A large quantity of highly-sensitive data of more than one million customers of leading cryptocurrency hardware wallet producer Ledger is now readily available to the public.
A user on a hacking forum reuploaded the data stolen from Ledger’s servers. The leaker claimed that he saw the same data being sold for five bitcoins—currently well over $100,000—which angered some other sketchy users.
One of them called him a “braindead monkey” and explained his frustration: “People are buying this for nearly 6 figs rn and you just leak it like this.”
One of the two files contains more than one million email addresses of users subscribed to the firm’s newsletter. This data could be used for a large-scale phishing attack targeting crypto users—most of whom are expected to also own Ledger devices.
The content of the second file is much more unsettling. This document contains all the data of nearly 273,000 orders—including full name, physical address, email address, and phone number. This data could be used for more advanced scams or as the basis for identity theft (which in most cases would require more user data).
Worryingly, it also gives criminals the home addresses of people who own enough cryptocurrency to justify spending $60 to $120 on a hardware wallet.
The firm itself warns its users to beware of ongoing phishing campaigns against its customers, noting that it has documented and reported more than 170 phishing sites.
But, one of the most recent emails documented highlights the real danger. It read:
“Scammers pretend to know your address and demand a ransom to not invade your home. As you can see these are ‘generic’ threatening emails playing on your fear to steal your crypto assets.”
Real addresses, real danger
Twitter user OMGBTC published an analysis of where the customers that saw their order data leaked are located on Dec. 20. According to his tweet, more than 91,000 customers are located in the United States, 23,000 in Germany, 21,000 in the United Kingdom, 16,000 in France, 12,000 in Canada, and 11,000 in Australia. OMGBTC warned:
“This is a massive headache for anyone that is on this list. Doing a filter via ZIP code was able to find 50-100 people within a 30-mile radius.”
Hudson Rock cybercrime intelligence firm CTO Alon Gal warned in a tweet:
“This leak holds major risk to the people affected by it!”
Noting that Ledger buyers are likely to have crypto holdings worth a lot of money, he warned that they “will now be subject to both cyber harassments as well as physical harassments in a larger scale than experienced before.”
It’s not a theoretical threat. In 2017, Reuters reported that Pavel Lerner, a Ukraine-based employee of a U.K.-based cryptocurrency exchange, was kidnapped by gunmen and only freed after a $1 million ransom was paid. And earlier this year, a Singaporean businessman was kidnapped and tortured until he turned over nearly $750,000 in bitcoins, the South China Morning Post reported on Jan. 14.
In response to a Ledger Twitter thread apologizing for the hack, user @Wonderi04984307 asked: “Um, so do criminals have my home address ? What the hell ? Are they going to start coming to peoples houses to find their ledger device? Like wtf man.”
User @paul_smith2000 was more blunt:
He also posted a more tongue-in-cheek comment:
Ledger accused of irresponsible conduct
The current leaker expressed frustration with Ledger over the data leak. He claimed that the company did not take full responsibility for the data breach that it suffered this summer and lied, telling users that their data was not affected. Using colorful language, he pointed out the contrast between the firm’s conduct and the philosophy behind Bitcoin:
He said the firm was “telling people with a target on their back in support requests that they were not affected in this data breach yet they actually were. So not only they lied about the amount of leaked information, they were still lying about it even after. Reminder: Bitcoin meant to increase privacy, but seems like one of the largest and “secure” bitcoin players don’t [care] about the way they store data.”
Ledger adds credibility to the claim that this is the data stolen in the hack that the company suffered in June. In a Dec. 20 Twitter thread, the firm notes that “early signs tell” it “that this indeed could be the contents of our e-commerce database from June, 2020.”
Multiple users claimed that the company lied after the situation and said they were receiving phishing attempts multiple times a day, with one angry user answering:
“Thanks for lying to me through support about my information not being included in the data leak, only for me to discover I actually was a part of this months after…”
This is not the first data leak that severely affected members of the cryptocurrency community. As Modern Consensus reported in late August of last year, Binance compensated the 60,000 customers who saw their documents leaked with lifetime VIP status — which brings a 10% discount on trading fees.