On January 6, 2017, a Reddit user posted an image to the bitcoin subforum showing a scratch-off card titled “Ledger recovery sheet”, claiming that it was responsible for the loss of £25,000 ($33,860) worth of digital currency. According to another Reddit thread, where the image originally came from, the sheet was shipped alongside a Ledger Nano S hardware wallet that had been purchased from a seller on eBay.
A legitimate Ledger Nano S comes with a blank sheet of paper, not a scratch-off card like the one in the image. This is because the 24-word seed is generated on the device itself and not at the time of production or packaging of the device. Thus, the only explanation in this case is that the eBay seller knowingly repackaged the wallet after initializing it, keeping a copy of the generated words and finally adding a scratch-off card containing the seed.
When the victim received the hardware wallet, he did not suspect anything, as the package was sealed. He unsuspectingly transferred various cryptocurrencies to the compromised wallet, worth around £25,000 ($33,860) in total. However, a few weeks later, the device showed that the funds had disappeared. He only realized that he had been scammed when comments on Reddit pointed out that the scratch card was not an official inclusion.
Even though the incident in question is far from the first reported instance of cryptocurrency fraud, it was quite elegantly executed. Since purchasers of hardware wallets typically have a considerable stake in digital currencies, the individuals who conceived of this fraud could have made significant profits off the misfortune of as few as one or two individuals.
Cryptocurrency fraud and scams of this nature are an alarming reminder for users to verify the authenticity of the software and hardware in which they store any amount of digital currency.
It is also pertinent to note that software wallets, even well-established ones such as Bitcoin Core and Electrum, are not invulnerable to such scams. In the event that a user downloads their software wallet from a compromised server or dubious source, it is possible that the file may contain embedded malware or other modifications designed specifically to either steal the victim’s private keys or the cryptocurrency eventually transferred to that wallet.
Therefore, to safeguard users against software wallets that have been tampered with, it is typically recommended that the program only be downloaded directly from the developer’s official website. Furthermore, before actually launching the downloaded executable file, the user should verify its integrity by checking it against the PGP signature provided by the developer. In the case of Electrum, a popular bitcoin software wallet, one can obtain these signatures on the same webpage that contains the links to download the program.
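The verification step recommended above, as an added example rather than code from the article or from any wallet project: gpg's exit status alone only says that some key in the local keyring made a valid signature, so the check below also requires the developer's pinned fingerprint. The function names, the sample status lines and both fingerprints are constructed for illustration; the real fingerprint must come from the developer.

```shell
#!/bin/sh
# Added example (not from the article): pin a download to one developer key.
# Input is the machine-readable output of:
#   gpg --batch --status-fd 1 --verify FILE.asc FILE

# signed_by EXPECTED_FPR < gpg-status-output
# Succeeds only if a valid signature chains to the pinned primary key and
# gpg reported no bad, expired or revoked signature or key.
signed_by() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$expected" ] || return 2
    awk -v want="$expected" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            # Field 3 is the key that signed (often a subkey); the last
            # field, when present, is the primary key fingerprint.
            fpr = (NF >= 12 ? $12 : $3)
            # Append "" to force string comparison of the hex values.
            if ((fpr "") == (want "")) ok = 1
        }
        END { exit !(ok && !bad) }'
}

# verify_download FILE FILE.asc EXPECTED_FPR
verify_download() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by "$3"
}

# Constructed sample status output; the fingerprints are made up.
SUBKEY=0123456789ABCDEF0123456789ABCDEF01234567
PRIMARY=89ABCDEF0123456789ABCDEF0123456789ABCDEF
GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Developer
[GNUPG:] VALIDSIG $SUBKEY 2017-01-06 1483660800 0 4 0 1 8 00 $PRIMARY"
TAMPERED="[GNUPG:] BADSIG 89ABCDEF01234567 Example Developer"

if printf '%s\n' "$GOOD" | signed_by "$PRIMARY"; then
    echo "good signature from pinned key: accept"
fi
if ! printf '%s\n' "$TAMPERED" | signed_by "$PRIMARY"; then
    echo "modified file: reject"
fi
```

The pinned fingerprint should be obtained over a channel independent of the download page, since a compromised server can replace the file, the signature and the published key together.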
Hardware wallets do not come with the same caveat nor do they have the same potential to be compromised. After all, one of the main selling points of these devices is that they can be securely used even if connected to a virus-laden computer. However, it is of utmost importance, especially in light of the scam mentioned above, that hardware wallets be directly purchased, either from the manufacturer’s website or an official retail channel.
At the time of writing, the CEO and CTO of Ledger have both reached out to the victim from the original Reddit thread and have publicly commented that they will assist him in lodging a formal criminal complaint against the eBay seller.