Cybercriminals have initiated a focused phishing campaign by exploiting a fabricated merger between the cryptocurrency hardware wallet manufacturers Ledger and Trezor. This follows a recent data leak from Ledger’s third-party e-commerce partner, Global-e.

Details of the Phishing Scam

On January 5, Ledger informed its customers via email of a data breach at Global-e that compromised customer details, including names, email addresses, phone numbers, and order specifics. Shortly after this announcement, affected users reported receiving phishing emails that falsely asserted the merger of the two companies. Screenshots of these deceptive communications have circulated on X.

“We are pleased to announce that after months of strategic discussions, Ledger and Trezor have finalized a merger agreement. This landmark partnership unites two industry leaders with a shared vision of providing the highest standard of security for digital asset management.”
“We are pleased to announce that after months of strategic discussions, Ledger and Trezor have finalized a merger agreement. This landmark partnership unites two industry leaders with a shared vision of providing the highest standard of security for digital asset management.”

The email further claimed that this union would help the two firms accelerate innovation and broaden their product offerings while maintaining their commitment to asset protection. Recipients were tricked into “migrating” their wallets by submitting their 24-word recovery phrases on a counterfeit website that mimicked official branding.

In response to this attack, Global-e has begun an internal probe of the incident and is collaborating with cybersecurity specialists to evaluate its breadth. The company has not provided specifics on the number of users affected but has confirmed that the breach was confined to contact and order information.

Ledger has reportedly alerted relevant data protection agencies and is cooperating with law enforcement.

A History of Data Breaches

This incident is not Ledger’s first encounter with such issues. In 2020, hackers accessed its e-commerce and marketing databases, compromising personal information for hundreds of thousands of users.

The disclosed information included email addresses, names, phone numbers, and physical addresses, with users later reporting receiving phishing attempts and threats. During that time, Ledger faced public backlash for its slow response and insufficient protective measures, ultimately leading to a formal lawsuit against it and Shopify.

The company later confirmed that a rogue employee from Shopify had leaked information belonging to around 20,000 customers. This was followed by another attack that year, in which data of approximately 292,000 customers was exposed online.

More recently, Ledger suffered another security breach resulting in the theft of around $600,000 in cryptocurrency after a wallet drainer was inserted into a library utilized by numerous decentralized applications to connect to their devices.