Hardware wallet manufacturer Ledger has been targeted by a series of massive data breaches — and the personal information of thousands of customers is now doing the rounds online.
But last week, it emerged that some of the victims have received frightening messages from extortionists featuring their full name and email address.
Saleh Ahmed was one of those affected, and an attacker going by the name of Denni Hornig threatened that he was prepared to share all this information with neighborhood thieves.
A screenshot of the email uploaded on Twitter read: “If I eventually do this, are you able to imagine all the possible consequences that can occur to you and your loved ones?”
“Hornig” demanded 0.3 BTC or 10 ETH (worth $10,871 or $12,350 respectively at the time of writing) — and said Ahmed will be left alone permanently if he pays up. But the email concluded by warning:
“If for any reason you fail to meet my demand within the next 24 hours, I will certainly move forward with my plan and whatever happens next will be on you. I hope you do not ruin every little thing for yourself by making the wrong choice.”
Crypthomie, a Redditor whose father also received a similar email, wrote:
“Don't be fooled people, no one will come to your home to kill you, but this feeling of insecurity is a scandal and Ledger has to do something about it.”
Understandably, many people would panic after receiving such a message — and some would be tempted to reply. But according to official advice from the U.K. National Cyber Security Center, this is a very bad idea.
Here are five things that the NSCS recommend:
1. Don’t communicate with the criminal. You are advised not to engage or respond to the email, as this could make the fraudster realize that they have found a willing victim. In many cases, these emails are sent to hundreds, if not thousands, of people in the hope of a reply.
2. Don’t pay the ransom. Unfortunately, paying up means that the problem is unlikely to go away, as they’ll simply target you for even more scams in the future.
3. Check If your accounts have been compromised. Websites such as www.haveibeenpwned.com can tell you if your personal information has been exposed through data breaches in the past.
4. Change your passwords regularly. Even if you haven’t been affected by a breach, it’s a good idea to get into the habit of changing passwords frequently — and using different passwords for every site you use. Yes, it’s a pain, but it helps in the long run.
5. Contact your local cybercrime authority. Forwarding emails to these teams can allow them to investigate further, and you should definitely get in touch if you’ve already paid the ransom.
Ledger has said that it is making sweeping changes to its security measures following the data theft, and has introduced a bounty fund of 10 BTC for information that will lead to the arrest and prosecution of those responsible for these menacing emails. It has also enlisted the help of Chainalysis as it attempts to track down the wallets used by the scammers.
Their main message is this: whatever you do, don’t share your 24-word recovery phrase with anybody — even if they claim to be from Ledger itself.
Subscribe To Our Newsletter!
Sign up to the free CoinMarketCap newsletter for top stories, analysis and market activity — delivered to your inbox every weekday.