Sunday, April 19, 2026

Fake Ledger Devices Show the Hardware Wallet Threat No Longer Ends at the Screen


A cybersecurity researcher posting as “Past_Computer2901” on Reddit said that counterfeit Ledger Nano S Plus devices were being sold through Chinese e-commerce platforms, exposing users to a form of attack that begins before a wallet is even turned on. What makes the discovery especially alarming is the combination of physical tampering and malicious companion software, a pairing that can completely undermine the security assumptions behind hardware-based custody.

The timing added to the concern. The disclosure came only days after reports of a fake Ledger Live application that slipped through Apple’s App Store review process and was linked to roughly $9.5 million in losses from more than 50 victims. Taken together, the two incidents show a broader supply-chain and distribution problem in which attackers are no longer targeting only wallets or apps in isolation, but the entire path users follow from purchase to setup.

The Devices Were Built to Look Real and Behave Dishonestly

According to the researcher’s analysis, the fake devices were convincing on the outside but compromised at both the hardware and firmware level. The secure element used in authentic Ledger products had reportedly been replaced with general-purpose chips identified as ESP32-S3 units, and some components had their markings intentionally scraped. In certain devices, investigators also found hidden Wi-Fi and Bluetooth antennas, indicating the counterfeit units were designed for covert communication rather than secure offline storage.

The firmware made the threat even more direct. It allegedly stored sensitive information such as PINs and recovery phrases in plaintext and was built to transmit that data back to attacker-controlled servers. That means the compromise did not depend on a later phishing step alone; the theft mechanism was already embedded inside the device itself, waiting for the user to trust it.

The Fake Software Completed the Trap

Packaging reportedly included QR codes that sent buyers to cloned websites imitating ledger.com, where victims were offered trojanized versions of Ledger Live for Android, iOS, Windows and macOS. Those counterfeit apps displayed a hardcoded “Genuine Check” success screen, giving users false assurance while quietly harvesting recovery phrases. In effect, the fake device and the fake app were engineered to validate each other, creating a closed-loop deception that was difficult for an average user to spot.
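The QR-code step described above is something a buyer or help desk can check before anything is downloaded. The following is an added example, not code from Ledger or the researcher; it assumes ledger.com (the domain named in this article) is the only official domain, and every sample URL is constructed.

```python
"""Added example: decide whether a URL decoded from a packaging QR code
really points at the official vendor domain."""
from urllib.parse import urlsplit

# Assumption: ledger.com is the only official domain, as named in the article.
OFFICIAL_DOMAINS = {"ledger.com"}


def check_qr_url(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a URL string read from a QR code."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lower-cased, with userinfo and port removed
        _ = parts.port         # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present: text before '@' is not the host"
    host = host.rstrip(".")  # a trailing dot names the same host
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike characters)"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label (possible look-alike characters)"
    for domain in OFFICIAL_DOMAINS:
        # Exact match or a true subdomain; a bare suffix match would also
        # accept hosts such as "notledger.com".
        if host == domain or host.endswith("." + domain):
            return True, f"host is {domain} or one of its subdomains"
    return False, f"host '{host}' is not an official domain"


# Constructed sample URLs, not taken from the reported campaign.
SAMPLES = [
    "https://www.ledger.com/start",
    "https://ledger.com.evil.example/start",  # official name used as a prefix
    "https://ledger.com@evil.example/",       # official name in userinfo
    "http://ledger.com/",                     # plaintext transport
    "https://l\u0435dger.com/",               # Cyrillic 'е' in place of 'e'
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", check_qr_url(sample))
```

A passing result only means the link points at the official domain; it says nothing about whether the device in the box is genuine.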

The practical result was total asset loss for anyone who initialized the device or entered a recovery phrase into one of the malicious applications. That outcome is what makes the incident more than a counterfeit-product story. It shows how hardware wallet security can collapse completely when procurement and software verification fail at the same time.

Security Now Starts With Procurement

The lesson for users is increasingly operational. Security professionals and Ledger representatives have stressed that devices should only be purchased from official sources such as ledger.com or clearly authorized resellers, and that any wallet arriving preconfigured or accompanied by written recovery phrases should be treated as compromised immediately. At the same time, users should never enter a seed phrase into any application and should rely only on the official Ledger Live workflow for verification. In this environment, the source of the device is now part of the security model, not a separate commercial detail.

Platform operators, wallet makers and app distributors are under growing pressure to strengthen reseller controls, improve store-review processes and reduce the likelihood that counterfeit supply can reach end users through mainstream channels. For both retail and professional holders, recovery phrases have once again proven to be the single point of catastrophic failure whenever devices or companion apps cannot be cryptographically trusted.
