One of our user got recently scammed on an online merchant site. The user bought a second hand Ledger Nano S which had already been initialized by the individual seller and ended up losing his coins.
When a user receives its Ledger wallet, whether it is a Nano S or Blue, she/he must always initialize first it by following this process:
- Powering on the device
- Generating a pin code by himself/herself
IMPORTANT: no pin code should ever be given to the user by anybody else prior to the initialization
- Reading the 24 words (also called seed words) generated by the device which are showing up on the screen and writing them down one after the other on the recovery sheet
IMPORTANT: this recovery sheet with the 24 words need to be kept private and secure at all time. If the user were to lose it, she/he would lose access to her/his coins.
Once the device has been initialized, the user can then configure it by going to www.ledgerwallet.com/start and choosing the applications she/he would like to use.
We would like to insist on the fact that the documentation of the Ledger wallets does not include any pre-existing seed words or pin code. If a user were to receive a device with seed words or a pin code, the user should not use the device as it is, as it means that the device may have already been used by somebody else. Under these circumstances, the user should first reset the device with new seed words by following this process.
So what happened and how could a user got scammed?
Basically, the individual seller on the online merchant site sold a second hand Ledger Nano S which had already been initialized, and provided the buyer with the device, as well as with the 24 seed words. So the coins managed via the device were accessible not only by the user who bought the device but also by whoever had initialized this device and possessed a copy of the 24 words. This scam unfortunately resulted in significant financial consequences for the user.
As soon as we heard about this story, we promptly posted warnings on our website in order to alert our user base. We also contacted the user who was scammed to provide him with legal advice on how to file a complaint with local authorities in his country. Finally, Ledger is currently considering all legal venues at our disposal to prosecute the scammer to the full extent of the law.
If you were to buy a Ledger wallet and you find out that it has already been initialized, please contact us immediately through our customer support with the reseller information so that we can decide of the opportunity to initiate further legal action.
The individual seller was not an official Ledger reseller, nor was he affiliated to Ledger. Ledger cannot be held responsible for the misuse of a device which has been bought already initialized. The Ledger Nano S remains a secure way to manage cryptocurrencies and has by no mean been hacked.