The "firmware update" email
March 2025. A holder in Seattle receives an email from support@ledger-security.com with the subject "Critical security patch — action required within 24 hours." The email is well-formatted, includes the Ledger logo, references the 2020 customer-data breach (which is public information), and links to a "firmware update tool." The tool asks for the 24-word recovery phrase to "verify device ownership before patching."
The phrase goes in. Within 40 minutes, the wallet is drained.
The four-year tail of the Ledger leak
In 2020, a Ledger marketing database was breached. Roughly 270,000 customer email addresses, names, and physical addresses leaked. Five years later, those addresses are still being sold on underground markets, and scammers still send targeted phishing emails to that list. If you bought a Ledger before 2021 from the official store, assume your address and email are on it.
The three rules Ledger states explicitly
- Ledger Live never asks for your 24 words on a screen. The seed phrase is entered only on the device itself, using the device buttons. Any computer screen, browser tab, or email link asking for those words is a scam, 100% of the time.
- Firmware updates happen inside Ledger Live. Not via an email link. Not via a downloaded tool. Open Ledger Live, go to Manager, and updates appear automatically.
- Ledger does not email you with security urgency. Marketing emails, yes. "Patch in 24 hours or your funds are at risk" emails, never.
What the email actually wants
The phishing site is a clone of ledger.com hosted on a lookalike domain that differs from the real one by only a few characters (ledger-security.com, ledger-live-app.com, ledgerwallet-support.com). Hover over the link before clicking. If the domain is not exactly ledger.com, it is a scam.
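The "hover and check the domain" rule is easy to get wrong by eye, so here is an added example (not from the original post) of the check done properly in Python: it extracts the host a browser would actually connect to and rejects the lookalikes named above plus two common tricks (a `ledger.com.` prefix on an attacker domain, and `ledger.com@` userinfo). It treats ledger.com and its own subdomains as official, which is an assumption; the sample URLs and addresses are constructed.

```python
"""Decide whether a link or From: address really belongs to ledger.com.

Added example, not code from the post or from Ledger. Only ledger.com is
assumed official; every sample URL/address below is constructed.
"""
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "ledger.com"


def registrable_host(url: str) -> str:
    """Return the lowercase hostname a browser would connect to.

    urlsplit drops anything before '@' (userinfo), so
    'https://ledger.com@evil.example/' yields 'evil.example', exactly as
    the browser would resolve it.
    """
    if "://" not in url:
        url = "https://" + url  # bare hostname copied from a hover tooltip
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")  # strip trailing dot from FQDN form


def is_official(host: str, official: str = OFFICIAL_DOMAIN) -> bool:
    """True only for the official domain or a real subdomain of it.

    'ledger.com.evil.example' ends with 'ledger.com' as a string but not
    at a label boundary, so a plain endswith() check would be fooled.
    """
    host = host.lower().rstrip(".")
    return host == official or host.endswith("." + official)


def is_official_link(url: str) -> bool:
    return is_official(registrable_host(url))


def is_official_sender(address: str) -> bool:
    """Check the domain after the last '@' of a From: address."""
    _, _, domain = address.rpartition("@")
    return bool(domain) and is_official(domain.strip("<> "))


if __name__ == "__main__":
    for sample in [
        "https://www.ledger.com/ledger-live",       # real
        "https://ledger-security.com/firmware",     # lookalike from the post
        "https://ledger.com.evil.example/update",   # suffix trick
        "https://ledger.com@evil.example/update",   # userinfo trick
    ]:
        print(f"{str(is_official_link(sample)):5} {sample}")
    print(is_official_sender("support@ledger-security.com"))  # False
```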
What I do with these emails
Report to reportphishing@apwg.org, then to Ledger's own phishing report address (phishing@ledger.fr), then delete. Do not click "unsubscribe" — that just confirms the address is live.