Fake Ledger data breach emails used to trick victims into providing recovery phrases
- New Phishing Email Fraud Posing as Ledger Spotted
- The emails claim that the seed phrase of the user’s Ledger wallet has been compromised, and asks for confirmation
- Users who give up the seed phrase will lose all their money
Criminals are trying to steal cryptocurrency by posing as hardware wallet company Ledger and sending phishing emails.
Victims have reported receiving emails pretending to be from Ledger and claiming that their seed sense (also known as recovery sense or mnemonic) has been affected. To protect their digital assets, victims are invited to “verify the security” of the recovery phrase through the “secure verification tool.”
The email comes with a “Verify my recovery phrase” button that directs people to a “ledger-recovery(.)info” domain via an AWS website. There, users can enter their recovery phrase, which is then stored on a server and passed on to the attackers.
Providing the correct information
A recovery phrase is used to load the contents of a cryptocurrency wallet onto a new device or software wallet. It usually comes as a string of either 12 or 24 random words. Anyone who has access to this phrase also has access to the funds, so it is absolutely crucial that these remain offline, hidden and not shared with anyone.
To ensure they get the real deal, the scammers have added several protections to the phishing page. The site is limited to 2048 valid words that can be entered as part of the mnemonic phrase. Moreover, no matter what the users enter, they get the response that the opening sentence is wrong. This most likely gives victims the opportunity to double their input to confirm that they have provided the correct information.
Phishing emails often had poor grammar and spelling and were usually identified by clumsy, amateurish wording. However, with the introduction of generative AI, this is no longer the case. However, in this case, the clue was in the email address, as it came from the email marketing platform SendGrid. Additionally, the link redirects through an Amazon AWS website, which should also be a warning sign.
It’s impossible to know how many people (if any) fell for the trick, but those who did lost their money permanently.
Via BleepingComputer