Don't enter your recovery phrase! Phishers target Ledger crypto-wallet users

Don’t enter your recovery phrase! Phishers target Ledger crypto-wallet users

Ledger is one of the biggest hardware cryptocurrency walletsaround and scammers have noticed. Phishing mails are in circulation, hoping to snag Ledger users with a sneaky request for passphrases.

What is a Ledger recovery phrase?

A recovery phrase is an incredibly important combination of words that act as the literal keys to your digital crypto kingdom. The phrase is a human-readable version of a private key—a unique secret that must keep private, because it’s the cornerstone of the cryptography that says you own a crypto-someting rather than somebody else.

The Ledger recovery phrase also acts as a backup for everything in your hardware wallet, to the extent that if Ledger ceased operations, you’d still be able to access your crypto-assets via a compatible wallet service. As it put its:

When starting to use your Ledger hardware wallet, you will receive a random set of 24 words. This is also known as your Recovery Phrase. It’s a key element in using a hardware wallet and it must be kept secure and offline at all times.

As we can see, it’s critical to the wellbeing of your digital cash.

What’s the scam?

Phising emails are being sent that refer to a non-existent breach. The “solution” to this breach is to update the 24 word phrase as soon as possible and set up a new wallet PIN.

The mail reads:

If you’re receiving this e-mail, it’s because you’ve been affected by the breach. To protect your assets, please update your 24-Word Phrase and follow the instructions to set up a new PIN for your wallet.Sincerely, Support Team

The mail also provides a link to a website called “Ledgerphrase(dot)com”.

Should you visit the website without the userID included in the email, the page won’t resolve. If you follow any of the links directly from the email, you’ll be greeted with a passphrase update page that asks users to enter their 24-word passphrase:

Anyone progressing past this point is playing with fire and likely to lose all of their crypto-assets.

How to foil the phishers

Ledger has confirmed this is a phishing attempt:

It also provides a list of security measuresto ward off further attempts.

The most important thing to never, ever give anybody your 24 word passphrase. Only ever enter it on your device, and never hand it over to anyone claiming to need it or to websites requesting you enter it. Whether code converter websites, or apps, YouTube livestream giveaways, or even browser extensions claiming to be official products, the advice is still the same.

No matter which form of digital wallet you use, your recovery phrase is your last line of defence to keep bad people away from your funds.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.