 1 analysis, Friedman investigated Ledger on a number of levels, including its disaster recovery strategy and its security, as well as a host of other technical specifics.
“Receiving this attestation is an achievement as it shows our processes and systems are streamlined, documented and overall secure,” Ledger’s chief technology officer, Charles Guillemet, said in the statement. Next year, the company aims toward securing a SOC 2 Type 2 approval, according to comments in the statement from Ledger CEO Pascal Gauthier.
The exam green light comes after Ledger suffered a database leak several months ago, which exposed customers’ information. The popular hardware wallet company fixed the root of the problem following the incident.
Crypto exchange Gemini announced that it had similarly passed its SOC 2 Type 2 test in January 2020.
Ledger Wants To Help MicroStrategy Secure Its $400M Bitcoin Treasury
Square’s SubZero cold wallet is great, but Ledger Vault is better says the company’s VP of Product.
Ledger is mostly known for its consumer-facing hardware wallets, but since last year, a number of enterprises have also begun to use Ledger Vault, according to the company’s vice president of product, Jean-Michel Pailhon.
This product is focused on providing custody solutions to enterprise clients. In fact, the Ledger team is currently trying to sell MicroStrategy on the advantages of its product.
MicroStrategy is a business intelligence company that made a splash in August 2020 by converting a large portion of its treasury into Bitcoin (BTC). More recently Square, who just acquired $50 million worth of Bitcoin, developed an in-house open-source SubZero framework to secure its assets.
Pailhon said that both employ HSMs, or Hardware Security Modules, for the management of digital assets. HSMs have been used for decades for securing critical data and are generally considered invulnerable.
Though SubZero may be a great framework, Pailhon opined that it’s best suited for tech companies like Square that know how to deploy and manage HSMs. He said that Ledger will set these up for its clients, and that “they don’t necessarily need to know how it works. They just need to use the solution.”
We asked Pailhon to walk us through onboarding a company like MicroStrategy. He said that one of the first steps would be to decide how many people will be involved in authorizing transactions. A typical setup would require 2-of-3 signatures, where perhaps the CEO, chief financial officer, and general counsel hold one signature each.
All the private keys would be stored on an HSM. At the same time, parts of the private keys may be stored in several physical vaults.
When a company officer wants to initiate a transaction, he would log into Ledger Vault and input the desired transaction. Then, a notification would be sent to all three signatories. To approve it, they would have to log in and connect their Ledger Blue hard wallet to their computer.
Finally, they would enter their unique Ledger Blue pin to sign the transaction. There is also an additional layer of protection, which involves one of the signatories choosing to abort the transaction altogether, provided that the minimum number of signatures had not yet been authorized.
Pailhon elaborated that though Ledger provides the backend and takes care of the HSM infrastructure, the client acts as its own custodian. This may present a problem as some companies may be required by law to use a regulated custodian. He explained that this does not present a real challenge though:
“If you need a regulated custodian, you can ask a regulated entity to become one of the signees in the transaction process.”
Meanwhile, MicroStrategy has not named its Bitcoin custodians, though it publicly acknowledged the associated risks:
“While we hold the bulk of our BTC assets with established cryptocurrency custodians, a successful security breach or cyberattack could result in a partial or total loss of our BTC assets in a manner that may not be covered by insurance or indemnity provisions of our custody agreements with those custodians.”
Ledger’s Recent Security Audit Was Unconnected To Their Data Breach In June
It seems the review was already in process before the attack ever occurred.
Popular hardware wallet company Ledger recently announced that they had passed a notable security evaluation, known as SOC 2 Type 1. This certification came following a significant data breach the company suffered in June. Ledger did not, however, decide to conduct its security audit because of the breach, according to comments from a Ledger representative.
“Ledger is always seeking to raise the security standards and has been working on getting the attestation prior to the data breach,” the representative told Cointelegraph.
News of Ledger’s completed SOC 2 Type 1 audit came in October, essentially giving the market a level of confidence based on a trusted mainstream security benchmark.
“The SOC II attestation refers both to the System, in this case, Ledger Vault only, and the Organization: Ledger as a whole,” the representative explained. “Hence, if the SOC 2 Type 1 only applies to Ledger Vault, the Ledger organization as a whole has been audited (onboarding of collaborators, third party interactions, etc.).”
Ledger was made aware of a database weakness in July, which they quickly patched. The company, however, also uncovered a previous large data breach that occurred in June, which leaked thousands of customers’ names, addresses, and other potentially sensitive information.
Kristy-Leigh Minehan, former CTO of Core Scientific, told Cointelegraph: “SOC2 Type 1 is about assessing the design of a security process (or processes) at a specific point in time (or, as of a specified date).” She clarified:
“They would only be evaluated up until the point when they executed it, not necessarily when they were awarded it.”
Ledger Owners Lose 1.1 Million XRP To Scam Site
After a major leak of email and personal information earlier this year, Ledger customers are experiencing a surge in phishing attempts.
Phishing attempts and scams against Ledger wallet owners are on the increase with one such scam netting more than 1,150,000 XRP from its victims.
The scam used a phishing email that directed users to a fake version of the Ledger website that substituted a homoglyph in the URL — in this case a letter that looked like the letter ‘e’ but wasn’t. On the fake site, victims were fooled into downloading malware posing as a security update which drained the balance from their Ledger wallet.
I got a txt message last night with my full name saying ledger security alert….to download the security update. Deleted it instantly
— Kris Leslie (@Krissy1097) November 2, 2020
According to community run fraud awareness site xrplorer, the XRP collected from the scam was sent to Bittrex across five deposits, but the exchange was “unable to seize [the XRP] in time.”
In a similar ongoing scam, a phishing email that appears to be sent from the official account for “Team Ripple” appeals to Ledger users by offering an XRP giveaway to “whitelisted addresses” as part of a “Community Support Program.” The registration process involves handing over your Ledger seed phrase or crypto private key in order to qualify for the non-existent program.
In an email to customers sent on Jul. 29th of this year, Ledger acknowledged that it had been the victim of a data breach in which close to a million email addresses were compromised, along with the personal details of a subset of 9,500 customers.
Although the vulnerability leading to the leak on the Ledger website was quickly patched, the damage had already been done, and scammers appear to be coming up with creative ways to use the addresses to trick Ledger users into giving up their coins.
The idea of crypto credential phishing via homoglyph-containing URLs is not new and scams employing this tactic have been targeting XRP holders across the course of the entire year, even before the email leak.
In 2018, scammers set up a fake Binance site, complete with an SSL certificate. However, eagle-eyed users noticed the ‘n’ had been replaced with a version that included an underdot (ṇ).
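A mail or web filter can catch look-alike hostnames of this kind by reducing each hostname to a plain-ASCII "skeleton" and comparing it with the brands it protects. This is an added example, not taken from the reports above: the watch list, the confusables subset and the sample message are constructed, and a production filter would use the full Unicode confusables data (UTS #39).

```python
import re
import unicodedata
from typing import List, Optional, Tuple

PROTECTED = ("ledger.com", "binance.com")  # constructed watch list

# Small constructed subset of cross-script look-alikes (Cyrillic and Greek).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u03bf": "o",
}

URL_HOST = re.compile(r"https?://([^\s/:?#]+)", re.IGNORECASE)


def to_unicode(host: str) -> str:
    """Lower-case the host and decode punycode (xn--) labels for inspection."""
    host = host.strip().rstrip(".").lower()
    if host.isascii() and "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable punycode is compared as typed
    return host


def skeleton(host: str) -> str:
    """Drop combining marks (the underdot) and map known look-alike letters."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(host))
    return "".join(
        CONFUSABLES.get(ch, ch) for ch in decomposed if not unicodedata.combining(ch)
    )


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected domain this host imitates, or None."""
    shown = to_unicode(host)
    reduced = skeleton(host)
    if reduced == shown:
        return None  # nothing was disguised; genuine hosts end up here
    for brand in PROTECTED:
        if reduced == brand or reduced.endswith("." + brand):
            return brand
    return None


def scan_message(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, imitated brand) for every look-alike URL in a message."""
    hits = []
    for host in URL_HOST.findall(text):
        brand = lookalike_of(host)
        if brand:
            hits.append((to_unicode(host), brand))
    return hits


# Constructed message: the first URL uses U+1EB9 (e with dot below).
SAMPLE_MESSAGE = (
    "Ledger security alert: download the security update at "
    "https://www.l\u1eb9dger.com/update today. "
    "Questions? Visit https://www.ledger.com/support"
)

if __name__ == "__main__":
    for host, brand in scan_message(SAMPLE_MESSAGE):
        print("look-alike of", brand, "->", host.encode("idna").decode("ascii"))
```

The check covers only character substitution; hostnames that merely contain a brand name in plain ASCII need a separate rule.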
In March, creators of a fake Google Chrome extension for Ledger managed to steal 1.4 million XRP in less than a month.