Ledger users have reported that phishing scammers are spoofing the crypto hardware wallet provider’s support emails in a bid to trick users into revealing their wallet keys.
The bogus emails claim Ledger suffered a “recent data breach” and encourages recipients to verify their private seed phrase under the guise of needing to “safeguard” their assets, according to screenshots shared on X and a Dec. 17 BleepingComputer report.
The email appears to be from Ledger’s legitimate support email, but BleepingComputer reports it was actually sent through an email marketing platform.
Details from Ledger’s spoofed email with phishing links. Source: X
The email leads to a Ledger-branded website that appears legitimate and prompts visitors to “verify your Ledger,” falsely claiming to check if their device has been compromised.
The prompt opens a popup that asks to enter a seed phrase, a combination of words that, if shared, would give the scammers full control over the wallet and allow them to drain its funds.
The legitimate-looking Ledger-branded site asks visitors to enter their private wallet seed phrase.
Ledger responded to an X user concerned about the emails, saying that “scam attempts are an unfortunate part of life online and no one is completely immune.”
“Ledger will never call, DM, or ask for your 24-word recovery phrase,” it wrote. “If someone does, it’s a scam.”
It’s unclear if any Ledger users have fallen victim to the phishing scam. Cointelegraph has contacted Ledger for comment.
The ordeal follows a Dec. 13 incident where another Ledger user reported losing $2.5 million worth of Bitcoin (BTC) and non-fungible tokens despite claiming to have never revealed their seed phrase online.
However, Ledger and other blockchain security firms are adamant the user was lured into a phishing scam in February 2022 and that funds were only recently wiped.
Related: White hat ‘SEAL’ team protecting from crypto hacks surpasses 900 investigations
The codebase of Ledger’s connector library — a tool providing Ledger users access to decentralized finance apps — was compromised in December 2023, allowing an attacker to drain $484,000 from victims.
Phishing scams are expected to increase this holiday season amid more online transactions, security analysts say.
Meta also recently sent a warning to its users, identifying several scam campaigns targeting holiday shoppers from fake Christmas gift box promotions, fraudulent holiday decoration sales and counterfeit retail coupons.
Crypto scammers may be looking to make up ground this holiday season after phishing losses fell 53% month-on-month in November to $9.3 million.
Magazine: ‘SEAL 911’ team of white hats formed to fight crypto hacks in real time