
Ledger users targeted in phishing scam after Global-e data breach

Phishing campaign targets Ledger customers

Ledger users are facing a targeted phishing campaign that’s exploiting a recent data breach. The attack started after Ledger’s third-party e-commerce partner, Global-e, suffered a security incident that exposed customer information. Names, email addresses, phone numbers, and order details were all compromised.

What makes this situation particularly concerning is how quickly the attackers moved. Almost immediately after the breach became public, affected users began receiving phishing emails. These messages claimed that Ledger and Trezor—two competing hardware wallet manufacturers—had merged. It’s a clever tactic, really, playing on users’ trust in established brands.

How the scam works

The fake emails look surprisingly professional. They talk about “strategic discussions” and a “landmark partnership” between the two companies. The language sounds corporate and convincing, which is probably why some people might fall for it.

The real danger comes from what the emails ask users to do. They instruct recipients to “migrate” their wallets by entering their 24-word recovery phrases on a fake website. This is the exact information that gives attackers complete control over someone’s cryptocurrency holdings. Once they have those seed phrases, they can drain wallets completely.
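The lure described above has features a mail filter can key on: a recovery-phrase request, merger or migration wording, and links that only resemble the vendor's domain. The triage sketch below is an added example, not code from Ledger, Global-e or this article; the allowlisted domains, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: allowlist for this sketch; confirm domains against the vendors' own sites.
OFFICIAL = {"ledger.com", "trezor.io"}
SEED_RE = re.compile(r"\b(recovery|seed)\s+phrase\b|\b(12|24)[- ]word\b", re.I)
LURE_RE = re.compile(r"\b(merg(er|ed|ing)|migrat(e|ion)|partnership)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_official(host):
    """Exact or dot-boundary suffix match, so ledger.com.evil.example is rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def body_text(msg):
    """Concatenate every text/* part (plain and HTML) of the message."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            out.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    text = msg.get("Subject", "") + "\n" + body_text(msg)
    hosts = {urlsplit(u).hostname or "" for u in URL_RE.findall(text)}
    stray = sorted(h for h in hosts if h and not is_official(h))
    seed = bool(SEED_RE.search(text))
    reasons = [label for hit, label in (
        (seed, "requests recovery phrase"),
        (LURE_RE.search(text), "merger/migration lure"),
        (stray, "links outside allowlist: " + ", ".join(stray)),
    ) if hit]
    # Any recovery-phrase request is quarantined; two weaker signals go to review.
    verdict = "quarantine" if seed else "review" if len(reasons) == 2 else "pass"
    return verdict, reasons

# Constructed samples (not real messages); the .example host is a placeholder.
PHISH = ("Subject: Ledger and Trezor merger: action required\n"
         "Content-Type: text/plain; charset=utf-8\n\n"
         "Following a landmark partnership, migrate your wallet by entering your\n"
         "24-word recovery phrase at https://ledger.com.wallet-migrate.example/start\n")
BENIGN = ("Subject: Your order has shipped\n"
          "Content-Type: text/plain; charset=utf-8\n\n"
          "Track your parcel at https://www.ledger.com/orders\n")
```

Calling `triage(PHISH)` returns a quarantine verdict with all three reasons, while `triage(BENIGN)` passes. The dot-boundary check in `is_official` is what stops a host that merely begins with or contains the vendor's domain from being treated as official.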

Global-e has launched an internal investigation, working with cybersecurity experts to understand the full scope of the breach. They haven’t disclosed exactly how many users were affected, but they’ve confirmed it was limited to contact and order information. Ledger has notified data protection authorities and is cooperating with law enforcement.

A recurring problem

This isn’t the first time Ledger has dealt with security issues. Back in 2020, attackers accessed their e-commerce and marketing databases, exposing personal information of hundreds of thousands of users. That data leak led to similar phishing campaigns and even threats against affected individuals.

At the time, Ledger faced criticism for how slowly they disclosed the breach and for what many considered inadequate security measures. A lawsuit was filed against them and Shopify, their e-commerce platform partner. It turned out a rogue Shopify employee was responsible for leaking about 20,000 customer records.

Later that same year, another incident occurred where data of approximately 292,000 customers was published online. And more recently, there was a separate security issue where about $600,000 in cryptocurrency was stolen after a wallet drainer was inserted into a library used by multiple decentralized applications.

What users should know

For Ledger users, the key takeaway is simple: never enter your recovery phrase anywhere online. Legitimate companies will never ask for this information. If you receive an email about a merger or any other major change, verify it through official channels before taking any action.

It’s frustrating, I think, that these breaches keep happening. Users put their trust in hardware wallets specifically for security, and when third-party partners get compromised, that trust gets eroded. The phishing emails are getting more sophisticated too, which makes them harder to spot.

Perhaps the broader lesson here is about the security of the entire ecosystem, not just the hardware itself. Third-party partners, e-commerce platforms, marketing databases—they all represent potential weak points. When one link in the chain breaks, it affects everyone downstream.

Users should remain vigilant, especially if they were affected by the Global-e breach. Check your email carefully, look for official communications through Ledger’s verified channels, and remember that no legitimate company will ever ask for your seed phrase.
