Security Alert: Phishing Campaign Targets Ledger Users — What to Do

We are tracking a coordinated phishing campaign targeting hardware wallet users, specifically those using Ledger devices. Attackers are using spoofed firmware update pages and fake support agents to coax users into revealing seed phrases or approving malicious transactions. If you use a Ledger or any hardware wallet, follow this urgent guidance to secure your funds.

How the phishing works

There are two main vectors in this campaign:

1. Spoofed firmware update sites: Users receive links (often via email or social media) directing them to a site that mimics the official Ledger update page. The site prompts users to download and run a fake firmware tool that requests their seed phrase to "migrate" data — a bogus instruction. Never enter your seed phrase into any website or tool.
2. Impersonation via social platforms: Attackers DM users claiming to be customer support. They ask for screen shares or prompt users to reveal seed words under the guise of "verifying your device." Ledger support never asks for your seed phrase or private keys.

"If a site or support rep asks for your seed phrase, it is a scam — refuse and report immediately."

Immediate actions if you received a suspicious message

• Do not click any links in suspicious messages.
• Do not provide your seed phrase or private keys to anyone.
• Verify the sender’s identity on official channels: check @Ledger or your vendor's verified support pages.
• Clear your browser cache and avoid connecting your hardware wallet on untrusted computers.

What to do if you already revealed your seed phrase

If you've entered your seed phrase into a website or given it over during a call, assume the funds are compromised. Steps to take immediately:

1. Move funds: If you still have access, transfer remaining funds to a brand-new wallet generated with a different seed phrase on an offline, secure device. Use a hardware wallet purchased from a trusted source.
2. Freeze exchange accounts: If you used linked exchanges, contact them to flag accounts and request suspension of suspicious withdrawals.
3. Preserve evidence: Save logs, screenshots, and message threads to assist any law enforcement report you may file.

Recovery strategy and prevention

Recovery often requires moving funds quickly. Use a trusted, air-gapped setup if possible for generating new keys. For long-term prevention:

• Only update firmware from the vendor's official site and confirm firmware signatures when possible.
• Use a hardware wallet with verified firmware attestation flows.
• Never enter seed phrases into software or websites; the phrase should only be used for device recovery, preferably on offline hardware.
• Educate contacts and community members about this campaign to reduce its spread.

How to verify legitimate firmware and support

Legitimate vendors publish firmware checksums and instructions. Cross-check these via the vendor's official domain and social channels. For support, always use contact details from the product's verified website and avoid links sent on social media without verification.

Reporting the scam

Report phishing sites to the hosting provider, and report accounts to the social platforms. File a complaint with local cybercrime agencies if funds were stolen. The sooner you report, the higher the chance of takedown and possible mitigation of attacker activity.

Final recommendations

1. Never disclose seed phrases — ever.
2. Use hardware wallets and keep firmware updated from official sources.
3. Enable transaction review features to catch unexpected contract approvals.
4. Keep a small hot wallet for daily use and reserve the majority of funds in cold storage.

If you suspect compromise and need help with mitigation steps, our incident response team can provide a checklist and guidance on secure migration. Acting fast greatly improves outcomes.