Rule number one is this: Don't email back.
Hardware wallet manufacturer Ledger has been targeted by a series of massive data breaches — and the personal information of thousands of customers is now doing the rounds online.
But last week, it emerged that some of the victims have received frightening messages from extortionists featuring their full name and email address.
A screenshot of the email uploaded on Twitter read: “If I eventually do this, are you able to imagine all the possible consequences that can occur to you and your loved ones?”
“Hornig” demanded 0.3 BTC or 10 ETH (worth $10,871 or $12,350 respectively at the time of writing) — and said Ahmed will be left alone permanently if he pays up. But the email concluded by warning:
“If for any reason you fail to meet my demand within the next 24 hours, I will certainly move forward with my plan and whatever happens next will be on you. I hope you do not ruin every little thing for yourself by making the wrong choice.”
Crypthomie, a Redditor whose father also received a similar email, wrote:
“Don't be fooled people, no one will come to your home to kill you, but this feeling of insecurity is a scandal and Ledger has to do something about it.”
Understandably, many people would panic after receiving such a message — and some would be tempted to reply. But according to official advice from the U.K. National Cyber Security Center, this is a very bad idea.
Here are five things that the NSCS recommend:
Ledger has said that it is making sweeping changes to its security measures following the data theft, and has introduced a bounty fund of 10 BTC for information that will lead to the arrest and prosecution of those responsible for these menacing emails. It has also enlisted the help of Chainalysis as it attempts to track down the wallets used by the scammers.
Their main message is this: whatever you do, don’t share your 24-word recovery phrase with anybody — even if they claim to be from Ledger itself.