§ Article · Intermediate

Ledger 2026 breach — what it means for your coins

The Ledger leak weaponised: $9.5M lost in fake-app scams, paper phishing using real addresses, and what self-custodians should actually do about it.

By dont-trust-verify · Published 4 May 2026 (B.E. 2569)


The Ledger breach is the data leak that won’t stop hurting people.

The original 2020 incident exposed roughly 270,000 customer records — names, physical addresses, phone numbers, email addresses — from Ledger’s e-commerce database. Six years later that database is still being sold, recombined, and weaponised. In January 2026 another tranche surfaced on a clearnet leak forum. By April 2026 a coordinated fake-app campaign on the Apple App Store — where the attackers ran what looked like a “Ledger Live 2.0” with a real-looking developer profile — drained an estimated $9.5 million from people who genuinely believed they were updating their official wallet.

I want to be clear about two things before going further:

  1. This is not a “your seed is compromised” event. The leaked database does not contain seed phrases, public keys, balances, or signatures. Your Bitcoin is not at protocol-level risk because of this leak.
  2. This is a “your physical safety and your credulity are now under attack” event. Attackers know your name. They know where you live. They know your email and phone number. They know you own a hardware wallet. Everything they do with that information is targeted social engineering — and that is what drains coins.

This guide is for people who own a Ledger, used to own one, or just want to understand what’s happening so they can recognise the playbook when it hits a friend.

TL;DR. If you ordered a Ledger between 2017 and 2020 and used your real shipping address and email — your data is in the leak. Treat any unsolicited email, SMS, paper letter, or app-store update claiming to be from Ledger or about your Ledger as adversarial until proven otherwise. Do not enter your seed into anything, ever, for any reason. Verify firmware updates only from the Ledger Live app you already have installed, not from any link.

What actually got out, and why it keeps mattering

The 2020 breach hit Ledger's Shopify-backed e-commerce stack. The data lost included:

  - customer names
  - physical (shipping) addresses
  - phone numbers
  - email addresses

What did NOT get out:

  - seed phrases or private keys
  - public keys
  - balances
  - signatures

So the worst-case the protocol cares about — “did anyone steal a private key?” — is no.

The worst case the attacker economy cares about — “do we have a list of 270,000 people who definitely own crypto, with their home addresses?” — is a permanent, compounding nightmare. That list has been resold and recombined against newer leaks (LinkedIn, Twitter, telecom breaches) for the better part of a decade now. It’s the most weaponised retail crypto leak in history.

The post-2020 attack timeline

Year by year, this is what attackers have done with the Ledger list. I’m including this because the pattern of attack is more useful to know than any one incident.

2020 — phishing emails at scale. Direct ask for the 24-word seed via fake “wallet sync required” / “your Ledger has been compromised, please re-validate” emails. Crude but effective on people who don’t yet know that Ledger never asks for the seed.

2021 — phishing SMS + fake support hotlines. Attackers spoof Ledger support phone numbers; victims who Google “Ledger support phone” land on attacker-bought ads. Same end game: the seed.

2022 — physical mail phishing. This is where it gets nasty. Attackers send victims a real paper letter with Ledger branding, a real-looking returns address, sometimes a fake “replacement device” in the box, with instructions to enter their seed into a tampered device or website. Victims who survived two years of email phishing trust paper because paper feels official. People lost six-figure amounts to this.

2023 — fake Ledger Live downloads via SEO + ads. Attackers buy Google ads on “ledger live download” and rank fake clones in the top three results. The clones are visually pixel-identical and ask for the seed during “first-time setup.”

2024 — Ledger Recover backlash + opportunistic phishing. When Ledger announced its optional, opt-in seed-backup service in mid-2023, attackers seized the FUD and sent emails saying “opt out before X date or your seed will be uploaded automatically.” Pure social engineering riding the wave of legitimate community concern.

2026 (this is the new one) — fake Ledger Live in the Apple App Store. Attackers got a fake Ledger Live clone published under a developer name like “Ledger SAS Mobile” with a polished icon and screenshots. It cleared App Store review (this is not the first time crypto malware has slipped through Apple’s screening, and it won’t be the last). For roughly six weeks the app was live, ranked, and being promoted via the leaked email + SMS lists. Anyone who downloaded it and went through “first-time setup” — entering their 24 words “to import their existing wallet” — had their funds drained within hours.

The reported total for the App Store campaign is $9.5 million, but the real number is almost certainly higher. People who lose seven figures in self-custody often don’t go public.

The lesson, again: the leaked database is not the breach. The breach is knowing who’s vulnerable — and a tampered piece of hardware, paper, app, or DM landing in front of them.

What you should actually do, in order

1. Decide whether you trust your physical security

If your real name and home address are tied to a known crypto holding, you are now operating under a higher physical-security bar than the average self-custodian. That doesn’t mean you have to move — most attacks via this list are remote phishing — but it does mean:

This is the part of self-custody nobody likes to talk about. Privacy is a security property, not a vibe.

2. Audit your seed-handling habits, not your device

The Ledger device itself is not compromised by this leak. The danger is what you do when an attacker contacts you. Therefore the audit you actually need is:

The most expensive lesson in self-custody is realising that “I never told anyone my seed” and “I never put my seed online” are not the same statement.

3. Know what Ledger / Trezor / Coinkite actually do and don’t do

Memorise this and stop reading any communication that violates it:

4. Have a “weird email” rule

Every Ledger-list victim I’ve talked to says some version of the same sentence: “I knew it might be phishing, but the timing was suspicious so I clicked just to check.”

Your rule, regardless of how plausible the message looks:

Anything claiming to be from Ledger / Trezor / Coinkite that arrives in my inbox / SMS / mailbox / DM is fake by default. If something legitimately needs my attention, it’ll be visible inside the wallet-management app I already have open.

That’s the entire policy. Stop reading the email. Stop clicking the link. Stop opening the box. The inbox is the attack surface.

5. Use the right tools to verify the things you DO need to check

Sometimes you actually do need to verify something — an address you’re sending to, a transaction you signed, the validity of a seed phrase backup you wrote down. Do those checks on tools you trust:

A legitimate verification tool never asks for anything sensitive that the check itself doesn't need: checking an address, a signed transaction, or a backup never requires typing your seed into a computer. If a tool asks for your seed in order to check an address, it's a honeypot. Close it.
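The kind of check a trustworthy tool performs, as an added example that is not part of the original article and not Ledger's or any vendor's code: an offline Bitcoin address validator in Python, standard library only. It takes the public address you are about to pay and nothing else, decodes Base58Check (legacy 1... and 3... addresses) and Bech32/Bech32m (bc1... addresses), and rejects typos, mangled clipboard contents, mixed-case strings and wrong-network prefixes. The addresses in the demo at the bottom are constructed inputs: two well-known public test vectors (the BIP173 example P2WPKH address and the genesis-block coinbase address), plus a one-character typo of the first; they are not anyone's funds.

```python
import hashlib

# Base58Check: legacy "1..." (P2PKH) and "3..." (P2SH) addresses
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_decode(addr):
    """Return (version_byte, payload) or None if a char or the checksum is bad."""
    n = 0
    for ch in addr:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # leading '1' = 0x00
    if len(raw) < 5:
        return None
    body, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != checksum:
        return None
    return body[0], body[1:]

# Bech32 (BIP173) / Bech32m (BIP350): native SegWit "bc1..." addresses
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3

def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _groups_to_bytes(groups):
    """Regroup 5-bit values into bytes; reject oversized or non-zero padding."""
    acc = bits = 0
    out = []
    for g in groups:
        acc, bits = (acc << 5) | g, bits + 5
        while bits >= 8:
            bits -= 8
            out.append((acc >> bits) & 0xFF)
    if bits >= 5 or ((acc << (8 - bits)) & 0xFF):
        return None
    return bytes(out)

def segwit_decode(addr):
    """Return (hrp, witness_version, program) or None if the address is invalid."""
    if addr != addr.lower() and addr != addr.upper():
        return None  # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")  # separator between human-readable part and data
    if pos < 1 or pos + 8 > len(addr) or len(addr) > 90:
        return None
    hrp, data_part = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data_part):
        return None
    data = [BECH32_CHARSET.index(c) for c in data_part]
    version = data[0]
    # witness v0 uses the original bech32 constant, v1+ (taproot) uses bech32m
    if _polymod(_hrp_expand(hrp) + data) != (BECH32_CONST if version == 0 else BECH32M_CONST):
        return None
    program = _groups_to_bytes(data[1:-6])
    if program is None or version > 16 or not 2 <= len(program) <= 40:
        return None
    if version == 0 and len(program) not in (20, 32):
        return None
    return hrp, version, program

def check_address(addr):
    """Classify a mainnet Bitcoin address. Needs no secret and works offline."""
    seg = segwit_decode(addr)
    if seg:
        hrp, ver, prog = seg
        if hrp != "bc":
            return {"ok": False, "reason": f"prefix {hrp!r} is not mainnet"}
        kind = {(0, 20): "P2WPKH", (0, 32): "P2WSH", (1, 32): "P2TR"}
        return {"ok": True, "type": kind.get((ver, len(prog)), f"witness v{ver}"),
                "program": prog.hex()}
    legacy = base58check_decode(addr)
    if legacy:
        version, payload = legacy
        if len(payload) == 20 and version in (0x00, 0x05):
            return {"ok": True, "type": "P2PKH" if version == 0 else "P2SH",
                    "program": payload.hex()}
        return {"ok": False, "reason": f"unknown version byte 0x{version:02x}"}
    return {"ok": False, "reason": "checksum or format invalid"}

if __name__ == "__main__":  # constructed inputs: BIP173 example P2WPKH, and a 1-char typo of it
    for a in ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t5"):
        print(a, check_address(a))
```

Note what this does and does not prove. A checksum failure means the string is corrupt and must not be paid. A checksum pass only means the address is well-formed: clipboard-swapping malware replaces your intended address with an equally valid one of the attacker's, so the final check is still reading the address off the hardware wallet's own screen before you confirm. The point the article is making is visible in the function signature: the input is a public address, and a tool that needs more than that to "verify" an address is asking for something it has no business seeing.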

Should I migrate to a different vendor?

This is the question I get most. My honest answer:

No, the Ledger device itself is fine. The 2020 e-commerce breach was a Shopify integration mistake by Ledger’s marketing stack — it wasn’t a vulnerability in the device, the secure element, or the firmware. The device’s job is to keep your private keys away from the network, and it does that well. Trezor, Coldcard, Foundation Passport, BitBox02 are all good devices too, with different trade-offs (see our hardware wallet reviews for honest first-person notes on each).

Yes, you should migrate to a new seed if you've ever typed the old one into anything. Generate a fresh seed on a reputable hardware device, move the coins, and retire the old seed. Your existing device (a Ledger, or an older Coldcard Mk1 / Mk2 / Mk3) will continue to work fine; you just want a seed that has never left it.

If you’re new to the space and just deciding which vendor to start with, I’d choose Coldcard Mk4 for its air-gapped operation and Bitcoin-only design — but a Ledger Nano S+ used correctly is still better than leaving coins on an exchange.

The harder lesson behind all of this

The Ledger breach happened in 2020. We’re talking about it in 2026 because retail self-custody has a privacy problem the protocol can’t fix.

Bitcoin's cryptography can keep your private keys safe from any realistic computational attacker. It cannot keep your identity safe from a vendor whose marketing department runs on Shopify. The asymmetry is real, and every self-custodian eventually has to decide what level of doxxing they're comfortable with for the convenience of ordering hardware to their home address under their real name.

The privacy choices people make at the purchase step are the choices that determine which threats they live with for the rest of their self-custody journey. That’s the unglamorous, unsexy lesson. Buy hardware in person where you can. Buy it shipped to a P.O. box if you can’t. Don’t tie your real name to your stack on social media. Don’t post the box.

It is uncomfortable advice. It is also the advice that, six years on, the people on the Ledger list wish they had taken.

Sources & further reading