Remember: ONLY Buy Cryptocurrency Hardware Wallets from Verified Sellers
The order backlogs for hardware wallet companies like TREZOR and Ledger are usually extensive, so many cryptocurrency investors turn to re-sellers like My Hardware Wallet to get their hardware wallets faster.
Unfortunately, some people get too impatient and turn to re-selling websites like eBay to pick up a TREZOR One or a Ledger Nano S. And doing so is a huge security risk.
That’s because online, peer-to-peer (P2P) re-sellers don’t have to pass the affiliate standards that a company like My Hardware Wallet has to meet in order to do business with Ledger, for example.
That means anyone can start re-selling cryptocurrency hardware wallets on eBay: the good, the bad, and the outright scammers. And make no mistake, scammers have already nabbed victims.
One Redditor, u/moodyrocket, just found this tragic reality out the hard way. That’s because he purchased a Nano S from what appeared to be a reputable eBay seller, only to have £25,000 worth of Ripple (XRP) stolen from the device as the “seller” maintained access to the device’s true 24-word recovery seed.
Now, to be clear, the Ledger Nano S wasn’t hacked or compromised in any technical way; its digital security is and remains enterprise-grade.
Rather, the scammer “socially hacked” the buyer. The scammer initialized the Nano S in question, kept the original recovery seed, and then re-sold it without re-initializing the device. The wallet was still “primed,” as it were.
The conman then printed out a scratch-off recovery sheet that already had the compromised recovery seed on it – the opposite of what should’ve happened, as authentic Ledger hardware wallets ship with a blank recovery sheet for users to fill out themselves.
The buyer missed all the red flags, and then transferred over his personal holdings. Not long afterwards, he checked his wallet again only to find his investments had been drained. £25,000 worth of XRP at the time of the theft and then some.
A devastating turn of events, right? Luckily for the Redditor affected, the scammer used eBay, so it’s likely possible to track down the thief’s identity (unless the thief purchased an old, unrelated seller’s account on the site).
And, even more unlikely, the attacker has seemingly gotten spooked, as u/moodyrocket has since released an update saying his XRP had been returned to his Ledger. The only problem? He still can’t access his funds, in that the 24-word recovery seed he’s been given doesn’t match the original seed the scammer still possesses.
The grand takeaway here, then? Avoid going through a similar nightmare by ensuring you buy your hardware wallets from verifiable, reputable sellers.
Another two points to consider:
Firstly, thanks to the ordeal illustrated above, you know you’re dealing with a compromised device if you receive a scratch-off style, already filled-in recovery sheet. DO NOT use the device if you encounter a scratch-off.
Secondly, the buyer above would’ve known something wasn’t right if he’d watched Ledger Nano S initialization guides online. If you’re buying your first hardware wallet, we recommend you find a reputable video tutorial and make sure everything in your box looks just the same.
Posted by Myhardwarewallet on January 25, 2018 in Crypto, Hardware wallets, Ledger, Security, Trezor