Counterfeit Ledger Nano S+ Drains Wallets Across 20 Chains
The post Counterfeit Ledger Nano S+ Drains Wallets Across 20 Chains appeared on BitcoinEthereumNews.com.
A Brazil-based security researcher exposes a counterfeit Ledger Nano S+ operation using malicious firmware and fake apps to drain wallets across 20 blockchains.

A Brazil-based security researcher has exposed one of the most sophisticated counterfeit Ledger Nano S+ operations ever documented. The fake device, sourced from a Chinese marketplace, carried custom malicious firmware and a cloned app. The attacker immediately stole every seed phrase that users entered. The researcher bought the device on suspicion of price irregularities. On opening it, the researcher found its counterfeit nature obvious. Instead of discarding it, a full teardown followed.

What Was Hidden Inside the Chip

The genuine Ledger Nano S+ uses an ST33 Secure Element chip. This device had an ESP32-S3 instead. The chip markings were physically sanded down to block identification. The firmware identified itself as “Ledger Nano S+ V2.1” — a version that does not exist. Investigators found seeds and PINs stored in plain text after conducting a memory dump. The firmware beaconed to a command-and-control server at kkkhhhnnn[.]com. Any seed phrase entered into this hardware was exfiltrated instantly. The device supports roughly 20 blockchains for wallet draining. That is not a minor operation.

Five Attack Vectors, Not One

The seller bundled a modified “Ledger Live” app with the device. The developers built the app with React Native using Hermes v96 and signed it with an Android Debug certificate; the attackers did not bother obtaining a legitimate signature. The app hooks into XState to intercept APDU commands and uses stealthy XHR requests to pull data out silently. Investigators identified two additional command-and-control servers: s6s7smdxyzbsd7d7nsrx[.]icu and ysknfr[.]cn. This is not limited to Android. The same operation distributes a .EXE for Windows and a .DMG for macOS, resembling campaigns tracked by Moonlock under AMOS/JandiInstaller.
An iOS TestFlight version also circulates, bypassing App Store review entirely —…
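As an added defender-side example, not code from the article or from the researcher's own work, the following Python scans DNS resolver log lines for queries to the three command-and-control domains named above (refanged from their bracketed form), matching both the bare domain and any subdomain while ignoring look-alike names that merely end in the same letters. The log line format and the sample lines are constructed assumptions for this example.

```python
import re
from typing import List, Optional, Tuple

# The three C2 domains reported in the article, copied in their defanged form.
DEFANGED_C2 = ["kkkhhhnnn[.]com", "s6s7smdxyzbsd7d7nsrx[.]icu", "ysknfr[.]cn"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator like example[.]com into a real, normalised domain name."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


def matches_c2(qname: str) -> Optional[str]:
    """Return the C2 domain that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")  # DNS names are case-insensitive; drop the trailing root dot
    for c2 in C2_DOMAINS:
        # The leading "." in the suffix test stops "notysknfr.cn" from matching "ysknfr.cn".
        if name == c2 or name.endswith("." + c2):
            return c2
    return None


# Assumed (hypothetical) resolver log format: "<timestamp> client=<ip> query=<name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+)")


def find_c2_queries(log_lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, queried name, matched C2 domain) for every hit in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash the scan
        c2 = matches_c2(m["qname"])
        if c2:
            hits.append((m["ts"], m["client"], m["qname"], c2))
    return hits


# Constructed sample log lines (not real traffic) exercising exact, subdomain, case and suffix cases.
SAMPLE_LOG = [
    "2026-04-18T02:00:01Z client=10.0.0.12 query=kkkhhhnnn.com.",
    "2026-04-18T02:00:02Z client=10.0.0.12 query=api.s6s7smdxyzbsd7d7nsrx.icu",
    "2026-04-18T02:00:03Z client=10.0.0.7 query=ledger.com",
    "2026-04-18T02:00:04Z client=10.0.0.7 query=notysknfr.cn",
    "2026-04-18T02:00:05Z client=10.0.0.9 query=YSKNFR.CN",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_LOG):
        print("C2 query: ts=%s client=%s qname=%s matched=%s" % hit)
```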
Filed under: News - @ April 18, 2026 2:27 am