Since the Ledger database was leaked, happy fishing for users has been the order of the day.
More and more Bitcoiners have been receiving unsolicited calls from the UK, Austria, Brazil, or Germany. This is one of the unpleasant consequences of the Ledger leak, in which the private data of 270,000 Bitcoin users was published. We asked around how much the German crypto scene has been affected — and speculate how it could have happened.
Spam emails are now part of everyday life. If you haven’t published your own email address on the net yourself, there was certainly a hack of your provider or a shop where you submitted it. Therefore, most internet users have learned to delete emails if they announce that one has won a lot of money, should help with a transaction, or has been caught watching dirty porn.
The Ledger hack last year, however, took the game to a new level. Last summer, the customer database of the French hardware wallet manufacturer was hacked. It was not only the email addresses of around 270,000 customers but also their postal address and telephone number.
Shortly before Christmas, the hackers have now “dumped” this database in a darknet forum, i.e., published it just like that. Why they did this is still a mystery. But the fact is that with this move, criminals and hackers gained access to the private data of around 270,000 owners of Bitcoins and other cryptocurrencies.
The Ledger wallet is cheap and extremely popular, which is why just about everyone who deals with Bitcoins and other cryptocurrencies owns one. After a brief fanfare in the German crypto scene on Twitter, about 20 people contacted me who were affected by the hack within a few hours. I know another 5 people, and in a thread, in the Coinforum numerous victims are also speaking out. This is probably just the tip of the iceberg. Just about everyone owns a Ledger wallet.
Of those who have a ledger wallet, most, but not all, are affected. It is unknown exactly why this is the case; there is speculation that it has to do with the time of purchase. For instance, I know of people who bought a Ledger in 2017 or 2018 without being inconvenienced after the leak. As far as I know, though, the published databases are complete, so this explanation doesn’t make much sense. Maybe it’s just coincidence? Bad luck and good fortune?
In the summer, a sophisticated phishing email started going around: Allegedly, Ledger informed about a security incident and asked the user to download a new version of the wallet. The mail was well faked. Only a look at the sender showed that it did not come from “ledger.com” but from “legder.com.”
Since the data was published, the frequency of these mails has multiplied: floods of spam mails, with offers of cryptocurrencies, lottery winnings, rich heirs, queens from Nigeria, and so on. Those who have a ledger wallet hopefully have a good spam filter.
More dangerous, however, are the emails that pretend to be from Ledger, and which also turn the user’s need for security against him: Fraudsters copy emails that Ledger has actually sent, but of course, change a link in them; or they inform the user about unauthorized logins or outgoing transactions. And, of course, hackers also try to get into users’ mail accounts. One affected person told me that since the data was published, there have been 100 attempts every week to guess his email password.
But the mails themselves are only the least evil. “What made it more uncomfortable, of course, was that I received not only emails, but also text messages and, most importantly, phone calls,” says one person affected by the leak. He received several text messages announcing, for example, the launch of “Ledger DeFi” and promising LGR tokens, info about unauthorized logins, and an alert about bitcoins being debited from the Ledger account.
But most worrying were the calls that followed. “It goes a bit deeper than that when you’re suddenly talking to a real person.” The calls came from landline phones in Bonn and Berlin. “I wanted to know what was behind it and asked questions without confirming anything myself, neither what my name was nor that I had anything to do with cryptocurrencies.” But he only found out that the callers were pretending to be someone from a trading exchange; when they realized they would get nowhere, they quickly hung up.
One of the most surprising facets of the Ledger hacks is how many criminal organizations seem to exploit the data. For example, in the short survey, I learned that calls are also harassing most of those affected, but from many different phone numbers: Mobile numbers from Germany, landline numbers from Austria, often from Great Britain, sometimes from Brazil, and sometimes from Spain. Some callers pretend to be a trading platform, as in the case above. Others hang up immediately after you answer as if they want to check whether the number is active. The frequency of calls varies greatly: some report more than 10 calls a day, others only a few calls in total.
Most Bitcoiners I know of immediately brush off such calls if they answer at all. So I have no info on what the business model is behind the calls. They may be trying to determine the account number of the person concerned to withdraw money by direct debit.
I also have a report about a text message that refers to a subscription that has been taken out and possibly tries to get one to allow some payment collection. This has only occurred once so far, which again points to the many facets of data use.
