CLASSIFICATION · CONFIRMED CRIMINAL OPERATION · CRITICAL RISK

Anatomy of a $9.5M Hardware Wallet Scam.

A counterfeit Ledger Nano S Plus. A trojanized mobile app. Three command-and-control servers. One chain of evidence assembled from a single device purchased on a Chinese marketplace.

Investigation: March 2026
Attributed origin: China · Shanghai shell entity
Scope analyzed: Hardware + Android APK
Stolen from victims: US$ 9.5M+ (public press reporting · Apr 2026)
Confirmed victims: 50+ (public press reporting)
Attack vectors: 5 (Hardware, Android, Windows, macOS, iOS)
Blockchains targeted: 20 (BTC, ETH, SOL, XRP, TRON + 15 more)

Authored by High Code Security Research · @vini_bit (founder) · @anarchyysm (co-founder)

§ 01 · The scam

The scam, in plain English

Sealed boxes, original packaging, online listings that look identical to the real thing — but inside, the device is a counterfeit. When the victim sets up the wallet and types in their 24-word recovery phrase, it leaves the device before the screen finishes refreshing.

The fake runs a generic IoT microcontroller (Espressif ESP32-S3) in place of the secure element that gives a genuine Ledger its name. The markings on the chip are physically scraped off. PIN and seed are written to flash memory in plain text — no encryption, no attestation, no secure boot.

On the other side of the USB or Bluetooth cable, a trojanized Ledger Live clone (com.ledger.live, v3.99.1) reads eight extra fields the malicious firmware smuggles into a routine "what version are you" command. Those fields include the seed phrase itself, the attacker's server URL, and the RSA public key used to encrypt the payload in transit. The app then uploads the result to a server in China and the attacker drains the wallet.
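As an added illustration from the defender's side (this is not code from the High Code report or from Ledger Live), the following parses a GET_VERSION response the way the legitimate parser walks it: a 4-byte target id followed by one-byte-length-prefixed fields (seVersion, flags, mcuVersion; newer firmware appends more), and reports any string field that looks like a URL, an RSA public key or a 12/18/24-word phrase. The sample target id, version strings and injected values are constructed, and the baseline field count of 3 is an assumption to adjust per firmware version.

```javascript
// Added example: audit a Ledger-style GET_VERSION (CLA 0xE0, INS 0x01) response for
// fields that should never appear there. Not code from the report or from Ledger.

// After the 4-byte target id every field is a one-byte length followed by the bytes.
// Newer firmware appends more length-prefixed fields, so this baseline is an
// assumption to set per firmware version; the findings below do not depend on it.
const BASELINE_FIELD_COUNT = 3; // seVersion, flags, mcuVersion

function parseGetVersionFields(buf) {
  if (buf.length < 4) throw new Error('response shorter than a target id');
  const targetId = buf.readUInt32BE(0);
  const fields = [];
  let i = 4;
  while (i < buf.length) {
    const len = buf[i];
    if (i + 1 + len > buf.length) throw new Error(`truncated field at offset ${i}`);
    fields.push(buf.subarray(i + 1, i + 1 + len));
    i += 1 + len;
  }
  return { targetId, fields };
}

// Classify one field; null means "nothing that looks like secret or C2 material".
function classifyField(bytes) {
  const text = bytes.toString('latin1');
  if (!/^[\x20-\x7e]+$/.test(text)) return null; // binary field (flags, hw version), not a string
  if (/^https?:\/\//i.test(text)) return 'url';
  if (/BEGIN (RSA )?PUBLIC KEY/.test(text) || /^MII[A-Za-z0-9+\/=]{40,}$/.test(text)) return 'rsa-public-key';
  const words = text.trim().split(/\s+/);
  if ([12, 18, 24].includes(words.length) && words.every((w) => /^[a-z]{3,8}$/.test(w))) return 'mnemonic';
  return null;
}

function auditGetVersionResponse(buf) {
  const { targetId, fields } = parseGetVersionFields(buf);
  const findings = [];
  fields.forEach((f, index) => {
    const kind = classifyField(f);
    if (kind) findings.push({ index, kind, length: f.length });
  });
  return {
    targetId,
    fieldCount: fields.length,
    extraFields: Math.max(0, fields.length - BASELINE_FIELD_COUNT),
    findings,
    suspicious: findings.length > 0,
  };
}

// Build a response buffer from a target id and a list of fields (strings or Buffers).
function buildGetVersionResponse(targetId, fields) {
  const head = Buffer.alloc(4);
  head.writeUInt32BE(targetId >>> 0, 0);
  const parts = [head];
  for (const f of fields) {
    const b = Buffer.isBuffer(f) ? f : Buffer.from(f, 'latin1');
    if (b.length > 255) throw new Error('field longer than one length byte allows');
    parts.push(Buffer.from([b.length]), b);
  }
  return Buffer.concat(parts);
}

// Constructed samples: a genuine-shaped response and one carrying three injected fields.
const SAMPLE_TARGET_ID = 0x33100004;                // constructed sample value
const SAMPLE_SEED = `${'abandon '.repeat(23)}art`;  // the all-"abandon" test vector, not a real seed
const SAMPLE_BENIGN = buildGetVersionResponse(SAMPLE_TARGET_ID, ['1.1.0', Buffer.from([0, 0, 0, 0]), '3.11']);
const SAMPLE_TROJANIZED = buildGetVersionResponse(SAMPLE_TARGET_ID, [
  '1.1.0', Buffer.from([0, 0, 0, 0]), '3.11',
  'https://c2.example.invalid/api/open/post',       // constructed placeholder, not the real endpoint
  SAMPLE_SEED,
  `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA${'A'.repeat(40)}`, // constructed, not a valid key
]);

console.log(JSON.stringify(auditGetVersionResponse(SAMPLE_BENIGN)));
console.log(JSON.stringify(auditGetVersionResponse(SAMPLE_TROJANIZED), null, 2));
```

In real use the buffer is the device's reply to the get-version APDU with the two status-word bytes stripped. A genuine device has no reason to return a URL, a key or a word phrase in this response, so any finding is a hard stop regardless of how many fields the firmware version is expected to emit.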

No anomalous radio traffic. No suspicious firmware update prompt. No user-visible indication anything went wrong. The device looks, feels, and behaves like a legitimate Ledger — except for the one check that a genuine Ledger always passes and this one doesn't.

What made this one different

Previous counterfeit Ledger cases documented one or two layers of the scam. This case maps the full operation end-to-end: PCB fabrication, firmware implant, mobile application, three-tier command-and-control, and a Shanghai-based fulfillment entity feeding the marketplace listings. The cryptocurrency-theft layer and an illegal gambling network share infrastructure on the same /24 subnet.

Public reporting places confirmed losses at US$ 9.5M+ across 50+ victims, spanning 20 blockchain ecosystems, distributed across five platforms (hardware, Android, Windows, macOS, and iOS via Apple TestFlight). This report analyzes the hardware and Android vectors in full technical depth.

§ 02 · How it was discovered

A Chinese marketplace, a failed Genuine Check, and six hours of teardown.

The story of the investigation, in six beats — from the package arriving sealed to the command-and-control infrastructure being mapped end-to-end.

  1. Beat 01 · The purchase: A sealed Nano S Plus on JD.com

    As part of an ongoing research effort into hardware supply-chain integrity, our team acquired a Ledger Nano S Plus from a JD.com listing. The box, the seals, the printed inserts, even the holographic QR code on the packaging insert — everything visually matched a retail unit from ledger.com. Price was at parity with the official store.

  2. Beat 02 · First plug-in: Genuine Check fails on the first pairing

    On a clean Windows workstation with an official download of Ledger Live, the device paired over USB HID and identified itself as "Nano S+". The Genuine Check — the cryptographic attestation handshake between Ledger Live and the device's secure element — returned a failure. A legitimate Nano S Plus passes this check on every pairing. Failure on a sealed, retail-packaged unit from an unsanctioned marketplace is the canonical counterfeit signal.

  3. Beat 03 · The decision: Open it up

    Rather than return the unit, we opened it. Two screws, a plastic clip, and the PCB was out. The first observation wasn't the chip — it was the antenna trace: a Wi-Fi/BLE antenna on a device that Ledger explicitly does not ship with Wi-Fi capability. Something was wrong at the substitution layer, not just the firmware.

  4. Beat 04 · The chip: ESP32-S3 under scraped markings

    The main microcontroller had its silkscreen markings mechanically abraded — a flat matte finish where a factory laser engraving should be. Package geometry, pin count, and boot banner all pointed to an Espressif ESP32-S3: a general-purpose IoT SoC with no secure element and no hardware-level isolation for key material. The substitution was complete.

  5. Beat 05 · The flash: PIN and seed in plain text

    Using esptool over the internal UART test points, we extracted the full 4 MB flash image. The NVS partition held the PIN (348962) at two offsets and two 24-word BIP39 mnemonics — in plain text, with no cryptographic protection whatsoever. No commercial hardware wallet stores this material unencrypted. The counterfeit didn't just lack a secure element — it lacked any pretense of one.

  6. Beat 06 · The infrastructure: Three servers, one chain

    Plaintext strings in the firmware pointed to kkkhhhnnn.com as the primary exfiltration endpoint, Cloudflare-fronted with a Java backend. The companion Android APK, signed with an Android SDK debug certificate, revealed two more: an Alibaba Cloud Hong Kong instance running RuoYi and an nginx property co-hosted with a Chinese gambling network. Same DNS provider across both APK C2s. Same /24 subnet as the gambling front. The operation had been active since at least 2018.
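Beat 05's finding can be reduced to a repeatable forensic check. The block below is an added example, not code from the report or from esptool: it walks a raw flash dump for printable runs and reports anything shaped like a BIP39 phrase (optionally validated against a wordlist Set you supply) and any six-digit string stored at more than one offset, which is how the PIN appeared in this unit's NVS. The dump it triages is constructed inline with the all-"abandon" test phrase and a made-up PIN.

```javascript
// Added example: triage a raw flash dump for plaintext wallet secrets of the kind the
// report recovered from the counterfeit's NVS partition. Not code from the report;
// the sample dump below is constructed.

// Collect runs of printable ASCII of at least minLen bytes, with their offsets.
function extractPrintableRuns(buf, minLen = 4) {
  const runs = [];
  let start = -1;
  for (let i = 0; i <= buf.length; i++) {
    const printable = i < buf.length && buf[i] >= 0x20 && buf[i] <= 0x7e;
    if (printable && start < 0) start = i;
    if (!printable && start >= 0) {
      if (i - start >= minLen) runs.push({ offset: start, text: buf.toString('latin1', start, i) });
      start = -1;
    }
  }
  return runs;
}

// 12/18/24 lowercase words of 3..8 letters; optionally every word must be in the wordlist Set.
function findMnemonicCandidates(buf, wordlist = null) {
  const out = [];
  for (const run of extractPrintableRuns(buf, 24)) {
    const words = run.text.trim().split(/\s+/);
    if (![12, 18, 24].includes(words.length)) continue;
    if (!words.every((w) => /^[a-z]{3,8}$/.test(w))) continue;
    if (wordlist && !words.every((w) => wordlist.has(w))) continue;
    out.push({ offset: run.offset, wordCount: words.length, words });
  }
  return out;
}

// Six-digit ASCII strings stored at more than one offset (the report found the PIN twice).
function findRepeatedPinCandidates(buf) {
  const offsetsByPin = new Map();
  for (const run of extractPrintableRuns(buf, 6)) {
    if (!/^\d{6}$/.test(run.text)) continue;
    if (!offsetsByPin.has(run.text)) offsetsByPin.set(run.text, []);
    offsetsByPin.get(run.text).push(run.offset);
  }
  return [...offsetsByPin]
    .filter(([, offsets]) => offsets.length >= 2)
    .map(([pin, offsets]) => ({ pin, offsets }));
}

function triageFlashDump(buf, wordlist = null) {
  const mnemonics = findMnemonicCandidates(buf, wordlist);
  const pins = findRepeatedPinCandidates(buf);
  return { mnemonics, pins, plaintextSecretsFound: mnemonics.length > 0 || pins.length > 0 };
}

// Constructed stand-in for an NVS region: 0xFF filler around NVS-style keys and values.
const SAMPLE_MNEMONIC = `${'abandon '.repeat(23)}art`; // well-known test vector, not a real seed
const SAMPLE_PIN = '246801';                             // constructed, not the PIN from the report
function buildSampleDump() {
  const filler = Buffer.alloc(64, 0xff);
  return Buffer.concat([
    filler, Buffer.from('pin\0'), Buffer.from(`${SAMPLE_PIN}\0`),
    filler, Buffer.from('seed0\0'), Buffer.from(`${SAMPLE_MNEMONIC}\0`),
    filler, Buffer.from(`${SAMPLE_PIN}\0`), filler,
  ]);
}

console.log(JSON.stringify(triageFlashDump(buildSampleDump()), null, 2));
```

On a real dump (for example the 4 MB image esptool produces) pass the file contents as the buffer and the 2048-word BIP39 list as the Set; any candidate at all means key material was stored without encryption, which no genuine hardware wallet does.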

The full forensic analysis — including decompiled malicious components, the six-phase attack chain, attribution evidence, and IoCs — is documented in the technical whitepaper. Download it below ↓

§ 03 · Five attack vectors

Five platforms.
One operation.

The same adversary is distributing malicious software across every platform a Ledger user might run. This report covers the hardware implant and the Android APK in depth. The Windows, macOS, and iOS (TestFlight) vectors are confirmed by press coverage and are outside the technical scope of this analysis.

Vector 01 · Hardware · Analyzed

Counterfeit Ledger Nano S Plus

ESP32-S3 general-purpose MCU swapped in for the secure element. Chip markings scraped off. PIN and seed stored in plain text in NVS flash.

  • Genuine Check fails on first pairing
  • Scraped chip markings on the main IC
  • No secure element — generic IoT microcontroller
  • PIN 348962 recovered in plaintext

Vector 02 · Android · Analyzed

Trojanized Ledger Live APK

React Native / Hermes bundle posing as com.ledger.live v3.99.1. Signed with Android debug certificate. Parses 8 malicious TLV fields injected into the APDU response and exfiltrates the seed via RSA.

  • Signed by android@android.com (debug key)
  • CAMERA + RECORD_AUDIO permissions requested
  • SHA-256: 62723c30…bc54f3
  • 3 active C2 servers

Vector 03 · Windows · Press-confirmed

Trojanized Desktop Installer

Windows variant confirmed by press coverage. Not analyzed by the High Code team at publication. Technical artifact not in our possession.

  • Press-confirmed
  • Analysis pending

Vector 04 · macOS · Press-confirmed

Trojanized Desktop Installer

macOS variant confirmed by press coverage. Not analyzed by the High Code team at publication. Technical artifact not in our possession.

  • Press-confirmed
  • Analysis pending

Vector 05 · iOS · Press-confirmed

TestFlight Distribution

iOS build distributed via Apple TestFlight, bypassing App Store review. Most concerning vector — TestFlight bypass is rare and extends the operation's reach to sealed Apple devices.

  • Bypasses App Store review
  • Apple TestFlight channel
  • Analysis pending
§ 03 · Teardown

Hardware teardown

Opened, desoldered, and flash-dumped. Captions travel with the data, not the images.

  • 01 · PCB top view: ESP32-S3 with scraped-off markings (green double-layer PCB, main microcontroller markings mechanically removed)
  • 02 · PCB bottom: USB-C connector, test points TP1/TP2
  • 03 · 40 MHz crystal: YXC (Yangxing Tech, Shenzhen), labelled 40.000 545PA YXC
  • 04 · ESP32-S3 macro: generic MCU in place of a secure element
  • 05 · 4 MB flash dump: NVS + app0 + app1 + SPIFFS partitions, extracted over a USB-to-UART adapter
  • 06 · Case opened: shell identical to a genuine Ledger Nano S Plus
  • 07 · Buttons and SPI display: counterfeit exterior mimics the original UX
  • 08 · NVS keys: test seeds stored in plain text (hex editor view of mnemonic words recovered from the NVS partition)

§ 04 · Timeline

Operation timeline

The bundle carries its own archaeology. 11 datable anchors — from wallet birth to detection — map an operation prepared for years.

  1. Sep 2018 · Attacker TRON wallet created

    Wallet TMWUs3PiSDkEXuXRwQi9ixoURH8vBSbioQ created — indicates a veteran actor, not a first-time attempt.

  2. Jan 2024 · Oldest timestamp in Hermes bundle

    Earliest date found inside the React Native bundle of ledapp.apk — the codebase has been in development for at least 14 months before distribution.

  3. 14 May 2024 · Domain s6s7smdxyzbsd7d7nsrx.icu registered

    Secondary C2 domain registered via Hefei Juming Network Technology Co., Ltd (China). Resolves to 47.243.165.24 (Alibaba Cloud HK).

  4. 04 Dec 2024 · Intermediate compilation date

    Second reference date embedded in the Hermes bundle — likely an intermediate build.

  5. 18 Aug 2025 · TLS certificate issued for primary C2

    Certificate for C2 #1 issued by Certum (Poland). Valid through 09/2026.

  6. 20 Aug 2025 · Most recent compile timestamp

    Most recent date embedded in the shipped Hermes bundle — release candidate window.

  7. 23 Sep 2025 · Gambling server 3377 last modification

    Linked gambling network (3377947f.app, 3377 Sports) confirms financial monetization rail.

  8. Oct 2025 · Fake Ledger hardware built

    Firmware build tag 20251016 — PCB + ESP32-S3 units rolled off a scaled production run.

  9. 12 Mar 2026 · Secondary C2 domain updated

    .icu domain record updated 11 days before forensic analysis — operation still actively maintained.

  10. 22 Mar 2026 · 04:06 · Malicious APK distributed

    User vini_bit [HIGH] receives and triages the APK link delivered via Telegram/Discord. The [HIGH] tag marks the High Code researcher who captured the sample — not the attacker.

  11. 22–23 Mar 2026 · Forensic analysis conducted

    Complete reverse engineering of firmware, Hermes bytecode, APK, and C2 infrastructure — published by High Code Security Research.

§ 05 · C2 Infrastructure

Public C2 addresses

All three servers are active as of the analysis date. Published for blocking, sinkholing, and correlation — do not probe.

Active command-and-control servers identified in the operation.

  1. kkkhhhnnn.com · /api/open/postByTokenpocket
     Role: Hardware C2 — receives RSA-encrypted seed phrases
     Notes: Response body {"code":"500","msg":"(Chinese)","enMsg":"error","indinMsg":""} — response bodies localized in Chinese, English and Indonesian.
     Status: ACTIVE — HTTP 500 (API responds)

  2. s6s7smdxyzbsd7d7nsrx.icu · /api/hard
     Role: APK C2 #1 — metadata + firmware update disguise
     Notes: Exposes /druid/login.html and /login (admin panel in zh-CN). TLS fingerprint F3:77:A1:EE:89:C2:64:B4:A6:A7:0B:8A:E9:A1:51:BE:FE:EF:A2:42.
     Status: ACTIVE — HTTP 200

  3. www.ysknfr.cn · /helpers/scripts/pack_data
     Role: APK C2 #2 — packed exfiltration payloads
     Notes: Redirects to gambling property 3377947f.app (156.239.121.247) on the same /24 — monetization linkage confirmed.
     Status: ACTIVE — HTTP 200

Legal notice: Published for defensive purposes. Do not probe these endpoints — assume adversary monitoring.

§ 10 · Indicators of Compromise

Consolidated IoCs

Every hash, domain, wallet, certificate and function name extracted during analysis. Machine-readable export: iocs.json.

Hashes (3)
  • APK · SHA-256 · 62723c30f17be2e0e59a529b7adc1a7d602a78973b9acc68a5a076eadcbc54f3
  • Firmware ELF · SHA-256 · 93d2d28f2d46e626172fa592acee84aa5ec7c1076d59e69608ba03abfab4812a
  • Flash dump · SHA-256 · 8fdddbaefbc014b4377725290c2e3c69c3ff211d71cfa1d7b8d1c41b764539ba

Domains & URLs (6)
  • kkkhhhnnn.com · https://kkkhhhnnn.com/api/open/postByTokenpocket · Hardware C2 — receives RSA-encrypted seeds
  • s6s7smdxyzbsd7d7nsrx.icu · https://s6s7smdxyzbsd7d7nsrx.icu/api/hard · APK C2 #1 — metadata + fake firmware updates (47.243.165.24)
  • www.ysknfr.cn · http://www.ysknfr.cn/helpers/scripts/pack_data · APK C2 #2 — packed exfiltration payloads (156.239.121.224)
  • 3377947f.app · https://3377947f.app/ · Linked gambling network (156.239.121.247)
  • prod-4go95ae3e2a5071b-1391497608.tcloudbaseapp.com · https://prod-4go95ae3e2a5071b-1391497608.tcloudbaseapp.com/led/index.htm · Distribution site (Tencent CloudBase, now 404)
  • inlnk.ru · https://inlnk.ru/84PnYo · Russian URL shortener referenced in bundle (Mercuryo widget)

Wallets & tokens (3)
  • TRON · TMWUs3PiSDkEXuXRwQi9ixoURH8vBSbioQ · Attacker primary wallet — created Sep 2018, balance ~628.94 TRX
  • Ethereum · 0xc443930Ecd59e55e42Efe976B8a4bA0658f5c50a · Attacker test token SODIUM (ERC-20)
  • Ethereum · 0x34DF29Dd880e9fe2cec0f85f7658B75606fB2870 · Attacker test token NAVYSEAL (ERC-20)

Certificates & identifiers (10)
  • APK cert serial · 93:6e:ac:be:07:f2:01:df
  • APK cert owner · android@android.com (Android debug certificate — NOT Ledger SAS)
  • TLS SHA-1 (C2 #1) · F3:77:A1:EE:89:C2:64:B4:A6:A7:0B:8A:E9:A1:51:BE:FE:EF:A2:42
  • DNS servers · ns1.julydns.com, ns2.julydns.com (shared across C2 #1 and #2)
  • Registrar · Hefei Juming Network Technology Co., Ltd
  • Baidu Analytics ID #1 · 80a56e249de1b31e4e235cbcdecf31c1
  • Baidu Analytics ID #2 · 622e807c8e78252a0eb835eec4d62ba1
  • Hardware serial (test unit) · 72654036432549
  • Hardware test PIN · 348962
  • Sentry Debug ID (bundle) · 7d5c3676-89c1-4e2e-ba4b-5c2d23ce79b7

Malicious function names (9) · Function · Lines · Description
  • verifyDeviceMnemonic · 610451, 720025 · Exfiltration entry point
  • _verifyDeviceMnemonic · 718912 · Async generator core implementation
  • submitMnemonic · 719061 (module 9775) · POST to primary C2 with RSA-encrypted seed
  • parseGetVersionResponse · 711507–712188 · Parses 8 malicious APDU fields
  • mmdLog · 718764 · Internal malware logger — 'mmd' prefix
  • normalizeCiyuType · 720008 · Ciyu = 词语 (word/phrase) — mnemonic type normalizer in romanized Chinese
  • storedMnemonic · 610333, 712184 · Field holding the victim's seed phrase
  • verifyMnemonicBaseUrl · 610328, 712174 · Injected field carrying the C2 URL
  • verifyMnemonicRsaPublicKey · 610332, 712182 · Injected field carrying the RSA public key
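To turn the indicators above and in the C2 section into something that runs, here is an added example (not code from the report and not iocs.json itself) that extracts hashes, IPs and hostnames from free-form log lines and matches them against the domains, IPs and SHA-256 values listed on this page; a hit on the /24 that C2 #2 shares with the gambling property is reported as low confidence only. The log lines are constructed; the indicator values are the ones published here.

```javascript
// Added example: match the indicators published in this report against log lines.
// Not code from the report; the log lines are constructed. Indicator values are the
// ones listed on this page.
const IOCS = {
  domains: [
    'kkkhhhnnn.com', 's6s7smdxyzbsd7d7nsrx.icu', 'www.ysknfr.cn', '3377947f.app',
    'prod-4go95ae3e2a5071b-1391497608.tcloudbaseapp.com',
  ],
  ips: ['47.243.165.24', '156.239.121.224', '156.239.121.247'],
  subnets24: ['156.239.121.0/24'], // C2 #2 and the gambling property share this /24: weak signal only
  sha256: [
    '62723c30f17be2e0e59a529b7adc1a7d602a78973b9acc68a5a076eadcbc54f3', // APK
    '93d2d28f2d46e626172fa592acee84aa5ec7c1076d59e69608ba03abfab4812a', // firmware ELF
    '8fdddbaefbc014b4377725290c2e3c69c3ff211d71cfa1d7b8d1c41b764539ba', // flash dump
  ],
};

function sameSlash24(ip, cidr) {
  const first3 = (s) => s.split('.').slice(0, 3).join('.');
  return first3(ip) === first3(cidr.split('/')[0]);
}

// Pull hashes, IPs and hostnames out of a free-form log line (URLs contribute their hostname).
function extractObservables(line) {
  const obs = [];
  for (const raw of line.split(/\s+/)) {
    const tok = raw.replace(/^[("'<\[]+|[)"'>\],;]+$/g, '');
    const val = tok.includes('=') ? tok.slice(tok.indexOf('=') + 1) : tok; // key=value fields
    if (/^[0-9a-f]{64}$/i.test(val)) obs.push({ kind: 'sha256', value: val.toLowerCase() });
    else if (/^https?:\/\//i.test(val)) {
      try { obs.push({ kind: 'host', value: new URL(val).hostname.toLowerCase() }); } catch { /* malformed URL */ }
    } else if (/^\d{1,3}(\.\d{1,3}){3}(:\d+)?$/.test(val)) obs.push({ kind: 'ip', value: val.split(':')[0] });
    else if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(val)) obs.push({ kind: 'host', value: val.toLowerCase() });
  }
  return obs;
}

function matchIocs(line, iocs = IOCS) {
  const hits = [];
  for (const o of extractObservables(line)) {
    if (o.kind === 'sha256' && iocs.sha256.includes(o.value)) {
      hits.push({ kind: 'sha256', indicator: o.value, confidence: 'high' });
    } else if (o.kind === 'ip') {
      if (iocs.ips.includes(o.value)) hits.push({ kind: 'ip', indicator: o.value, confidence: 'high' });
      else {
        const net = iocs.subnets24.find((c) => sameSlash24(o.value, c));
        if (net) hits.push({ kind: 'subnet', indicator: net, confidence: 'low' });
      }
    } else if (o.kind === 'host') {
      const d = iocs.domains.find((dom) => o.value === dom || o.value.endsWith(`.${dom}`));
      if (d) hits.push({ kind: 'domain', indicator: d, confidence: 'high' });
    }
  }
  return hits;
}

function scanLog(lines, iocs = IOCS) {
  return lines
    .map((line, i) => ({ lineNumber: i + 1, line, hits: matchIocs(line, iocs) }))
    .filter((r) => r.hits.length > 0);
}

// Constructed log lines (DNS, proxy, connection and EDR style); none come from a real system.
const SAMPLE_LOG = [
  '2026-03-22T04:06:10Z dns query A kkkhhhnnn.com from 10.0.0.12',
  '2026-03-22T04:06:11Z proxy POST https://kkkhhhnnn.com/api/open/postByTokenpocket status=500',
  '2026-03-22T04:07:00Z dns query A www.example.com from 10.0.0.12',
  '2026-03-22T04:08:00Z conn 10.0.0.12 -> 47.243.165.24:443 tls',
  '2026-03-22T04:09:00Z edr file sha256=62723c30f17be2e0e59a529b7adc1a7d602a78973b9acc68a5a076eadcbc54f3 path=/sdcard/Download/ledapp.apk',
  '2026-03-22T04:10:00Z conn 10.0.0.12 -> 156.239.121.9:443 tls',
];

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Feed it DNS resolver, proxy or EDR exports one line per entry; only the high-confidence hits (listed domain, exact IP, published hash) justify an alert on their own, while the /24 match is there to enrich, never to block.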
§ 06 · Genuine check

Have I been pwned?
— but for hardware wallets.


Fraud signals to look for
  • Chip with scraped-off markings on the main IC
  • APK signed with android@android.com (debug cert)
  • Runtime permissions CAMERA + RECORD_AUDIO
  • APK SHA-256 matches 62723c30…bc54f3
  • Sold outside official ledger.com channel
  • Device ships pre-initialized with a seed

A high-confidence lookup service is in development. Meanwhile, verify manually:

  • Your firmware hash must match the official ledger.com hashes.
  • Counterfeit APK hash: 62723c30…bc54f3
  • Counterfeit firmware on an ESP32-S3 — no secure element present.
  • Suspicious serial? Submit the device below for analysis.
§ 08 · How to protect yourself

Six things, in order of priority.

The counterfeit operation is active and actively maintained. These steps are how the research team protects its own hardware and how anyone holding a hardware wallet should protect theirs.

01
Critical

Buy only from ledger.com

No Ledger device is legitimately sold through JD.com, Taobao, AliExpress, or any Chinese marketplace. Reject third-party listings even if the price matches.

02
Critical

Run the Genuine Check immediately

On first USB/BLE pairing, Ledger Live runs a cryptographic attestation against the device's secure element. Any failure means the device is not authentic — stop using it.

03
Critical

Download Ledger Live only from ledger.com

Verify the installer SHA-256 against the hashes published on ledger.com. The counterfeit APK (com.ledger.live v3.99.1) is signed with an Android SDK debug certificate — android@android.com — and never with Ledger SAS production credentials.

04
High

Never type your seed into any app or website

No legitimate wallet, exchange, or support team will ever ask for your 24 words. Recovery phrases are entered on the hardware device's screen and buttons only.

05
High

If you suspect your device was compromised

Move funds immediately to a new wallet with a new seed generated on a verifiably genuine hardware device. Do not attempt to reset or reuse the counterfeit — it was never trustworthy.

06
Recommended

Got a suspicious device? Send it for analysis

If you received a hardware wallet under unclear provenance, submit it to our team via the form below before connecting it to anything. Every sample strengthens community indicators.

If you suspect you received a counterfeit device, do not ship it until we confirm a case via the intake form. Physical mail-in details are shared only after a researcher acknowledges the submission. Submit a device below ↓

§ 01 · Report

Download the report

English · PDF · 28 pages
relatorio_ledger.pdf

Published for defensive and educational purposes. Treat every indicator as actively adversary-monitored — do not probe endpoints from attributable infrastructure.

§ 09 · Submit

Got a suspicious Ledger?

Send it in. We'll triage hardware, firmware, and APK evidence under NDA when required. Every submission feeds back into public indicators.

Do not ship devices until we confirm a case. Physical mail-in details are shared after a researcher acknowledges your submission.

Response within 48 business hours.

§ 11 · About

This is what we do.

High Code Security Research

High Code is a hardware-focused cybersecurity company. Our proximity to the global electronics supply chain gives us direct access to emerging threats in hardware security — counterfeit consumer devices, trojanized firmware, compromised distribution channels.

This report is the kind of work we do every day. Teardown, firmware extraction, bytecode reverse engineering, infrastructure reconnaissance — documented in public so the community has machine-readable indicators to defend with.

Headquarters
Delaware, USA
R&D operations · supply-chain proximity
Shenzhen, China

Working on a hardware-security problem?

If your project needs teardown analysis, firmware reverse engineering, or threat intelligence on counterfeit hardware in Asian supply chains, we're open to inquiries.

§ 11 · Credits

Researchers

High Code Security Research
Founder
Vinícius Pinheiro
@vini_bit
Co-founder
Emanuel Magalhães
@anarchyysm

This research was conducted after Vinícius acquired a counterfeit Ledger Nano S Plus from the JD.com Chinese marketplace and the device failed the official Ledger Genuine Check on first pairing. The full forensic analysis — hardware teardown, firmware dump, and reverse engineering of the trojanized APK — was documented jointly by the High Code team and published in the technical whitepaper.