SCAM ALERT — A Cautionary Tale on the Purchase of Cryptocurrency Wallets from Third Party Vendors

Brian Anderson
Jan 6, 2018

Recently, a Reddit user reported that after he purchased a new Ledger Nano S hardware wallet from a vendor on eBay, all the cryptocurrency he transferred to the unit was mysteriously lost. At first, he thought it was a bug or maybe a glitch with the unit itself. Sadly, this was not the case. He was a victim of a scam. His story is worth retelling as a lesson learned for other cryptocurrency investors.

If you are familiar with hardware wallets, their use and the technology, you can skip down to the “Here is what happened” section. If you want a brief overview of wallets and their relationship to digital currency, this next section is for you.

Wallet Overview

A wallet, in the digital world, is nothing more than a place to store a collection of keypairs. A keypair consists of a “public address or key” and a “private address or key,” both of which are required to encrypt or sign data.

The public and private keys are unique and specific numbers, similar to a street address. If a courier has to deliver you a package from Amazon, he/she must know your house/flat number to deliver it. To receive your package, you have a private address (or key) to unlock the mailbox and collect your package.

A private key is a secret, alphanumeric password/number used to send cryptocurrency, like XRP, to another XRP address. It is a randomly generated, unique 256-bit long number which is generated upon creation of your wallet. The process for doing this is well established, and all wallet developers must follow the strict security protocol of the blockchain.

This is what a Ripple private key looks like: ssWZ3kKf9zgWQpigidFA99MzPL6TsZYY98hWXMfsSzNydYXYB9BR

The public key, like the private key, is an alphanumeric address/number, and it is derived from the private key using established cryptographic calculations. There is not a computer in existence that can easily reverse engineer the private key from which the public key was generated. In fact, even if you had access to the fastest computer in the world and the skills, properly guessing the private key would take billions of years!

The public key is, well… public. It can be shared with anyone and encrypts messages such that only the holder of the private key can decrypt them. The private key is also used to sign messages. Those holding your public key can verify and be assured that the message came from the person who signed the message. Every cryptocurrency (e.g. Bitcoin, Ripple, Litecoin, etc.) address contains a keypair. The public address is what you publish and send to others and the private/secret key stays in your wallet file.

So, what does this mean in terms of a cryptocurrency wallet? In a Hardware or Paper Wallet, this private/secret key is what is stored on the device or printed on the paper. A hardware device, such as the Ledger Nano S, KeepKey and Trezor, is disconnected from the Internet and only accessed via a USB cable to your computer when required. This is often called Cold Storage. Paper is similar — simply print out the private/secret key and file it away.

Caution: These importable keys can be made password protected and stored on a memory stick or hard drive. Safeguard them! If you lose the private key, you will lose all access to your cryptocurrency. No one can help you retrieve them — they are GONE.

Blockchain Overview

The “blockchain” is a distributed database of transaction information that is constantly growing. The storing of transaction data is similar to the concept of storing the financial transactions of a company on an accounting ledger. Except in the case of blockchain, the ledger is not stored in one location; copies of the ledger exist on all computers that are part of the network. To make it work, the blockchain is sent out to all nodes in the network. A send or receive transaction is distributed to the network and, assuming the transaction is valid, will be included in the next “block.” This is where the coins themselves are “stored.” When a transaction is initiated, all prior transactions to or from that address are reviewed and a balance is calculated. If the transaction exceeds this available balance, it will be rejected by the network and will not be included in a block. So, you can’t spoof the network to initiate a bogus transaction to send 1 million XRP to a wallet if the sending wallet never contained that amount. The blockchain has a long memory and the transaction will be invalidated if the numbers don’t match what exists in the blockchain.

It’s also important to note that the blockchain technically doesn’t store “coins.” Technically, all it stores is transactional information. The coins themselves are not actual things that need storage. The pictures of XRP coins are just pictures, as no actual coin or token exists. They do exist in the blockchain as bits and bytes, flying around the Internet. When coins are sent from address A to address B, the blockchain subtracts from A’s balance and adds to B’s balance. This is similar to how money is sent from one bank account to another, as physical money doesn’t actually move. All that happens is an entry is made in the ledgers of both banks confirming the “movement” of your money.

Okay, so now that we are caught up on what wallets are and how they relate to the blockchain, let’s continue with the story…

Here is what happened

The user wanted a secure, off-line hardware wallet to store his keypairs. He chose a Ledger Nano S, one of the best in the market and very difficult to purchase due to demand. Probably thinking he was lucky at the time, he found one available for sale from a seller on eBay. The vendor had good ratings and was selling a brand-new unit.

Here is a picture of the eBay ad:

eBay Listing for Ledger Nano S

To be fair, it is unknown at this time if the seller was an active participant in this scam or was unknowingly duped into selling these Ledger Nano S units. Giving him/her the benefit of the doubt, we’ll just say he purchased them from a middleman who executed the following devious and lucrative scam.

What Happened?

The Ledger Nano S arrived in a sealed box. It was purchased as a new-in-box product and it certainly looked that way to the buyer upon receipt.

After removing the plastic overwrap, he found slips of paper placed inside the box that, at first, looked like genuine instructions from Ledger, the manufacturer.

Here is a picture of the box and what was found inside:

Picture of the Nano S Box
Instruction Slip #1
Instruction Slip #2
Instruction Slip #3

Despite the fact that the footnote says “Thank you for using a ledger Product,” the slips appear to be legitimate instructions from Ledger. The key to the scam is in the third picture, Instruction Slip #2. To understand the importance of that picture requires a quick understanding of how to set up a Nano S.

To successfully set up a Nano S, you first need to connect the device to your computer and enter a 4 digit PIN. The PIN is required to access the features and functions of the device. Once the PIN is established, the Ledger will generate 24 random words (called a seed) that are used as a recovery phrase. Should something happen to the device, the recovery phrase can be used to rebuild the contents onto another device, acting as an effective and secure backup mechanism.

The remaining steps require the user to download the apps required to use the wallet, transfer cryptocurrency to the wallet, and disconnect the device from the computer. At that point, for all intents and purposes, you have effectively and securely stored your information away from prying eyes. Remember, the coins are not on the Nano S, only the Private Key. Once you execute a send transaction, the blockchain records the move of digital currency to your Nano S address, but the coins aren’t physically stored there, only the private key.

Now, the scammer somehow had access to the physical Nano S hardware prior to shipping. He/she entered a PIN code of “5555” and generated the seed. These 24 words were then written on the slip of paper in Picture #3. He/she then put a scratch-off sticker over the seed to give the illusion of authority and normalcy. In fact, what the scammer did was build in a back door such that when the user loaded the device up with over $33K worth of coins, the scammer used the seed to rebuild the private key of the device on his/her own Ledger Nano S. Once this was done, he/she had full access to the hapless victim’s wallet and promptly transferred the contents to another wallet that he/she controls. Although the send transaction is clearly recorded in the blockchain, finding the address that the coins were sent to is difficult, if not impossible. More likely than not, those coins have been converted to fiat currency. It is clear from the eBay seller’s transaction history that other Nano S’s have been sold, and it is probable that those Nanos are similarly tainted.

Recent sales history for the seller
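
Why a pre-printed seed is a complete compromise, shown as an added example (not from the original article or from Ledger): assuming the device follows the public BIP-39 and BIP-32 standards, any device given the same 24 words restores the same master private key, and the PIN plays no part in the derivation. Both phrases below are constructed samples.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample phrases (not from the article; never fund a wallet from them).
PREPRINTED = " ".join(["abandon"] * 23 + ["art"])   # stands in for the slip in the box
SELF_GENERATED = " ".join(["zoo"] * 23 + ["vote"])  # stands in for a seed made after a reset


def bip39_seed(phrase, passphrase=""):
    """BIP-39: stretch the phrase into a 64-byte seed (PBKDF2-HMAC-SHA512, 2048 rounds).

    The device PIN is not an input, so changing the PIN does not change the keys.
    Checksum validation is omitted because it needs the 2048-word list.
    """
    words = unicodedata.normalize("NFKD", " ".join(phrase.split()))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed):
    """BIP-32: HMAC-SHA512(key=b"Bitcoin seed", msg=seed) -> (master private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restore_wallet(phrase):
    """What any compatible device computes on restore: phrase in, master key out (hex)."""
    key, _chain_code = bip32_master(bip39_seed(phrase))
    return key.hex()


def same_wallet(phrase_a, phrase_b):
    """True when two phrases restore to the same master private key."""
    return hmac.compare_digest(restore_wallet(phrase_a), restore_wallet(phrase_b))


if __name__ == "__main__":
    # A copy of the slip, written one word per line, restores the buyer's wallet.
    slip_copy = "\n".join(PREPRINTED.split())
    print("slip copy restores buyer's wallet: ", same_wallet(slip_copy, PREPRINTED))
    # A phrase the device generates after a reset restores a different wallet.
    print("fresh seed restores buyer's wallet:", same_wallet(SELF_GENERATED, PREPRINTED))
```

The only seed that protects funds is one the device generates and displays in front of its owner; a unit that arrives with a PIN already set or a recovery sheet already filled in should be reset before any funds are sent to it.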

There have been other scattered reports of similar issues with vendors on Amazon and eBay.

Ledger’s response is to stress that the devices should only be purchased directly from them or their authorized retailer.

Here is a list of Ledger authorized resellers.

Most cryptocurrency investors prefer to purchase directly from Ledger, avoiding setup scams as listed above or even those that can involve hardware/firmware tampering. The company is based in Paris, France so their pricing is based in Euros. As of 1/5/2018, pricing on their website now includes shipping and handling charges.

For maximum security and assurance of your purchase, you can use my referral link here to purchase your Ledger Nano S. I hope you found this information useful and thank you for your support!

Brian Anderson

Experienced Senior Business Consultant, Biomedical Engineer, Six Sigma Professional, Writer, and Researcher