Ledger A.I CyberSecurity Scoring
Ledger
Company Information
Website: https://www.ledger.com
Employees number: 777
Number of followers: 87,518
NAICS: 541514
Industry Type: Computer and Network Security
Homepage: ledger.com
Ledger Risk Score (AI oriented)
Between 0 and 549
Ledger, Computer and Network Security
Updated: 08/05/2026
515/1000
Critical (C)
Ledger Global Score (TPRM)
Ledger, Computer and Network Security
Score locked
Ledger: Critical
Current Score: 515 C (CRITICAL)
8 incidents
-40.4 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 521
MAY 2026: 515
APRIL 2026: 520
Vulnerability
17 Apr 2026 • Ledger
Espressif Systems and Ledger: Fake Ledger Hardware Wallets on Chinese Marketplaces Steal Crypto Seeds and PINs
Sophisticated Supply Chain Attack Targets Crypto Users with Counterfeit Ledger Wallets
511
LOW-9
ESPLED1776435883
A Brazilian cybersecurity researcher uncovered a large-scale supply chain scam involving counterfeit Ledger Nano S Plus hardware wallets sold on a Chinese marketplace. The fake devices, designed to drain cryptocurrency across 20 blockchains, were engineered with tampered hardware, trojanized software, and cross-platform malware creating a seamless phishing pipeline.
The researcher, u/Past_Computer2901, purchased the device at the same price as the official Ledger store, with packaging that appeared authentic. Suspicion arose only after the device failed Ledger’s Genuine Check when connected to a legitimate Ledger Live installation. A physical teardown revealed the original secure element chip had been replaced with an ESP32-S3 microcontroller, a generic IoT component from Espressif Systems, with its markings scraped off to avoid detection. The counterfeit device also included a WiFi/Bluetooth antenna, absent in genuine Ledger wallets.
Firmware analysis exposed the full extent of the compromise: every PIN entry and seed phrase was stored in plaintext and transmitted to attacker-controlled command-and-control (C2) servers, including the domain kkkhhhnnn[.]com. The fake firmware, labeled "Nano S+ V2.1", a version that does not exist in Ledger’s official releases, was designed to impersonate a legitimate update.
The scam extended beyond the hardware. The counterfeit device shipped with a QR code directing users to a cloned phishing site, where they downloaded a trojanized Ledger Live app. The fake app bypassed security warnings with a hardcoded "Genuine Check" that always returned a success screen, ensuring victims remained unaware of the breach. The malware also exfiltrated wallet data upon use and was distributed across Android, Windows, macOS, and iOS, with the iOS variant spread via Apple’s TestFlight to evade App Store reviews.
Infrastructure analysis linked the operation to a Shanghai-based shell company, with three C2 servers, a cloned website, and a QR code redirect chain. While Ledger’s official Genuine Check can detect the counterfeit device, the scam’s success relied on victims never using the legitimate Ledger Live app.
The researcher submitted a full technical report to Ledger’s security team, with further analysis pending. The attack has already resulted in confirmed financial losses exceeding $9.5 million across more than 50 victims, marking one of the most advanced hardware wallet supply chain attacks documented to date.
MARCH 2026: 516
FEBRUARY 2026: 528
Cyber Attack
01 Feb 2026 • Ledger
OpenClaw, Coinbase, MetaMask, 1Password and Ledger Live: Hackers Use Fake OpenClaw Installer to Steal Crypto Wallet and Password Manager Credentials
Hologram Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer
508
CRITICAL-20
METLED1PACOIOPE1778262200
New "Hologram" Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer
A sophisticated infostealer campaign, dubbed "Hologram," has been active since at least February 2026, targeting sensitive data stored in 250+ browser extensions tied to crypto wallets and password managers. The malware spreads via a fake installer for OpenClaw, a legitimate open-source AI assistant, hosted on a convincing typosquat domain (openclaw-installer[.]com), registered on March 9, 2026.
### How the Attack Works
1. Initial Infection
   - Victims download OpenClaw_x64[.]7z, a 130MB Rust-based executable padded with fake documentation to evade antivirus scans and bypass sandbox upload limits.
   - The dropper, named "Hologram" in its manifest, performs anti-analysis checks, including:
     - Scanning for virtual machine BIOS strings and suspicious software libraries.
     - Waiting for real mouse movement (automated sandboxes don’t trigger this).
   - If checks pass, it disables Windows Defender, opens firewall ports, and downloads six modular components from an attacker-controlled Azure DevOps repository.
2. Credential Theft & Persistence
   - The malware fetches a dynamic targeting list (hosted on Azure DevOps) covering:
     - 201 crypto wallets (MetaMask, Phantom, Coinbase, Ledger Live, etc.).
     - 49 password managers/authenticators (Bitwarden, LastPass, 1Password, Google Authenticator, etc.).
   - The list is remotely updatable, allowing attackers to expand targets without recompiling the malware.
   - Persistence mechanisms include:
     - Registry autoruns.
     - Windows logon hijacking.
     - Scheduled tasks.
     - Telegram-based droppers that survive even if the main implant is removed.
3. Evasive Infrastructure
   - Command-and-control (C2) servers are never hardcoded; instead, the malware retrieves them from Telegram channel descriptions, allowing rapid rotation if domains are blocked.
   - Victim data (usernames, IPs, timestamps) is routed through Hookdeck, a legitimate webhook relay service, obscuring the attacker’s backend.
   - Researchers observed infrastructure rotation during analysis, with domains and IPs changing before findings were published.
### Key Indicators of Compromise (IoCs)
- File Hashes: Multiple Rust-based droppers (e.g., `OpenClaw_x64[.]exe`, `svc_service[.]exe`) and secondary payloads (e.g., `onedrive_sync[.]exe`, `WinHealhCare[.]exe`).
- Domains:
  - `openclaw-installer[.]com` (delivery).
  - `hkdk.events` (C2 relay via Hookdeck).
  - `dev.azure.com/sagonbretzpr` (payload staging).
  - Hijacked Brazilian law firm domain (`frr.rubensbruno.adv.br`) and others.
- IPs: `193.202.84.14`, `45.55.35.48`, `188.114.97.3` (C2 beacons).
- Registry Keys & Paths:
  - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` (logon hijack).
  - `C:\Users\Public\` (stage-2 binary drop location).
  - `%APPDATA%\Ledger Live` (targeted for wallet theft).
### Why This Campaign Stands Out
- Advanced Evasion: Uses Rust-based malware, in-memory .NET assembly loading (via `clroxide`), and Telegram for C2 rotation.
- Dynamic Targeting: The remote Git repository allows attackers to silently expand their target list without detection.
- Persistence: Multiple layers of registry, scheduled tasks, and Telegram-based backdoors ensure long-term access.
Researchers at Netskope Threat Labs identified this as a second, more advanced iteration of the campaign, following an earlier variant. The attack highlights the growing sophistication of infostealers, particularly in crypto and credential theft.
JANUARY 2026: 587
Breach
05 Jan 2026 • Ledger
Ledger and Global-e: Crypto wallet firm Ledger faces new data breach through Global-e partner
Ledger Data Exposure via Third-Party Payment Processor Global-e
524
CRITICAL-63
LEDGLO1767622098
Ledger Customers Exposed in Third-Party Payment Processor Breach
Hardware wallet provider Ledger is addressing a data exposure incident tied to its third-party payment processor, Global-e. The breach, first reported by blockchain investigator ZachXBT on X, involved unauthorized access to Ledger users' personal details—including names and contact information—stored in Global-e’s cloud system.
Global-e detected the suspicious activity and launched an investigation, confirming that an unauthorized party accessed customer order data. While the exact number of affected users and the timeline of the breach remain undisclosed, forensic experts verified the improper access. The company stated that payment information was not compromised.
Ledger clarified that the incident occurred at Global-e, not within its own systems, and emphasized that no hardware, software, or cryptocurrency-related data—such as seed phrases or wallet balances—was exposed. As the data controller, Global-e issued notifications to impacted customers. The breach also affected other brands using Global-e’s services, as the compromised cloud system contained order data from multiple retailers.
This is not Ledger’s first security incident. In 2020, a breach via e-commerce partner Shopify exposed data from 270,000 customers, and in 2023, a hack resulted in nearly $500,000 in losses for decentralized finance applications. Ledger has stated it is collaborating with Global-e to provide updates to affected users.
DECEMBER 2025: 665
NOVEMBER 2025: 684
Cyber Attack
19 Nov 2025 • Ledger
Ledger / Trezor (Cryptocurrency Wallet Providers)
Nova Stealer macOS Malware Campaign Targeting Cryptocurrency Users
664
CRITICAL-20
LED5093550111925
The Nova Stealer malware campaign targets macOS users by replacing legitimate Ledger Live and Trezor Suite cryptocurrency wallet applications with malicious counterparts. The attack begins with a dropper downloading a shell script (`mdriversinstall.sh`) from a C2 server, establishing persistence via a hidden directory (`~/.mdrivers`) and a LaunchAgent (`application.com.artificialintelligence`). The malware operates stealthily using detached `screen` sessions, ensuring survival across reboots.
Key modules include:
- `mdriversfiles.sh`: Exfiltrates wallet data (e.g., Trezor’s `IndexedDB`, Exodus’ `passphrase.json`, Ledger’s `app.json`).
- `mdriversswaps.sh`: Replaces genuine wallet apps with unsigned FAT Mach-O executables (Swift-based) that render phishing pages (`wheelchairmoments[.]com`, `sunrisefootball[.]com`). These pages use BIP-39/SLIP-39 validation to harvest recovery phrases (12–33 words) via keystroke logging (200–400ms debounce) and real-time tracking (`/track` endpoints).
- `mdriversmetrics.sh`: Conducts system reconnaissance (installed apps, processes).
Victims unknowingly interact with counterfeit apps (registered in the Dock via `PlistBuddy`), leading to full compromise of cryptocurrency assets. The modular design allows remote updates, extending the campaign’s lifespan while evading static detection. The attack focuses on high-value targets (crypto users), with potential for mass financial loss and irreversible asset theft due to exposed recovery phrases.
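An added example, not part of this report and not code from Ledger, Netskope or the researchers cited: a defender-side IoC sweep in Python that takes the indicators named in the Hologram section above (the Winlogon Userinit logon hijack, the delivery, relay and staging domains, the C2 IPs, the `C:\Users\Public\` drop location and the listed binary names) and in the Nova Stealer summary (the `~/.mdrivers` directory, the LaunchAgent label, the phishing domains) and runs them over sample inputs. The proxy log lines, registry value, file listings, LaunchAgent labels and home-directory entries are constructed; the only value not taken from the page is the documented Windows default for Userinit, which the registry check uses as its baseline.

```python
"""Defender-side IoC sweep for the Hologram (Windows) and Nova Stealer (macOS)
campaigns summarised on this page. Added example: indicators come from the
page text; every input below is constructed sample data, not real telemetry."""
import re

# Documented Windows default for the Winlogon Userinit value; any extra entry
# is an additional program launched at logon (the Hologram logon hijack).
DEFAULT_USERINIT = r"C:\Windows\system32\userinit.exe,"


def refang(indicator):
    """Turn a defanged indicator ("example[.]com") back into a matchable one."""
    return indicator.replace("[.]", ".")


# Hologram indicators as listed on the page. dev.azure.com itself is
# legitimate; only the full staging path is treated as an indicator.
HOLOGRAM_DOMAINS = tuple(refang(d) for d in (
    "openclaw-installer[.]com", "hkdk.events",
    "dev.azure.com/sagonbretzpr", "frr.rubensbruno.adv.br"))
HOLOGRAM_IPS = ("193.202.84.14", "45.55.35.48", "188.114.97.3")
HOLOGRAM_BINARIES = ("openclaw_x64.exe", "svc_service.exe",
                     "onedrive_sync.exe", "winhealhcare.exe")
# Nova Stealer indicators as listed on the page.
NOVA_DOMAINS = tuple(refang(d) for d in ("wheelchairmoments[.]com", "sunrisefootball[.]com"))
NOVA_LAUNCHAGENT_LABEL = "application.com.artificialintelligence"
NOVA_HIDDEN_DIR = ".mdrivers"


def check_userinit(value):
    """Return every Userinit entry that is not the Windows default."""
    default = DEFAULT_USERINIT.rstrip(",").lower()
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != default]


def scan_proxy_log(lines):
    """Return (line_no, indicator, campaign) for each line touching a known host."""
    hits = []
    for n, line in enumerate(lines, 1):
        low = line.lower()
        for d in HOLOGRAM_DOMAINS:
            if d in low:
                hits.append((n, d, "Hologram"))
        for ip in HOLOGRAM_IPS:
            # Lookarounds so 188.114.97.3 does not match inside 188.114.97.30.
            if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", line):
                hits.append((n, ip, "Hologram"))
        for d in NOVA_DOMAINS:
            if d in low:
                hits.append((n, d, "Nova Stealer"))
    return hits


def scan_windows_paths(paths):
    """Flag the named Hologram binaries anywhere, plus any .exe dropped directly in C:\\Users\\Public\\."""
    flagged = []
    for p in paths:
        parent, _, base = p.replace("/", "\\").rpartition("\\")
        base = base.lower()
        in_public = parent.lower() == r"c:\users\public"
        if base in HOLOGRAM_BINARIES or (in_public and base.endswith(".exe")):
            flagged.append(p)
    return flagged


def scan_macos_persistence(launchagent_labels, home_entries):
    """Flag the Nova Stealer LaunchAgent label and the hidden ~/.mdrivers directory."""
    findings = []
    if NOVA_LAUNCHAGENT_LABEL in launchagent_labels:
        findings.append(("launchagent", NOVA_LAUNCHAGENT_LABEL))
    if NOVA_HIDDEN_DIR in home_entries:
        findings.append(("hidden_dir", NOVA_HIDDEN_DIR))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_PROXY_LOG = [
    "2026-03-10T09:14:02Z user=alice dst=openclaw-installer.com uri=/OpenClaw_x64.7z status=200",
    "2026-03-10T09:16:40Z user=alice dst=193.202.84.14 uri=/beacon status=200",
    "2026-03-10T09:20:11Z user=bob dst=example.org uri=/ status=200",
    "2025-11-19T18:02:55Z user=carol dst=wheelchairmoments.com uri=/track status=200",
]
SAMPLE_USERINIT = r"C:\Windows\system32\userinit.exe,C:\Users\Public\svc_service.exe"
SAMPLE_WINDOWS_FILES = [
    r"C:\Users\Public\svc_service.exe",
    r"C:\Users\Public\Desktop\notes.txt",
    r"C:\Program Files\Ledger Live\Ledger Live.exe",
]
SAMPLE_LAUNCHAGENTS = ["com.apple.example.agent", "application.com.artificialintelligence"]
SAMPLE_HOME_ENTRIES = [".zshrc", ".mdrivers", "Documents"]


def sweep():
    """Run every check over the sample data and return the findings together."""
    return {
        "proxy_hits": scan_proxy_log(SAMPLE_PROXY_LOG),
        "userinit_extra": check_userinit(SAMPLE_USERINIT),
        "windows_files": scan_windows_paths(SAMPLE_WINDOWS_FILES),
        "macos_persistence": scan_macos_persistence(SAMPLE_LAUNCHAGENTS, SAMPLE_HOME_ENTRIES),
    }


if __name__ == "__main__":
    for name, result in sweep().items():
        print(f"{name}: {result}")
```

The Userinit check compares against the full default value rather than looking for known bad names, so it also catches a hijack that uses a binary name not on this page; the same approach (baseline plus allow-list) is what a practitioner would apply to the Run keys and scheduled tasks the Hologram summary lists.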
OCTOBER 2025: 684
SEPTEMBER 2025: 682
AUGUST 2025: 681
Breach
18 Aug 2025 • Ledger
Canadian Investment Regulatory Organization: 750,000 Impacted by Data Breach at Canadian Investment Watchdog
CIRO Data Breach Exposes Personal Information of 750,000 Individuals
591
CRITICAL-90
CIR1768585990
The Canadian Investment Regulatory Organization (CIRO) disclosed a data breach on August 18, 2025, revealing that hackers accessed the personal information of approximately 750,000 individuals in an August cyberattack. The breach stemmed from a sophisticated phishing incident, which led to temporary system shutdowns, though CIRO confirmed its critical regulatory functions remained unaffected.
According to CIRO, the compromised data includes sensitive details such as annual income, dates of birth, government-issued ID numbers, phone numbers, investment account numbers, social insurance numbers, and account statements, information collected during routine regulatory and compliance activities. The organization clarified that passwords, PINs, and security questions were not exposed, as CIRO does not store such data.
While CIRO reported no evidence of data misuse or dark web exposure, it continues to monitor for malicious activity. Impacted individuals, clients and former clients of CIRO dealer members, are being notified and offered two years of free credit monitoring and identity theft protection services. An FAQ page has also been published to provide further details.
CIRO, a pan-Canadian self-regulatory body overseeing investment and mutual fund dealers, stated that the incident is contained with no active threat remaining in its environment. The breach follows a series of recent cybersecurity incidents affecting financial and healthcare sectors globally.
JULY 2025: 679
JANUARY 2024: 663
Cyber Attack
01 Jan 2024 • Ledger
Ledger
13% Increase in Ransomware Attacks on European Organizations (2024-2025)
638
CRITICAL-25
LED1832718110325
In January 2025, Ledger, a Paris-based crypto-wallet vendor, fell victim to a Violence-as-a-Service (VaaS) attack orchestrated by Russia-linked groups Renaissance Spider and The Com. The co-founder of Ledger was kidnapped in France as part of an extortion scheme tied to cryptocurrency theft. The attack was executed via Telegram-coordinated networks, leveraging physical violence, arson threats, and ransom demands. This incident was among 17 recorded VaaS attacks since January 2024, with 13 occurring in France alone, prompting Europol to establish a dedicated taskforce to counter the escalating threat. The attack not only endangered the executive’s life but also exposed Ledger to reputational damage, operational disruption, and potential financial losses due to ransom pressures. The incident underscores the convergence of cyber extortion and physical violence, targeting high-profile individuals in the crypto sector to exploit digital and real-world vulnerabilities.
DECEMBER 2023: 725
Breach
01 Dec 2023 • Ledger
Ledger
Phishing Attack on Ledger Connect Kit Software
661
HIGH-64
LED743221223
The Ledger Connect Kit software of the Paris-based business was compromised by a phishing attempt targeting a former worker.
During transactions using decentralised applications, or dapps, that utilised the compromised software, the hacker released malicious code that routed user funds to their own wallet.
JUNE 2020: 757
Data Leak
01 Jun 2020 • Ledger
Ledger
Ledger Data Breach
680
CRITICAL-77
LED213813123
Major cryptocurrency hardware wallet provider Ledger experienced a data breach.
The company said it was made aware of the breach on July 14 when a researcher participating in its bounty program reached out with details of a potential vulnerability on their website.
While they were able to fix the vulnerability immediately, a further investigation found that an unauthorized third party had carried out a similar action on June 25.
The individual used an API key to access the marketing and e-commerce database the company used to send promotional emails.
This compromised the email addresses of almost one million people.
For a subset of 9,500 customers, details such as first and last name, postal address, and phone number were also exposed.
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Ledger?
What was Ledger's A.I Rankiteo Cyber Score in May 2026?
What was Ledger's A.I Rankiteo Cyber Score in April 2026?
What was Ledger's A.I Rankiteo Cyber Score in March 2026?
What was Ledger's A.I Rankiteo Cyber Score in February 2026?
What was Ledger's A.I Rankiteo Cyber Score in January 2026?
What was Ledger's A.I Rankiteo Cyber Score in December 2025?
What was Ledger's A.I Rankiteo Cyber Score in November 2025?
What was Ledger's A.I Rankiteo Cyber Score in October 2025?
What was Ledger's A.I Rankiteo Cyber Score in September 2025?
What was Ledger's A.I Rankiteo Cyber Score in August 2025?
What was Ledger's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Ledger's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Ledger?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Ledger's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?