Hardware wallets are one of the greatest deals in the cryptocurrency world, providing substantial security for a reasonable price. At least, that’s how it’s supposed to work. But a new eBay scam is turning those dreams of safe, secure crypto coins into a nightmare for some unwary users.Earlier this week, however, a Reddit user named “moodyrocket” discovered that he had lost over £25,000 in XRP, Litecoin and Dash thanks to a compromised Ledger Nano S. Bought from a reseller on eBay, the Ledger appeared to be in factory-new condition, complete with shrink wrap. Unknown to moodyrocket, however, a scammer had replaced the original seed recovery card — a series of random words used to generate the device’s private keys — with a very convincing fake.
“The seeds words … on the card were also pre-installed on my Ledger when I purchased it,” moodyrocket claims. “When setting up the Ledger it never once [asked] me to set up the seed words … Now I understand it is because someone had already done it.”
In addition to activating the Ledger and resealing the packaging, moodyrocket believes that the seed recovery card was also faked, a feat that would require the scammer to produce “legit and very professional” looking scratch-off cards. The scammer was patient as well, waiting nearly four weeks to empty the Ledger’s accounts.
Ledger’s CEO, Eric Larchevêque, responded quickly to the Reddit post, offering to connect moodyrocket with the company’s General Counsel to file a criminal complaint. Unfortunately for moodyrocket, the situation isn’t as easy as tracking down a rogue eBay vendor. The eBay reseller who sold moodyrocket the compromised Ledger has a long and reputable history, and claims to have bought the compromised Ledger from an anonymous seller on Gumtree, a British classified service similar to Craigslist. This could make tracking down the original scammer a serious challenge.
These kinds of eBay-based hardware wallet scams have become increasingly common in recent months, with a similarly compromised Ledger gaining attention only last month. The Ledger team is well aware of the situation, and appears to be proactive about hunting down compromised units and shutting down scammers. As moodyrocket noted on Reddit, “You cannot really blame Ledger for this. I don’t, but I do hope they help me.”
What can you do to avoid buying a compromised hardware wallet and losing your coins? Here are a few tips:
- When possible, buy directly from the manufacturer. Even legitimate resellers may find themselves with compromised units.
- Always check the packaging for signs of tampering.
- New hardware wallets will require you to set your own recovery key seeds. If the recovery seed is already set, or the wallet doesn’t offer you the option to update or change the seed upon initial setup, there’s a very good chance that your device has been compromised.
- Notice something suspicious about your new hardware wallet? Don’t place any coins or tokens onto it! Contact the company directly with your concerns, and allow them to replace the device is something is wrong.
- Never — ever — share your recovery seed or private keys with third parties. Anyone who has access to these keys has full access to your cryptocurrency wallets.