For many Bitcoiners, these calls and emails are slowly becoming a nuisance. Some have acquired a new mobile phone number. Others think about it but are reluctant to give up the familiar number and fear that old acquaintances will no longer reach them. In some cases, it’s easy to block the phone numbers that bother you. In others, there are so many that you can hardly keep up.
Many have taken out new email accounts. Some are just annoyed, others a little scared and worried about sim-swaps, for example. Not everyone is a security expert, but after the Ledger leaks, everyone has a reason to worry about their security.
Sim swaps are increasingly being discussed in the English-language Reddit forum r/ledgerwalletleaks. In this case, the attacker tries to have the sim card for the phone number replaced at the mobile phone provider, which allows him to receive and send SMS with the number. Knowing the name and postal address is, of course, a great advantage when impersonating someone else. A sim swap can have dire consequences if one uses 2-factor authorization through SMS to log into banks and stock exchanges.
On Reddit, it is recommended to get a PIN from the mobile phone provider, which is necessary for all sim card changes. So far, there seem to be relatively few sim swaps by Ledger owners, though some are mentioned on Reddit.
But beyond the sim swaps lurks another threat that is even creepier: “Another issue is the fear of real attacks since the home address was also leaked,” someone wrote to me. “Here, I am still looking at how I can best protect myself and the family. Even if the probability is not very high.” Similarly, another person wrote: “I am much more worried [than the emails] about knowing that my address is also included. With family, it’s more of a headache.”
Mails are known from English-language forums in which the postal address is mentioned, and threats are made to receive an unpleasant visit if one does not pay a certain amount in Bitcoin. Such mails do not necessarily indicate a real danger, but they are very worrying.
So far, I am not aware of anyone in the German Bitcoin scene being threatened with violence because of the Ledger hack. My interlocutor mentioned above is not very worried about this: “There are more than 200,000 names in the database, and not every one of them is automatically rich. If someone is really criminal enough to go to someone’s home, they can go straight to a neighborhood where rich people live. I think a text message is sent quickly, but a visit — there’s a lot more inhibition.”
Still, of course, scam calls and spam emails become even more unpleasant when you know that those trying to rip you off also know where you live. Anyone who has moved since ordering a ledger will probably feel safer.
Many people rightly ask how this could happen. It is precisely a company like Ledger, which produces hardware wallets that separate the private keys from the internet at all costs — it is precisely such a hacked company. It is precisely at such a company that the hackers capture a database containing the complete customer data. Who, if not Ledger, should know how to protect itself from such an incident?
Anyone who thinks a little about the subject can think of dozens of ways this could have been prevented: Ledger could delete the private data after delivery. There is no reason why the company would still need the address and phone number now — if it ever did. And if the regulator or the tax office forces Ledger to keep the addresses , why doesn’t it store them offline, like Bitcoins’ private keys? Or why doesn’t Ledger at least encrypt them so that the key needed to decrypt them is offline?
The French company warns its customers about phishing emails and documents spam campaigns it is aware of. After initially being defensive about the hack, hoping it wouldn’t raise so much dust, it is now starting to act more transparently. It apologizes to customers, points out never to enter the seed anywhere, and warns against mails that look like they come from Ledger.
However, as far as I know, the company has not yet explained how it could happen that all the data was in a database connected to the network. It could be because Ledger does not use its own shop, but the third-party provider Shopify; last year, two Shopify employees stole the customer data of 200 online merchants.
This leads to a somewhat ironic, tragic situation. The maker of hardware wallets, which keep private keys away from the internet and any other party at all costs, entrusts its customers’ private data to an insecure third party. “I think the problem was,” says one of the people involved, “that Ledger saw itself as an online shop selling something, rather than a bank. Banks protect customer data as well as funds, so a hardware wallet retailer should do the same.”
The Ledger leaks could be a warning shot to the whole industry to stop treating customer data like other online shops. “Other vendors are responding to this now too, like ColdCard, they’re from Canada. They have to keep the email address, for example, but they will quickly delete the postal addresses and telephone numbers in the future. But the fact that they are only doing it now shows me that it could happen to them just as it did to Ledger.” Perhaps there is something good about the leaks — which is hardly a consolation for those affected.
I share more intimate thoughts in a monthly newsletter that you can check out here. Please let me know in a comment and join me on various social media platforms:
WHATEVER YOU DO, DO IT WITH LOVE AND PASSION!