A counterfeit Ledger Nano S Plus device was found to include hidden wireless components designed to extract user seed phrases. The discovery highlights a shift toward hardware-level attacks targeting retail crypto investors.
The device was identified by a security researcher known as “Past_Computer2901,” who purchased it from a Chinese marketplace. Although the packaging and pricing matched official products, the unit failed Ledger’s “Genuine Check” when connected to the Ledger Live application. A teardown revealed unauthorized WiFi and Bluetooth antennas embedded within the device.
Source post: “UPDATE: Fake Ledger Nano S+ from Chinese marketplace — clarifying doubts from my previous post + new technical details,” by u/Past_Computer2901 in r/ledgerwallet.
How Do Tampered Hardware Wallets Steal Seed Phrases?
The attack relies on a deceptive setup flow that mimics legitimate onboarding. A QR code inside the packaging directs users to a fraudulent Ledger Live interface, which bypasses standard warnings and falsely confirms device authenticity. Once users enter or generate a seed phrase, the compromised firmware captures the data, enabling attackers to access funds remotely.
“This isn’t meant to cause panic, but rather to serve as a serious warning,” the researcher said, noting the scale and sophistication of the operation.
Analysis showed that chip markings had been deliberately removed, and the components were ultimately identified as linked to Espressif Systems rather than Ledger’s official hardware stack.
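The setup flow above depends on the user trusting whatever address the packaged QR code opens. The following is an added illustration, not code from the researcher or from Ledger, of a strict check on a decoded QR payload before it is opened. It assumes `ledger.com` is the only trusted domain; the function name and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Assumption for this example: only ledger.com and its subdomains are trusted.
TRUSTED_DOMAINS = {"ledger.com"}

def check_qr_url(payload: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL decoded from a QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username or parts.password:
        # "https://trusted@other-host/" displays the trusted name first
        return False, "credentials in URL hide the real host"
    if port not in (None, 443):
        return False, "non-default port"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalized (possible homoglyph) hostname"
    for domain in TRUSTED_DOMAINS:
        # Exact match or a true subdomain; a bare suffix match would
        # also accept "notledger.com".
        if host == domain or host.endswith("." + domain):
            return True, f"host {host} is under {domain}"
    return False, f"host {host or '<none>'} is not under a trusted domain"

# Constructed sample payloads (not taken from the counterfeit packaging).
SAMPLES = [
    "https://www.ledger.com/ledger-live",
    "http://www.ledger.com/ledger-live",
    "https://ledger.com.setup-wallet.example/start",
    "https://www.ledger.com@setup-wallet.example/start",
    "https://notledger.com/start",
    "https://l\u0435dger.com/live",  # Cyrillic "e" in place of Latin "e"
]

if __name__ == "__main__":
    for url in SAMPLES:
        ok, reason = check_qr_url(url)
        print(f"{'ALLOW' if ok else 'BLOCK'}  {url!r}: {reason}")
```

A check like this only covers the link; it does not replace the Genuine Check, which in the case above is what flagged the device.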

But the broader risk extends beyond a single device. Hardware wallets are designed to keep private keys offline, and any modification that introduces connectivity breaks that core security assumption. Similar attack vectors have emerged in software, including a recent incident where a fraudulent app bypassed Apple App Store checks and led to $9.5 million in losses from more than 50 victims.
Still, the emergence of tampered devices suggests supply chain integrity is becoming a critical vulnerability in crypto security. The next phase will depend on whether manufacturers can strengthen verification mechanisms and whether users shift toward direct purchasing channels to reduce exposure to compromised hardware.