Crypto hardware wallet firm Ledger detects desktop phishing malware

Ledger, the popular hardware cryptocurrency wallet, has detected a phishing malware that targets desktop users. The firm announced the discovery on Twitter, urging their users to be extra vigilant. The announcement read:

“WARNING: we’ve detected a malware that locally replaces the Ledger Live desktop application by a malicious one. Users of infected computers are asked to enter their 24-word recovery phrase after a fake update.”

Ledger further revealed that from its research, the malware was highly targeted, only infecting Windows machines. It had also not spread widely at the time of the announcement, only being detected on one computer. To be safe, Ledger users must not give their recovery phrase to anyone, the firm advised, “It cannot compromise your device or your crypto. It’s only a phishing attempt tricking you in entering your 24 words (never do that).”

Ledger assured its users that it has designed its wallets to withstand such attacks. They wrote, “Hardware wallets have been designed to protect crypto assets against this kind of attacks. Funds are safe unless users themselves give their recovery phrase to the hacker (through social trickery). Education of users is paramount to mitigate this.”

Previously, the Paris-based startup issued guidelines that its users must stick to to protect themselves from such an attack. In its blog post, it warned users against ever giving their 24-word recovery phrase to anyone, even the firm itself. This phrase is meant to enable a user to recover their cryptos in the case of loss or destruction of the physical wallet. It also enables the user to clone the wallet onto a new device, giving them more freedom.

Ledger users should also never store their recovery phrase on a computer or smartphone as hackers can easily compromise these devices.

The firm has been immensely successful and has been earmarked to become Europe’s first crypto unicorn. In 2017, the firm sold over one million devices, posting more than $25 million in profit. Its success has brought many investors on board including Samsung’s venture capital arm, Siemens, Boost VC and the Digital Currency Group.

The current malware isn’t the first time Ledger’s security has been called into question. Last year, a teen digital security expert, Saleem Rashid, reported on his blog that he had unearthed a critical flaw with Ledger’s wallet. According to Rashid, malicious actors could exploit the flaw to steal users’ crypto holdings. Ledger dismissed his claims, but went on to release an update.