Why Ledger users specifically

The original breach happened in July 2020. A misconfigured Shopify CDN endpoint exposed Ledger's customer e-commerce database, and attackers pulled down roughly 270,000 full customer records plus about 1 million email addresses. The leaked fields were not just emails. They included first and last names, postal addresses, and phone numbers. Six months later, the full dataset was dumped publicly on a hacking forum, which means any scammer with basic Google skills has had free access to it since 2020.

That leak created a permanent target list. Every person in that file is known to own a hardware wallet. Known to have spent 80 to 400 dollars on one. Known to therefore almost certainly hold some amount of cryptocurrency. From a phishing economics standpoint, this is the single highest quality target list in the industry. Random spray-and-pray phishing gets response rates near zero. Phishing a list where every person owns crypto gets response rates that actually work.

Chainalysis and community trackers have estimated cumulative losses from Ledger-themed phishing at north of 200 million dollars since 2020, with individual incidents ranging from a few thousand dollars to single wallets drained for over 2 million. The campaigns rotate templates every few months but the target list never changes. If you were on it in 2020, you are still on it in 2026.

The current 2026 email template

The 2026 wave of fake Ledger emails looks cleaner than the 2021 and 2022 batches. The English is better, the HTML rendering is pixel-matched to Ledger's real templates, and the urgency framing has shifted away from "data breach notice" toward "routine firmware verification". Here is the redacted shape of a typical one currently in circulation:

Redacted example (do not replicate):
  • From: Ledger Support <support@ledger-verify[.]com>
  • Subject: Action required: Verify your Ledger device before April 30
  • Body opening: "As part of our April security audit, all Ledger Nano S Plus and Nano X devices must complete a one-time firmware verification. Devices not verified by April 30 will lose access to Ledger Live."
  • Body middle: "A recent security vulnerability (CVE-2026-XXXX) requires us to re-sync your recovery information. This takes under 2 minutes."
  • CTA button: "Verify my device" linking to ledger-live-update[.]com or ledger-start[.]io
  • Footer: Real Ledger address in Paris, real-looking unsubscribe link, real-looking support number.

The professionalism is the trap. Everything visual is correct. The logos, the typography, the copyright footer, even the CAN-SPAM unsubscribe link. The only things wrong are the sender domain and the destination URL, and both of those are engineered to look like they belong at a quick glance. Someone checking email on a phone at 7am has almost no chance of spotting the difference without a browser-side warning.

The 4 red flags in every fake Ledger email

No matter how the template evolves, these four signals appear in every single fake. If you see any one of them, the email is phishing, full stop.

  1. Sender domain is anything other than @ledger.com or @ledger.fr. Legitimate Ledger email always comes from one of those two domains. Not ledger-support.com, not ledger-verify.com, not support.ledger.io, not noreply@ledger-security.net. If the domain has any suffix, prefix, hyphen, or alternative TLD attached to the word "ledger", it is not Ledger. Check the actual address inside the angle brackets, not the display name: "Ledger Support" is free text that any sender can set.
  2. Urgency around "device verification" or "firmware update via email". Ledger firmware updates happen inside the Ledger Live desktop or mobile app, on your own schedule, with zero email involvement. Ledger does not email you a deadline to update. Any message that says "verify before [date] or lose access" is manufactured urgency designed to bypass your judgment.
  3. Link destination is anything other than ledger.com or shop.ledger.com. Hover over the button before you click and look at the actual URL in the status bar; on a phone, long-press the link to preview its destination instead. If it is not ledger.com or shop.ledger.com, close the email. Common doppelgangers include ledger-live-update, ledgerhq-verify, ledger-start, ledger-com-auth, and dozens of variants that swap letters or add dashes.
  4. The flow eventually asks you to "verify" or "enter" your 24-word recovery phrase. This is the kill shot. The whole point of the email is to funnel you to a page that asks for your seed phrase. No matter how sophisticated the landing page looks, once it asks for 12 or 24 words, you are being robbed.
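These four checks can be applied mechanically to a raw message. The script below is an added example written for this article, not code from Ledger or from SafeBrowz: it parses an email, applies red flags 1 through 4 to the sender domain, the link destinations and the wording, and returns the list of flags it found. The two sample messages are constructed for illustration, the keyword patterns are assumptions rather than any vendor's detection rules, and the link check accepts any host under ledger.com, which is slightly broader than the two hosts named above (only Ledger can create those subdomains).

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Red flag 1: the only sender domains the article treats as legitimate.
LEGIT_SENDER_DOMAINS = {"ledger.com", "ledger.fr"}
# Red flag 3: link hosts must be ledger.com or a subdomain of it
# (assumption: any *.ledger.com is accepted, which covers shop.ledger.com).
LEGIT_LINK_ROOT = "ledger.com"
# Red flag 2: deadline / "verify your device" wording (constructed patterns).
URGENCY_PATTERNS = [
    r"\bverify (?:your|my) (?:ledger )?device\b",
    r"\bfirmware verification\b",
    r"\b(?:before|by) [a-z]+ \d{1,2}\b",  # e.g. "before April 30"
    r"\blose access\b",
]
# Red flag 4: any reference to the recovery phrase (constructed patterns).
SEED_PATTERNS = [
    r"\brecovery (?:phrase|information|words)\b",
    r"\b(?:12|24)[- ]word",
    r"\bseed phrase\b",
]


class _LinkExtractor(HTMLParser):
    """Collect every href from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value)


def sender_domain(from_header):
    """Domain of the real address in From:, ignoring the display name."""
    addr = parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def link_host(url):
    """Hostname a link really points at (userinfo like ledger.com@evil is dropped)."""
    return (urlparse(url).hostname or "").lower()


def is_legit_link_host(host):
    return host == LEGIT_LINK_ROOT or host.endswith("." + LEGIT_LINK_ROOT)


def analyze_message(raw):
    """Return the list of red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    dom = sender_domain(msg.get("From", ""))
    if dom not in LEGIT_SENDER_DOMAINS:
        flags.append(f"sender domain '{dom}' is not ledger.com or ledger.fr")
    text, links = msg.get("Subject", "") + "\n", []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            extractor = _LinkExtractor()
            extractor.feed(html)
            links.extend(extractor.links)
            text += re.sub(r"<[^>]+>", " ", html)  # crude tag strip for keyword checks
        elif ctype == "text/plain":
            text += part.get_content()
    for url in links:
        host = link_host(url)
        if host and not is_legit_link_host(host):
            flags.append(f"link points to '{host}', not ledger.com")
    if any(re.search(p, text, re.I) for p in URGENCY_PATTERNS):
        flags.append("deadline or 'verify your device' urgency in the text")
    if any(re.search(p, text, re.I) for p in SEED_PATTERNS):
        flags.append("text refers to the recovery phrase or seed words")
    return flags


# Constructed sample shaped like the redacted template above; not a real message.
SAMPLE_PHISH = """\
From: Ledger Support <support@ledger-verify.com>
Subject: Action required: Verify your Ledger device before April 30
Content-Type: text/html; charset="utf-8"

<html><body><p>All devices must complete a one-time firmware verification.
Devices not verified by April 30 will lose access to Ledger Live.</p>
<p>We must re-sync your recovery information.</p>
<a href="https://ledger-live-update.com/verify">Verify my device</a></body></html>
"""
# Constructed benign sample: real sender domain, link under ledger.com, no seed talk.
SAMPLE_LEGIT = """\
From: Ledger <noreply@ledger.com>
Subject: Your order has shipped
Content-Type: text/html; charset="utf-8"

<html><body><p>Track it at <a href="https://shop.ledger.com/account">your account</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze_message(raw) or ["no red flags"])
```

The constructed phishing sample trips all four flags and the benign one trips none. A mail filter that routes any message with at least one flag into a manually reviewed folder is the practical form of the "quarantine every Ledger message" advice later in this article; the keyword lists are the part that needs tuning over time, the domain and host checks do not.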

The fake "Ledger Live Update" page that steals your seed

If you click the link, you land on a near-perfect clone of Ledger Live's onboarding screen. The branding is exact. The animated device illustration is the real one, pulled from Ledger's own CDN. The URL bar shows ledger-live-update.com or similar, which to a tired user reads as "oh, this is the update page".

The page walks you through two or three steps of fake "verification". It might ask you to plug in your device (to build trust). It might show a fake loading spinner with "Checking firmware signature...". Then comes the real payload: a screen that says your device needs to "re-sync" with Ledger Live and asks you to enter your 24 recovery words to continue.

The real Ledger Live application never asks for your recovery phrase. Not during setup, not during updates, not during transactions, not during anything. A recovery phrase is entered on the physical device itself, during initial setup, and only that once. That is the only time those words should ever be typed anywhere.

The moment you enter your 24 words into that fake page, a drainer script on the attacker's server derives every wallet address from your seed and sweeps them in parallel. Bitcoin, Ethereum, Solana, Polygon, Arbitrum, Base, every chain your seed controls. The drain usually completes within 30 to 90 seconds. If you realize mid-entry and stop, assume the partial seed is already in their hands because the page streams each word as you type it.

Why Ledger will NEVER email you asking for your seed

This is the single rule that kills every Ledger phishing attempt at the source. Ledger the company does not know your recovery phrase and cannot know it. The 24 words are generated by the secure element chip inside your physical device during the first setup. They are displayed once on the device screen. They are never transmitted to Ledger's servers, never backed up to the cloud, never associated with your account, never logged anywhere.

This is the entire security model of a hardware wallet. The seed lives on the chip, operations are signed on the chip, and the outside world, including Ledger itself, never sees the seed. There is no support agent who can ask for it to "help you". There is no automated system that needs it to "verify your device". There is no firmware update that requires it to "re-sync".

If anything, anywhere, ever, asks you to type your recovery phrase into a computer, phone, website, email reply, chat bot, support ticket, or form of any kind, it is an attacker. This rule has zero exceptions.

What to do if you already entered your seed

If you have already typed your 24 words into a webpage, assume the worst and move fast. Every minute matters because drainers are automated and your funds may already be moving.

  1. Assume the device is fully compromised. The seed is out. Your device itself is fine hardware, but the secret it holds is no longer secret. Do not send any new funds to any address derived from that seed.
  2. Immediately move all funds to a new wallet with a fresh seed. Use a different, known-clean device, or set up a new Ledger with a brand new 24 words. Race the drainer. Send everything out of the compromised addresses to the new ones. Start with the highest-value chain first.
  3. Factory reset the compromised device and generate a completely new seed. Once funds are moved, wipe the old device via Settings and go through fresh setup. The new seed must never have touched the internet.
  4. If funds are already drained, follow our seed phrase stolen rescue guide. It covers Etherscan tracing, reporting to Chainalysis, exchange freeze requests, and what realistic recovery odds look like.
  5. Check every chain, not just Ethereum. Scammers drain everywhere. Look at Bitcoin, Ethereum, Solana, Polygon, Arbitrum, Optimism, Base, BNB Chain, Avalanche, Cosmos, and any Layer 2 you have ever used. A wallet that looks empty on Etherscan may still have meaningful funds on a chain you forgot about.

Protecting yourself from Ledger-targeted phishing going forward

Because your email is on the leaked list permanently, the phishing will not stop. Your defense strategy has to be behavioral, not reactive.

  • Only install Ledger Live from ledger.com directly. Never from a search engine result, never from an ad, never from a link in an email. Search ads for "ledger live download" are routinely purchased by scammers and the top result is sometimes a fake.
  • Bookmark ledger.com/start and use the bookmark every single time. Muscle memory beats vigilance.
  • Turn off automatic image loading in your email client. Phishing emails use tracking pixels to know which addresses on the leaked list are active.
  • Use an email alias dedicated to crypto services. Apple Hide My Email, Firefox Relay, SimpleLogin, Addy.io all work. Never expose your primary email to exchanges, wallets, or on-chain services.
  • For every Ledger email: verify sender, do not click, open ledger.com manually. If the claim in the email is real, you will find the same notice in your Ledger Live app or on the official blog.
  • Install a browser-level phishing shield. SafeBrowz checks every page you visit against 420+ known-impersonated brands including Ledger, plus AI content analysis in 100+ languages that catches new fake Ledger Live variants before they show up on static blocklists. We also publish a ClickFix protection guide covering the fake-CAPTCHA variant of the same attack.

The 2020 database leak: what to do if your email was on it

If you bought a Ledger device before July 2020, your data is almost certainly in the public dump. Treat this as a permanent condition, not something you can remediate.

  • Check haveibeenpwned.com. The Ledger breach is indexed there. Enter the email you used at Ledger checkout to confirm.
  • Consider migrating to a new email alias for all crypto services. The old address is burned. Even if you clean your inbox today, the phishing will continue forever because your address is in a file that has been copied thousands of times.
  • Expect phishing attempts indefinitely. There is no "mark as spam" volume that will eventually stop the flood. Different scammers rent the list from each other. Set up filters that quarantine any message containing "Ledger" to a folder you review manually.
  • Treat every Ledger-branded email as hostile by default. Even if it looks real. Even if the sender looks right. Even if the timing matches something you were expecting. The safe response to any Ledger email is always: close email, open browser, type ledger.com, check from there.

For a broader framework on spotting fake websites across any brand, not just Ledger, see our guide on how to tell if a website is a scam.