A Ledger user reportedly lost about $1.07 million after receiving a fake physical letter impersonating Ledger Support and entering a recovery phrase on a phishing website.


The visible transfer shows roughly 1.071 million DAI moving out of the affected wallet, matching the loss figure circulating with the incident. The attacker did not need to break Ledger hardware or crack wallet cryptography. Once the victim entered the seed phrase, the wallet could be restored elsewhere and drained like any other compromised self-custody account.
The scam follows a pattern that has become more common in hardware-wallet phishing campaigns. Victims receive a realistic-looking letter, often using Ledger branding, urgent security language, a support-style reference number, or a QR code that points to a fake verification page. The page then asks for the recovery phrase, giving the attacker full wallet control.
Seed Phrase Theft Bypasses Hardware Wallet Protection
A hardware wallet protects private keys during normal signing, but it cannot protect funds after the recovery phrase is handed to a scam site. The recovery phrase recreates wallet access. Anyone who controls it can usually restore the wallet on another device and move assets without the original Ledger device.
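Why the phrase alone is enough, shown as an added example (not from the article and not Ledger's code). It assumes a wallet that follows the public BIP-39 and BIP-32 standards and uses BIP-39's published test mnemonic; the `restore` helper and the device labels are hypothetical. It goes one step beyond the text by showing that an optional BIP-39 passphrase changes the derived wallet.

```python
import hashlib
import hmac
import unicodedata

# BIP-39's published test mnemonic: a constructed sample, never a real wallet.
SAMPLE_PHRASE = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")


def bip39_seed(phrase: str, passphrase: str = "") -> bytes:
    """BIP-39: words (+ optional passphrase) -> 64-byte seed.

    No device serial, PIN or secure-element secret is an input.
    """
    # Whitespace is collapsed here as a convenience; the standard itself
    # only specifies NFKD normalization.
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: seed -> (master private key, chain code) for secp256k1."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore(device_label: str, phrase: str, passphrase: str = "") -> str:
    """Model a restore on any device (hypothetical helper).

    device_label is deliberately unused: nothing about the device matters.
    """
    master_key, _chain_code = bip32_master(bip39_seed(phrase, passphrase))
    return master_key.hex()


if __name__ == "__main__":
    original = restore("original hardware wallet", SAMPLE_PHRASE)
    elsewhere = restore("unrelated software wallet", SAMPLE_PHRASE)
    print("same master key on both:", original == elsewhere)
    hidden = restore("original hardware wallet", SAMPLE_PHRASE, "extra words")
    print("passphrase gives a different wallet:", hidden != original)
```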
Ledger users are already being targeted through physical phishing letters designed to steal recovery phrases. Ledger’s safety rule is direct: any request for a 24-word recovery phrase is fraudulent, whether it arrives through email, social media, a website, a QR code, a phone call, or a printed document.
The latest loss also fits a broader wave of Ledger-themed scams. A previous fake Ledger wallet scheme used counterfeit hardware to steal seed phrases and PINs, while other attacks have relied on fake Ledger Live apps, cloned websites, and urgent update warnings.
The Recovery Phrase Is The Wallet
The most damaging part of this attack is how simple it is. The victim does not need to sign a malicious smart contract, approve a token allowance, install malware, or connect to a DeFi app. Typing the seed phrase into the wrong site is enough.
That makes recovery-phrase hygiene more important than any single wallet brand. A seed phrase should be written offline, stored away from cameras and cloud accounts, and used only when restoring a wallet on a trusted device. It should never be typed into a website or shared with support staff. Understanding how private keys and seed phrases work prevents the core mistake behind many high-value wallet drains.
Anyone who has entered a seed phrase into a suspicious site should treat the wallet as permanently compromised. Changing a password or removing a browser extension will not secure the funds. The safer response is to create a new wallet with a fresh recovery phrase on a clean device and move any remaining assets immediately.
This incident leaves one lesson for hardware-wallet users: the device is only part of the security model. The seed phrase is the master key, and a fake letter can defeat cold storage the moment the user types that phrase into a phishing page.



