The "free upgrade" email that arrived by mail
July 2024. A Ledger customer in San Francisco receives a physical letter — addressed correctly, with Ledger branding — informing him that his Nano X is being replaced under a "free security upgrade program" due to the 2020 data leak. Two weeks later a package arrives with what looks like a new Ledger Nano X. He sets it up, types his existing 24 words "to migrate funds" (per the included instructions). The new device works fine. Three days later, his entire portfolio is gone.
The physical-mail layer of attack
The 2020 Ledger customer database leak exposed 270,000 mailing addresses. Five years later, scammers are still mining that list. Sending a physical package costs $5–10 per attempt, and a convincing fake hardware wallet costs around $15 to produce, so each mailing runs $20–25 and covering the whole list costs roughly $5–7 million in postage and devices; call it a $10M operation with overhead. A 1% conversion rate on 270,000 addresses is 2,700 victims, and at an average loss of $20,000 that is $54 million in expected take. The math is brutal, which is why the list is still being worked.
The four rules
- Hardware wallet manufacturers never mail replacement devices unsolicited. Ledger does not. Trezor does not. Coldcard does not. If a device arrives that you did not order, it is a scam regardless of how authentic the packaging looks.
- The 2020 leak is now five-plus years old. No legitimate "remediation program" runs five years after the original incident. Ledger's actual response — at the time and since — has been email apologies and security improvements, never physical device replacements.
- No legitimate migration ever asks you to type your seed into a device you did not buy and verify yourself. A genuine restore is typed on the device's own screen, never on a computer, and only into hardware purchased directly from the manufacturer. Typing your existing 24 words into an unsolicited device hands the seed to whoever built it: the words determine every key, so the "new" device and the attacker derive exactly the same addresses, and the funds are theirs to sweep whenever they choose. And if you have reason to suspect the old seed is compromised, transcribing it to new hardware fixes nothing. The answer to a compromised seed is a fresh seed generated on a verified device, with funds moved via Ledger Live to addresses derived from that new seed.
- Verify any "official communication" through the manufacturer's website, reached by typing the address yourself rather than following a link or QR code printed in the letter. Open ledger.com/recall or ledger.com/security and look for the program. If it is not there, the letter is fake.
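The reason a transcribed seed cannot "migrate" anything is that the words are the keys. The block below is an added example, not code from the page or from Ledger, that implements the two standards every such wallet follows (BIP39 words-to-seed and BIP32 hardened child derivation, using only the Python standard library) and then models the scam: the victim's words typed into the fake device and the attacker replaying the same words later yield the identical account key, while only a freshly generated mnemonic yields a new one. The mnemonics are the public BIP39 test vectors, not anyone's wallet; the derivation path m/44'/60'/0' is the standard Ethereum account level and is an assumption here, chosen because hardened levels need no elliptic-curve point math. Real wallet addresses sit two non-hardened levels deeper (m/44'/60'/0'/0/0), which this block does not implement.

```python
from __future__ import annotations

import hashlib
import hmac
import unicodedata

# secp256k1 group order; hardened child keys are added modulo this (BIP32).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: 2048 rounds of PBKDF2-HMAC-SHA512 over the NFKD-normalised words.

    Nothing here depends on which device runs it: same words, same 64-byte seed.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode(), salt.encode(), 2048, dklen=64)


def bip32_master(seed: bytes) -> tuple[int, bytes]:
    """BIP32 master node: HMAC-SHA512 keyed with the literal string 'Bitcoin seed'."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key = int.from_bytes(digest[:32], "big")
    if key == 0 or key >= SECP256K1_N:
        raise ValueError("invalid master key (astronomically unlikely; retry with new entropy)")
    return key, digest[32:]


def ckd_hardened(parent_key: int, chain_code: bytes, index: int) -> tuple[int, bytes]:
    """BIP32 hardened child key: needs only the parent private key, no EC point math."""
    data = b"\x00" + parent_key.to_bytes(32, "big") + (index | HARDENED).to_bytes(4, "big")
    digest = hmac.new(chain_code, data, hashlib.sha512).digest()
    il = int.from_bytes(digest[:32], "big")
    child = (il + parent_key) % SECP256K1_N
    if il >= SECP256K1_N or child == 0:
        raise ValueError("invalid child key (astronomically unlikely; skip this index)")
    return child, digest[32:]


def account_key(mnemonic: str, passphrase: str = "", path: tuple[int, ...] = (44, 60, 0)) -> int:
    """Private key at the hardened account level, m/44'/60'/0' by default (assumed path)."""
    key, chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    for index in path:
        key, chain_code = ckd_hardened(key, chain_code, index)
    return key


# Constructed inputs: the public BIP39 test-vector mnemonics, not a real wallet.
VICTIM_WORDS = "abandon " * 11 + "about"
FRESH_WORDS = "legal winner thank year wave sausage worth useful legal winner thank yellow"


def model_migration() -> dict[str, bool]:
    """The scam in miniature.

    The victim types VICTIM_WORDS into the fake device 'to migrate funds'; the fake
    device ships those words to the attacker, who derives keys on any machine. A
    genuine replacement generates FRESH_WORDS on-device instead.
    """
    key_on_fake_device = account_key(VICTIM_WORDS)
    key_attacker_replays = account_key(VICTIM_WORDS)
    key_from_fresh_seed = account_key(FRESH_WORDS)
    return {
        "attacker_holds_identical_key": key_on_fake_device == key_attacker_replays,
        "fresh_seed_is_a_new_key": key_on_fake_device != key_from_fresh_seed,
    }


if __name__ == "__main__":
    for name, outcome in model_migration().items():
        print(f"{name}: {outcome}")
```

The only defence the arithmetic leaves is the one in the rule above: a seed that has been typed anywhere untrusted is burned, and the fix is new entropy on a verified device, not the old words on new plastic.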
If you used the fake device
The seed phrase you typed is permanently compromised. Generate a new seed on a verified-fresh hardware wallet (purchased from the manufacturer). Move every asset to addresses from the new seed within the hour. Do not use the fake device for anything — discard it.