⚠ NEVER buy a Ledger hardware wallet from a 3rd party source like Ebay or Amazon or anywhere else

Hi,
Although the date for Daedalus integration with the Ledger Nano S is not yet known, release is imminent, possibly in a few months. Be aware of scams involving the Ledger Nano. My suggestion is to only buy a Ledger from the manufacturer.

NEVER buy a Ledger from any 3rd party source. The 3rd party (man in the middle attack?) may set up the Ledger and record the seed. Then when you buy it, if the Ledger is not reset, they will steal all your funds. Even if the Ledger is reset, there are clever scammers out there. This article below is only 1 example. Thank you Phong T for the link.

Ledger scam steals peoples money

11 Likes

@Bullish, I think we need this post highlighted. This is of utmost importance.

UPD: Rick, I have added :warning: to the title, hope it’s not a problem =)

4 Likes

Thank you Ruslan! You always have good ideas. I did not know a post could be annotated as such.

Thank you for the really important post! :+1:

1 Like

Get a room you two! Jk… great post!

3 Likes

Thank you very much for this info!!

2 Likes

My understanding also has the possibility of piggybacking a chip on it. Nano even recommended ppl look inside. This was a year or so ago.

1 Like

From Ledger nano S:

“Reminder: our hardware wallets are always delivered empty without any seed. Never use a pre-seeded device. If you do receive a scratch card with 24 words, please contact us! Wiping the device and upgrading the firmware makes then the Nano S perfectly safe to use.”

Even buying a device directly from the manufacturer, somebody could still intercept and tamper with the package. Therefore, I’d wipe the device and regenerate the seed no matter who I purchased it from. I believe, but would be interested in a definitive answer, that the Ledger Nano hardware is tamper proof, so that the hardware itself cannot be attacked.

2 Likes

I agree nobody should buy a used hardware wallet but see no problem buying a new one via Amazon. They do not come pre-seeded. The seed is generated by the owner. The infamous scam involved a used one purchased on Ebay. The thief generated a seed and included a scratch off card with the device. The purchaser used the same seed provided by the thief and lost his savings.
The man in the middle attack uses JavaScript on the computer and can happen no matter where or how you purchase a Nano. As long as you verify the receiving address on the device then you are OK.
I prefer Trezor but oh well.

1 Like

That’s inaccurate advice:

  • You could pick up a Ledger found on the street and use it safely, after you have verified that it’s genuine, using Ledger’s official guide. Edit: Buying from official retailers reduces chance of tampering and is recommended by Ledger, so it’s best to do that: https://www.ledger.com/pages/retailers
  • You could order one from the official store, then have it replaced during delivery and receive a compromised device, e.g. the attacker can pre-configure a secret key and thus be able to spend the funds on it using a different device.
  • In conclusion, it’s not where you buy it from, it’s that you should verify the device before using it, using the guide linked above.

4 Likes

Hi @hayamoto_jr
Are you certain of your statements above? Do you have proof? Are you willing to put your life savings (literally or not) on the line with a 3rd party handled device? Because that is what you would be doing or stating others may do safely. The reason I ask is because Ledger (and others) have said ‘Our devices are hack proof’ only to find out later that their devices can be hacked. Example. If a 15 year old can hack a Ledger imagine what the pro bad guys can do. I likely read the same articles you may have read that say a 3rd party Ledger is safe, but I don’t want to find out the hard way.

Granted the Ledger is very difficult to hack, but still it got hacked beyond the imagination of the manufacturer. Every time I use my Ledger Nano I have to place trust and assume that Ledger did their due diligence and I do not want to add another agent in the loop personally. I am OK with trusting Ledger because they provide some guarantees and limited loss recovery if their products fail.

Let me give you another example. Let’s say I am walking down the street and I find a used condom lying on the sidewalk. So I pick it up, take it home, and run it through the dishwasher to sanitize it. Then I fill the condom with a liter of milk to make sure it has no leaks. If all goes well then I can go ahead and re-use said third party condom with no worries. But is it really a good idea to do that?

Plus, your advice is missing a step. If someone were to find a Ledger on the street they would have to:

  1. Run the device reset procedure FIRST. This is an absolute must. Otherwise a third party still has the word seeds.
  2. Then run the “verified that it’s genuine” procedure you posted (Ledger’s official guide).

So your comments are fair enough, be careful if you comment on security that you avoid security holes, and thank you for the inputs.

2 Likes

You’re right, I would also buy a device from the official stores only, to reduce chance of sophisticated attacks, which is what the guide recommends too. Even so, all scamming to date could have been avoided if people simply followed the guide.

The guide mentions that you should initialize the device yourself.

2 Likes

Yes, you are correct and good thing to point that out. The official guide does appear to cover all aspects of security.

1 Like

Your condom analogy is really bad and a bit sensationalist. A dishwasher might not kill a myriad of STDs.

Haha, this sentence makes the analogy pretty funny. Thanks.

Oh and update on this post. I ordered a second Ledger in July and they now send the Ledger by certified mail, in a sealed package, requiring signature to receive. So Ledger learned their lesson; never tempt or tease a hacker on broadcast media.

Which official retailer did you order it from?

1 Like

The Ledger web page https://www.ledger.com/products/ledger-nano-s

I would like to get one of those tablets too, but I am waiting for them to come out with a mobile app so I can use it on my iPad.

1 Like