Ledger Live software tracks its users and accumulates data about them, according to a report from pseudonymous software developer and privacy advocate REKTBuilder. The developer investigated the software’s Python code and allegedly found that it performs a “genuine device check” every time the user connects their Ledger device to their PC or phone. This check lists every app installed on the device, REKTBuilder claimed, allowing Ledger to know which networks the wallet owner is using.
Ledger Live embeds the genuine check into the apps listing procedure. As it is, they always doxx your device when installing or updating apps and firmware. I removed most tracking in Lecce Libre, but they still track you regardless.
— REKTBuildr (@rektbuildr) December 27, 2023
For the past couple days I'd been trying to… pic.twitter.com/Q1aF1qpjge
REKTBuilder is a pseudonymous researcher who posts to Crypto.bi forums and on X (formerly Twitter). On Dec. 6, they published a report claiming that Ledger Live was recording users’ crypto balances. The following day, they released what they claimed to be a “tracker free” open-source alternative to Ledger Live, called “Lecce Libre.”
REKTBuilder now claims to have discovered an even bigger privacy issue with Ledger Live. According to their Dec. 27 post, they discovered that multiple lines of code contain the phrase “genuine check.” When they added “tracing prints” to this code, they found that it didn't run at the time when the software appeared to be checking the device. With their curiosity piqued, REKTBuilder investigated further and found that the actual check is embedded within a “listApps” subroutine. Ledger can use the check to determine the date and time of every occasion on which a user connects their device, REKTBuilder claimed.
The pseudonymous developer attempted to remove the code, but found that doing so broke the software and made it unusable. This seems to imply that no truly “tracker free” version of Ledger Live can be made.
“I tried disabling the remote tracking and it's impossible, it breaks if you do,” REKTBuilder stated. “Which means Ledger knows it's you every time you plug the device in.”
Despite this alleged privacy issue, REKTBuilder stated on X that they still use Ledger Live because there is “[n]o other HW [hardware] option on native #Avalanche.”
Cointelegraph reached out to Ledger for comment, but did not receive a response by the time of publication.
Ledger is a manufacturer of crypto hardware wallets. It claims that its devices have over 6 million users. In March, Ledger raised $109 million in capital to further expand its operations. In October, it released an optional cloud-based recovery tool for users who feared losing their private keys.