Phishing campaign targets Ledger users with fake merger announcement
Ledger customers are facing a targeted phishing campaign following a data breach at the company’s e-commerce partner, Global-e. The scam emails claim that Ledger has merged with competitor Trezor, attempting to trick users into revealing their recovery phrases.
According to reports, the phishing emails started circulating shortly after Ledger disclosed the Global-e breach on January 5. The fake communications look professional, complete with branding that mimics official company materials. They tell recipients that the two hardware wallet manufacturers have finalized a merger agreement after months of strategic discussions.
I think what makes this particularly concerning is the timing. The attackers clearly knew when to strike—right after users received legitimate breach notifications from Ledger. That creates a perfect storm of confusion and vulnerability.
How the scam works
The phishing emails contain detailed language about accelerating innovation and expanding product offerings. But the real danger comes in the instructions: users are told to “migrate” their wallets by entering their 24-word recovery phrases on a fake website.
Once someone enters their recovery phrase, the attackers gain complete control over their cryptocurrency holdings. It’s a straightforward but effective attack vector, especially when targeting users who might already be anxious about security after learning about the data breach.
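For mail administrators, the lure described above can be caught with a simple content check. The following is an added example, not code from Ledger or from the original article: it flags messages that ask for a recovery phrase and link to a host outside an allowlist. The allowlist contents, the keyword lists and the sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: the vendor's official domain; extend for your environment.
OFFICIAL_DOMAINS = {"ledger.com"}
SEED = re.compile(r"\b(?:12|24)[- ]word\b|\b(?:recovery|seed|secret)\s+phrase\b", re.I)
ACTION = re.compile(r"\b(?:enter|submit|type|provide|confirm|verify|migrat\w*|import)\b", re.I)
BRANDS = re.compile(r"\b(?:ledger|trezor)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"')\[\]]+", re.I)

def is_official(host):
    """True only for an allowlisted domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def score_email(body):
    """Return (verdict, reasons) for a plain-text email body."""
    hosts = {urlparse(u).hostname or "" for u in URL.findall(body)}
    off_domain = sorted(h for h in hosts if h and not is_official(h))
    # Solicitation = seed wording plus an action verb in the same sentence.
    asks_seed = any(SEED.search(s) and ACTION.search(s)
                    for s in re.split(r"(?<=[.!?])\s+", body))
    reasons = []
    if asks_seed:
        reasons.append("asks for recovery phrase")
    if BRANDS.search(body) and off_domain:
        reasons.append("brand name with non-official link: " + ", ".join(off_domain))
    if asks_seed and off_domain:
        return "block", reasons
    # Seed wording alone also appears in genuine warnings, so only queue it.
    return ("review" if reasons else "pass"), reasons

# Constructed sample messages (not taken from the real campaign).
LURE = ("Ledger and Trezor have finalized a merger. To migrate your wallet, "
        "enter your 24-word recovery phrase at https://wallet-migration.example/start today.")
NOTICE = ("Ledger security notice: our e-commerce partner had a data breach. "
          "We will never ask for your recovery phrase. Details: https://www.ledger.com/blog")
WARNING = "Never enter your recovery phrase on any website."

if __name__ == "__main__":
    for name, msg in (("LURE", LURE), ("NOTICE", NOTICE), ("WARNING", WARNING)):
        print(name, score_email(msg))
```

The suffix check in is_official compares whole domain labels, so a look-alike host that merely starts with the vendor's name is still treated as off-domain.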
Global-e has reportedly launched an internal investigation and is working with cybersecurity experts. The company hasn’t disclosed exactly how many users were affected, but it has confirmed the breach was limited to contact and order information. Ledger has notified data protection authorities and is cooperating with law enforcement.
A recurring security problem
This isn’t Ledger’s first security incident, which perhaps makes the situation more frustrating for users. Back in 2020, attackers accessed Ledger’s e-commerce and marketing databases, exposing personal information of hundreds of thousands of users.
That breach led to phishing emails and threats against affected customers. The company faced criticism for delayed disclosure and inadequate safeguards at the time. A lawsuit was eventually filed against Ledger and their e-commerce platform, Shopify.
Later investigations revealed that a rogue Shopify employee leaked personal details of about 20,000 customers. Then, in a separate incident that same year, data of approximately 292,000 customers was published online.
More recently, Ledger suffered another security incident where about $600,000 in cryptocurrency was stolen. That happened after a wallet drainer was inserted into a library used by multiple decentralized applications to connect to Ledger devices.
The broader implications
What strikes me about this pattern is how third-party vulnerabilities keep creating problems for hardware wallet companies. Even when the core product—the physical device—remains secure, the surrounding infrastructure presents risks.
Users expect hardware wallets to provide maximum security, but these incidents show that the ecosystem around them can be vulnerable. The phishing campaign following the Global-e breach demonstrates how attackers exploit these weak points.
For now, Ledger users should be extra cautious about any emails claiming to be from the company, especially those asking for recovery phrases. Official communications won’t request this information. The company has emphasized this point repeatedly, but perhaps needs to find more effective ways to educate users about these risks.
The situation highlights an ongoing challenge in cryptocurrency security: protecting not just the technology itself, but the entire user experience and supporting infrastructure.
