Fake Ledger Found on Chinese Marketplace


Ledger users are facing a new supply-chain scam after a counterfeit Nano S Plus was found on an unnamed Chinese e-commerce platform. The device failed Ledger’s Genuine Check when it was connected to the real Ledger Live app, prompting the researcher to open it up and inspect the hardware and firmware.

The case shows how self-custody scams are moving beyond fake websites and phishing emails into supply-chain traps that begin with the hardware itself. It also comes just days after blockchain investigator ZachXBT linked a fake Ledger app on Apple’s App Store to about $9.5 million in losses, putting fresh attention on how attackers are targeting new wallet users from several directions at once.

The Fake Device Used Altered Hardware

Posting as ‘Past_Computer2901’ on Reddit’s ‘ledgerwallet’ subreddit, the researcher said the wallet contained an ESP32-S3 chip instead of Ledger’s secure element, had its markings scraped off, and ran custom firmware identifying itself as “Ledger Nano S+ V2.1,” a version the researcher said does not exist. After dumping the flash, the researcher said seed phrases and PINs were stored in plain text and that the firmware was beaconing to a command-and-control domain.

That makes this more than a low-quality clone. The device could generate wallet addresses and display a functional interface because it used open-source wallet libraries, which helped it look legitimate during initial setup. The researcher said the real Ledger Live app still caught the device through cryptographic attestation, which limited the damage in this case.

The Scam Appears to Target New Ledger Users

According to the researcher, the box included a QR code that would send buyers to a malicious Ledger Live download instead of Ledger’s official site. That fake app would then show a bogus verification process and prompt the user to reveal seed phrases, giving attackers the information needed to drain funds later.

Ledger has repeatedly warned users that fake Ledger Live apps remain one of the most common scam tactics in the market and says the only safe place to download the software is from its own website. The company also says a genuine device must pass the Genuine Check during onboarding and when it connects to My Ledger.

The Warning Goes Beyond One Counterfeit Wallet

The episode highlights a growing risk for hardware wallet users. A sealed box and a familiar brand are no longer enough on their own, especially when fake devices are sold at the same price as official ones and come with software flaws built to look normal.

For wallet makers, the lesson is that anti-phishing guidance is no longer enough on its own. For users, the rule is simple and strict: buy hardware only from official channels, install Ledger Live only from ledger.com, and stop immediately if a device fails the Genuine Check.


Fhumulani Lukoto Cryptocurrency Journalist
