Ledger is shadowbanning users who mention their key extraction firmware

In the Ledger sub tonight, a user asked how hardware wallets can be attacked.

This was my reply, which has been shadowbanned by Ledger:

“I understand the ledger holds the private key on the secure chip”

Sadly, that's not true anymore. Ledger wrote API code to extract keys from the device and send them over the internet to Ledger and their partner companies for their Ledger Recover service. In theory, that only happens if you subscribe, but since Ledger's code isn't open, there's no way for any of us to prove what it does or doesn't do.

Don't trust. Verify. Right? Well, you can't verify Ledger's code, so you have to decide whether or not you trust them.

Any hardware wallet can possibly get rogue firmware to extract keys, but Ledger actually put key extraction in their own firmware. I can't trust that.

“You now have an API in your firmware to extract seeds”
https://youtu.be/M3VjQUcyZSY?t=1243

HERE'S A LINK to the user's question. Notice my reply isn't there. Here is a direct link to my reply, which I assume you can see.

The user is asking about how Ledger wallets can be attacked. The fact that his wallet now features key extraction code seems important, especially since he's specifically asking about safety and hacks, but Ledger is shadowbanning anyone who tries to give him that information.

If anybody is working on a class action lawsuit against Ledger, I hope you're keeping track of what they're doing.

This is what Ledger told customers:

“Private data, such as your private keys will be protected and never leave the device due to the combination of BOLOS and the Secure Element.”

https://www.ledger.com/academy/security/our-custom-operating-system-bolos/

Then Ledger wrote firmware to extract keys from our devices and send them over the internet to Ledger and their “partner companies.”

That's fraud.

Ledger can't even promise those companies won't share your seed:

“These companies are not slaves to Ledger. We just have commercial agreement.”

— Ledger CEO Pascal Gauthier
https://youtu.be/M3VjQUcyZSY?t=2393

But if you mention any of this on Ledger's sub, you'll be shadowbanned.

I'll give Ledger's CEO the last word here:

“If, for you, your privacy is of the utmost importance, please do not use our product, for sure.”

50 thoughts on “Ledger is shadowbanning users who mention their key extraction firmware”

  1. So basically they are pushing their firmware update no matter what, and when people complain about it they ban them?

    Wow, that is like a sure way to bankruptcy.

  2. Their image doesn’t get better, what a poor way of public communication they have, it’s really a shame.

  3. When I click on your reply link it shows the post, shows a single comment thread, and shows “wow, such empty”.

  4. I’m spreading my crypto over multiple wallets now, I used to trust ledger with almost all of my portfolio, which was a mistake.

  5. Someone replied to my comment and when I clicked the notification, poof, nothing.
    They are very active on this. Putting their efforts in the wrong direction.

  6. They just hurt themselves more and more as time goes on. Nothing they are doing in the Ledger sub is helping them.

  7. “Fraud” is a bit of a stretch here. Just don’t use their products. What exactly would justify a lawsuit?

  8. So, I’ve turned my head once, and now Ledger is the bad guy? Is it really that bad, or just mildly concerning?

    What are my other options, Trezor is what I see mentioned. Isn’t it just as bad?

  9. Ledger is continuously gaslighting their users.

    If you bought it recently, file a chargeback under false advertising. Worked for some people!

  10. First they got hacked and exposed around 500,000 buyers’ information details, and now this!

  11. Thanks for your informative accurate account of where any ledger owner stands as far as safety and security, no one should be able to shadowban you though mate you speaketh the truth 👊🏼

  12. I’m still with them, but will likely move away now, purely because of the shady shit like this. Short term I don’t think they are a risk, but longer term, they could screw their users as the tech evolves.

    From what I’ve seen they have very little loyalty to existing customers and lack integrity or values, which has clearly filtered down from the CEO. He should be ousted from Ledger.

  13. Still the same question: how could the CEO have allowed such a mistake to be made, one that wiped out the reputation Ledger had built up over the years?

  14. They’ve been pretty tolerant of all the rants in the weeks after the drama started. But there has been a lot of abuse from a few Karens that were spamming their sub.

    Your post history is totally empty, so I wouldn’t be surprised if you’re currently using an alt account to continue your war against Ledger.

  15. Man, Ledger are really shite at open and honest communication with their user base

  16. Muzzling free speech. Way to go, Ledger. Why limit yourself to a single fiasco? Start a cluster.

  17. How tf does someone give this statement and still be CEO?

    That’s a fucking PR shitshow

  18. I was days away from ordering one of these. I will stick with the password protected txt on a usb

  19. Was amazing how fast this product fell out of good graces.
    At least the type of people who got to the step of using a Ledger should be informed enough to know, and able to get their crypto off that device.

  20. The fact that it’s just an API to extract seeds, it makes Ledger a very easy target.

  21. “If, for you, your privacy is of the utmost importance, please do not use our product, for sure.”

    Can someone please explain why he said this? I don’t understand why he would make such a ridiculous statement. I have a ledger Nano X.

  22. OP, your reply is the top reply to that question. I’m not sure what you’re talking about.

  23. Yep, anyone who tries to have a discussion about their new key recovery software is completely shadowbanned.

    Is this not the biggest red flag.

  24. I’m moving away from Ledger and have chosen Keystone over Trezor. Airgapped, open source. All it does is read / present qr codes (of signed transactions). So you don’t even risk a potential malicious firmware update to steal your keys in the future.

  25. It’s not just Ledger mods, but there’s a good chunk of Ledger fans or fake people who are defending this move by Ledger and calling anyone who talks about the key extraction “ignorant” or “overreacting”. These idiots will shoot themselves in the foot and only then realize they are fucked over by the black box Ledger code.

  26. I moved the last of my assets off Ledger yesterday. It wasn’t much, just a few Reddit avatars, but still, I didn’t feel comfortable using them any more.

    It’s quite sad because I’ve been a customer since 2017 and own two devices at the moment.

  27. At what point did ledger start uploading keys to the cloud? Was it a certain software update to the device that enabled this functionality? Was it a ledger live update?

  28. What people seem to not get: hardware wallets will never be trustless.

    Irrespective of how much open source their code is.

    Hardware production is not and will not be trustless any time soon, at least as long as you can’t build it and all its components at home – basically not going to happen, ever.
