TLDR:

- Counterfeit Ledger Nano S Plus devices use ESP32 chips to steal seeds and PINs in plain text format.
- A fake Ledger Live app passed Mac App Store review and drained over $9.5 million from 50+ victims.
- The fraud spans five attack vectors including Android, iOS, Windows, macOS, and physical hardware.
- Ledger’s genuine check feature fails when hardware is compromised at the supply chain source level.

Counterfeit Ledger hardware wallets are at the center of a growing threat targeting cryptocurrency users worldwide. A security researcher has documented a large-scale operation distributing fake Ledger Nano S Plus devices through multiple online marketplaces. The compromised units appear identical to legitimate products but carry entirely different internal hardware. Seeds, PINs, and wallet data are being sent directly to attacker-controlled servers, draining any wallet initialized on the device.

Fake Hardware Hides Malicious Chips and Firmware

The counterfeit devices replace Ledger’s secure element chip with an ESP32 microcontroller. This substitute chip runs modified firmware labeled “Nano S+ V2 1.” Unlike the genuine secure element, this hardware stores sensitive data in plain text. That data is then transmitted to remote servers controlled by the attackers behind the operation.

Beyond the hardware, the campaign also distributes a fraudulent version of Ledger Live. This fake app is built with React Native and signed using a debug certificate. It intercepts transactions and sends sensitive user data to multiple command-and-control servers. Users downloading this version have no visible indication that anything is wrong.

The attack spans five separate vectors: compromised hardware, Android APKs, Windows executables, macOS installers, and iOS apps.

A security researcher just documented a large-scale counterfeit Ledger Nano S Plus operation selling compromised devices across multiple online marketplaces. The fake units look identical to the real thing but contain completely different hardware. Instead of Ledger's secure… pic.twitter.com/6ZfP9pJkUU
— TFTC (@TFTC21) April 16, 2026

The iOS distribution uses Apple’s TestFlight platform to bypass the standard App Store review process. This approach allows the fraudulent software to reach users without triggering typical security checks. Each channel serves as an independent entry point for the same underlying scam.

Ledger’s built-in genuine check feature is designed to verify device authenticity. However, that verification process can be bypassed when the hardware is tampered with at the source. This makes the point of purchase a critical security variable. Buying from unauthorized sellers removes the only reliable layer of hardware-level verification.

Separate Mac App Store Fraud Drained Over $9.5 Million

Separately, on-chain investigator ZachXBT documented another fake Ledger Live app that passed through Apple’s Mac App Store review. That operation alone drained more than $9.5 million from over 50 victims. Among those affected was musician G. Love, who lost 5.92 BTC after entering his recovery phrase into the fraudulent application. The app presented itself as the legitimate Ledger companion software.

These two operations together show a clear pattern in how attackers are targeting hardware wallet users. Rather than exploiting firmware vulnerabilities, they are intercepting users before they reach a genuine device. The fraud happens at the distribution level, not the protocol level. This shift makes user behavior and purchase source more important than ever.

Security best practices remain unchanged despite the evolving tactics. Hardware wallets should only be purchased directly from the manufacturer’s official website. No legitimate wallet software will ever request a 24-word recovery phrase on screen. Any application asking for seed phrase input is running a scam, without exception.

The broader message from both incidents is straightforward. The hardware itself remains secure when obtained through proper channels. The vulnerability now lives in the supply chain and software distribution ecosystem. Staying safe requires equal attention to both where a device is bought and how companion software is sourced.

The post Counterfeit Ledger Devices Found Draining Crypto Wallets Through Supply Chain Fraud appeared first on Blockonomi.