Yesterday, I received an email with the subject “Your Ledger Assets Might Be Vulnerable”. Since I do use a Ledger Nano to protect a small portion of my crypto portfolio (I still prefer paper wallets for cold storage), I decided to look into this email more. My first instinct was that this was a phishing email, and I’m glad that I was correct. With that in mind, I wanted to write this blog post in case anyone else may be wondering whether this email is legit or not.

The email I received can be found below.

Subject: Your Ledger assets might be vulnerable
From: noreply@ledger.com-client.email

Dear client,

We regret to inform you that Ledger has experienced a security breach affecting approximately 86,000 of our customers and that the wallet associated with your e-mail address is within those affected by the breach.

Namely, on Thursday, October 29th 2020, our forensics team has found several of the Ledger Live administrative servers to be infected with malware.

At this moment, it’s technically impossible to conclusively assess the severity and the scope of the data breach. Due to these circumstances, we must assume that your cryptocurrency assets are at risk of being stolen.

If you’re receiving this e-mail, it’s because you’ve been affected by the breach. In order to protect your assets, please download the latest version of Ledger Live and follow the instructions to set up a new PIN for your wallet.

Sincerly, Ledger

Download Latest Version

I noticed a few weird things right off the bat.

  • The “from” email address was noreply@ledger.com-client.email. Notice that the top-level domain (TLD) is .email, not .com. It looks like this email was sent from a ledger.com-client.email subdomain instead of the ledger.com domain.
  • “Sincerely” is spelled wrong.

I also tested the “Download Latest Version” link in a secure environment. The link redirected to a clone of Ledger’s software download page, and it actually looked pretty legit. After checking the URL of the page, I noticed it was lędger.com instead of ledger.com – notice the accent under the “e”. Very sneaky.
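Both tricks above (the sender domain that merely starts with "ledger.com" and the accented lędger.com link) can be checked mechanically. The following is an added example, not part of the original email or any Ledger tooling; the function names and the "support.ledger.com" sample are assumptions made for illustration.

```python
import unicodedata
from email.utils import parseaddr
from urllib.parse import urlsplit

TRUSTED = "ledger.com"  # the genuine domain named in the post

def sender_host(from_header):
    """Domain part of the address in a From: header value."""
    return parseaddr(from_header)[1].rpartition("@")[2].lower()

def url_host(url):
    """Hostname of a link target, lowercased by urlsplit."""
    return urlsplit(url).hostname or ""

def to_unicode(host):
    """Show a punycode (xn--) host as the Unicode text a browser may display."""
    try:
        return host.encode("ascii").decode("idna") if "xn--" in host else host
    except UnicodeError:
        return host  # already Unicode, or not valid punycode: leave as-is

def skeleton(host):
    """Drop diacritics: NFKD-decompose, then remove combining marks."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def is_trusted(host):
    """Exact match or a true subdomain; a prefix match is not enough."""
    return host == TRUSTED or host.endswith("." + TRUSTED)

def classify_host(host):
    host = to_unicode(host.lower().rstrip("."))
    if is_trusted(host):
        return "trusted"
    if is_trusted(skeleton(host)):
        return "homograph"   # an accented letter stands in for the ASCII one
    if TRUSTED in skeleton(host):
        return "embedded"    # trusted name is only a prefix of another domain
    return "unrelated"

if __name__ == "__main__":
    # Constructed inputs built from the sender address and hostname quoted in
    # the post; "support.ledger.com" is a hypothetical legitimate subdomain.
    for h in (sender_host("Ledger <noreply@ledger.com-client.email>"),
              url_host("https://lędger.com/"), "support.ledger.com"):
        print(f"{h:28} {classify_host(h)}")
```

Stripping diacritics only catches accented Latin lookalikes such as the one in this email; letters borrowed from other scripts need a confusables table instead.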

If you receive this email, delete it immediately and don’t click on any links. Most importantly, don’t install any of the software the email recommends.