Chrome extension cons cryptocurrency users out of hardware wallet key

Cryptocurrency security company Ledger has warned users about a rogue Chrome extension that dupes its victims into giving up the keys to their crypto wallets.

Cryptocurrency owners need a wallet just like users of regular cash do. Instead of cash, however, crypto wallets hold digital keys, which grant users access to the blockchain addresses they need to unlock their funds. Some people write those addresses down on a piece of paper, while others store them in a file on their computer or in a software application that doubles as a wallet. A hardware wallet is a dedicated device for storing them, built to be as difficult to hack as possible.

Launched in 2014, Ledger claims to have sold over 1.5m hardware wallets. There are two available: the Nano S and the Nano X. Both of them connect to an app called Ledger Live that lets users check balances and send and receive coins and tokens.

The app doesn’t contain a user’s private key. Instead, it accesses it from the hardware wallet when the owner wants to manage their crypto assets. To do this, the user connects the hardware wallet device to the app, which is available on Android and iOS, and also as desktop software.

This week, it emerged that a rogue developer published what they said was a Chrome extension version of Ledger Live on the Chrome store. The extension claimed to let Ledger owners use their hardware wallets to access Ledger Live’s functionality directly within Google’s Chrome browser. All they had to do was enter their Ledger wallet’s seed phrase – a string of 24 words that is the only way to recover their private keys if their wallet is damaged or lost.

The Chrome extension was a scam that copied the seed phrase to a Google form. The author could use it to access all the victim’s private keys and take control of their crypto assets using another Ledger wallet.

Ledger warned people of the scam through its support Twitter account yesterday:

This isn’t Ledger’s fault. It’s the app equivalent of phishing, where someone creates a malicious site in a legitimate company’s name and uses it to gather sensitive customer information without the real company having anything to do with it.

On its security support page, Ledger explicitly advises customers not to give up their recovery phrase:

Anyone who gets your recovery phrase can take your crypto assets. Ledger does not store your private keys, nor ever asks for them.

According to ZDNet, over 120 Ledger Live users apparently took the bait. The offending app had been taken down by yesterday afternoon, but this reinforces the need for proper user education about cryptocurrency security and the importance of never giving up your seed phrase.

Companies can produce slick hardware solutions that do everything possible to protect customers, but if users are gullible and willingly enter sensitive information into malicious software from a third party, there’s very little the company can do about it.
