Ledger's Discord Hacked: Phishing Scam Targets Users' Crypto Wallets

Scammers Take Over Moderator Account, Spread Fake Security Warnings

Hold onto your hats, crypto fans! Hardware wallet giant Ledger just wrestled back control of its Discord server after a wild ride. A crafty attacker snagged a moderator's account and went full throttle, blasting out phishing links that tried to trick users into handing over their precious seed phrases.

The chaos kicked off on May 11 when this sly fox hijacked a contracted moderator's account. With the keys to the kingdom, the attacker unleashed a bot that spewed scam links all over one of the channels, luring users to a shady site that looked just like Ledger's legit verification page.

"We jumped on it fast: booted the compromised account, nuked the bot, reported the site, and locked down all the permissions," Ledger's Quintin Boatwright declared in a May 11 Discord post. Talk about a quick draw!

This scammer was slick, posting a fake security alert that screamed about a supposed vulnerability in Ledger's systems. Users were duped into "verifying" their recovery phrases through a link that led straight to a scammer's lair.

The phishing site was a total doppelgänger of Ledger's interface, tricking users into connecting their wallets and spilling their 24-word seed phrases, all under the guise of a critical update. It was a classic move to swipe those crypto assets.

Snap! Screenshots of the scam post hit X faster than a lightning strike, sparking warnings from security gurus and putting Ledger's community management under the microscope. Check this out:

Hey @Ledger, one of your community mods got hacked and they're pulling a fast one on your Discord channel right now!

Some eagle-eyed community members spilled the beans that the attacker was using their mod powers to mute and ban anyone trying to sound the alarm, maybe even slowing down Ledger's response time.

It's still up in the air whether anyone got burned by this phishing scam, but it's just the latest in a string of similar attacks aimed at hardware wallet users.

Remember those fake letters sent out with Ledger's branding, complete with a return address and a made-up reference number? Yeah, those were trying to trick people into scanning a QR code and entering their 24-word recovery phrase, all for a bogus "security update."

Ledger isn't the only one in the crosshairs. Back in March, their security research team, Donjon, blew the whistle on a vulnerability in Trezor's Safe hardware wallets. Turns out, these devices could still be physically hacked thanks to a weak spot in the microcontroller that handles all those fancy cryptographic operations.

Get this: the chip's vulnerable to voltage glitching attacks, where an attacker can mess with the data by messing with the power supply during operations. Sneaky, right?

The crypto world's been buzzing about this exploit, with big names like former Binance CEO Changpeng Zhao chiming in.

Just got this heads-up. Ledger's Discord admin got hacked! The scammer made up a security flaw and tried to trick users into spilling their recovery phrases on a phishing site. Here's the takeaway: Never, ever give up your private key recovery phrases, no matter who's asking!