• Home
  • /Learn
  • /Phishing and Data Theft: Lessons from the Ledger Phishing Scam
background image


Phishing and Data Theft: Lessons from the Ledger Phishing Scam


Headquartered in France, Ledger makes hardware cryptocurrency wallets that store private keys offline. The goal is to help users better control their crypto assets and make it difficult for hackers to access the key from online locations. The idea is great. But clever cybercriminals found a way to circumvent it.

In December 2020, Ledger discovered that bad actors had exposed 20,000 customer records, including names, email addresses, postal addresses, and phone numbers. Ledger estimated that 9,500 customers were affected. But later, CoinDesk, a crypto exchange, found that the data dump exposed 1 million customer email addresses, plus 272,000 names, mailing addresses and phone numbers. Moreover, the number of victims was much higher than the original estimate of 9,500.

Ledger has documented the entire timeline of this ongoing phishing campaign. As of this writing, Ledger’s website has a bold notice placed front and center on its home page: “Beware of ongoing phishing campaigns. Scammers are targeting Ledger customers!

Keep reading to learn how your organization can stay safe from Ledger-like phishing attacks.

What is Phishing?

In 2020, 75% of organizations around the world experienced a phishing attack. According to Verizon, phishing was the top “action variety” seen in breaches in 2020. Even the FBI says that phishing was the most common type of cybercrime in 2020. Phishing is now a pervasive and global problem – and Canada is not immune. Statistics Canada found that one-third of Canadians experienced a phishing attack in 2020. Further, the Canadian Anti-Fraud Centre lists phishing as one of the most prevalent scams linked to COVID-19.

Phishing is a type of social engineering attack that uses email as a weapon. Its purpose is to scam users out of data, e.g. their credentials to financial or other websites, credit card numbers, etc.

The attacker sends an email to a victim (or, in many cases, victims) while masquerading as a trusted entity such as a government organization or bank. They embed a malicious link or attachment within the email that, when opened, leads the victim to a malicious site where their data is stolen. In many cases, it may also lead to the auto-installation of malware or give the attacker control over the system. In the latter, they lock the system so the user can’t access their files or data. To unlock these assets, they demand a ransom from the victim.

A Clever Phishing Campaign: Ledger’s Story

The phishing campaign against Ledger customers was a multi-step attack. It started when scammers emailed users to encourage them to download a fake version of the Ledger Live app. The goal was to get them to enter their 24-word recovery phrase to give the scammer access to their crypto. Over the next several months, several other campaigns were also sent to get users to share their recovery phrases.

In other subsequent campaigns, scammers pretended to know customers’ addresses or claimed to have access to compromising pictures or sensitive data. They then demanded ransoms for not publishing these pictures or threatened to invade their homes. Later, emails were sent with fake website links to gather users’ recovery phrases. In January, scammers claimed that Ledger had authorized them to send new hardware wallets to customers. These wallets – accompanied by fake but genuine-looking letters and packaging – were designed to generate the user’s private keys and steal their crypto.

Ledger, Phishing and Lessons Learned for All Organizations

The Ledger phishing scam shows how scammers can cleverly and patiently steal data and compromise users on a massive scale. The event also clarifies several lessons that can help organizations protect themselves from phishing attacks.

For one, they should educate employees on why they must never click on links or download attachments in emails from unknown senders. The awareness campaign should also clarify what they should look out for and how they should respond if they suspect a scam.

However, people are usually the weakest link in any security setup, so it’s vital not to rely on them completely to thwart phishing attempts. It’s even more important to install proper tools and safeguards before such emails arrive in employees’ inboxes. These include:

  • Security software: Antivirus programs, spam filters, web filters and firewalls

  • Update all software with the latest patches

  • Continuously monitor the status of all software and equipment with SIEM, EDR and penetration testing.

  • Use strong encryption for VPN and other remote access tools

  • Schedule regular, automated data backups

  • Enforce strong password policies

  • Deploy multi-factor authentication

Here’s another Packetlabs article about how to prevent phishing attacks by updating DNS settings.

A Final Word

We hope you found value in this article. If you’re worried about your email security, Packetlabs can help. To know how our experts can assist you in protecting your brand, assets, people and data from phishing scammers, give us a call.