This megathread is being created to stop the frontpage from being overrun.

Recently Ledger began launching a feature called Recover, which is an optional feature that backs up your cryptographically split seed phrase for a subscription fee. This requires submitting your identity for setup and completing an identification process for recovery.

The community has voiced many concerns about this, including:

  • Ledger has had a major data breach in the past, so their inclusion as 1 of the 3 shares doesn't inspire confidence.
  • Whether this feature is optional or not, it means code has been added that allows transmission of your seed phrase to the internet. Some do not agree that Ledger could be considered a cold wallet anymore.
  • Parts of the Ledger architecture are not open source. This has not changed with Recover, but big changes in closed source software can raise questions and add trust back into a system that was meant to be trustless.
  • The 3 companies could be subject to hackers or government pressure.
  • Identity and information based verification has weakened over time as data breaches continue to occur. Even the KYC systems allegedly meant to protect you can end up leaking your data.
  • This is confusing to people who have been told to never upload their seed to the internet and (depending on UI) “Ledger will never ask for your seed”. Educating and training people on good security practices in a consistent way is critical.

Please keep in mind that this is a developing story and many details are unknown. As more information comes out, we would be happy to add it here.

Official statements:

  • Ledger Recovery FAQ
  • Twitter Spaces AMA

Reddit posts:

  • PSA: Ledger is officially a hot wallet. It can expose your seed phrase to third parties! (Confirmed on their sub)
  • If you have a Ledger Wallet, be aware of the latest Firmware update 2.2.1
  • Seed phrases should never be exposed on the internet, especially hardware wallet seeds
  • WTF Ledger? This is a disaster waiting to happen… The new Ledger Nano X Firmware introduces an option to let them backup your seed.
  • Ledger CTO official statement – “no backdoor, ledger does not have access to your secret recovery phrase”
  • Hey Ledger, I have a great business opportunity for you.
  • Ledger Confirms Their Hardware Wallets Have A Backdoor To Send A User's Seed To Companies, Over The Internet
  • With the Ledger fiasco — how do companies / whales manage cold wallets
  • I never understood why so many like the ledger and with a recently added “features” it only confirms what I knew.

News articles:

  • Ledger Under Fire for ‘Recover’: A New Cloud-Based Seed Phrase Backup Feature

  1. For a company that says “u should not send ur seed phrase to anyone” to send ur seed phrase to someone is pretty wild

  2. So far the live stream is complete bullshit. The equivalent of the secret key can leave the enclave. This means that malicious firmware can exfiltrate the secret key. This was not meant to be possible. Any other consideration is irrelevant. They lied to us.

  3. The thing is even if this is stopped, this means that there is the physical capabilities to extract the seed.

    Just this alone is a pretty big thing imo. So the cat is really out of the bag

  4. You know things are serious when a megathread gets created.

    Crazy bad publicity for Ledger

  5. CEO on the current AMA:

    > “people are saying this is not what our customers want and it was a mistake but this is what our future customers want. keeping your seed phrase on a piece of paper is a thing of the past and ledger recover is the future”

    They aren’t going to roll this back, they are doubling down and sticking to this misguided decision.

    Trezor here I come

  6. The Twitter call was incredibly patronizing. Apparently we’re all just fucking stupid for not understanding how great this is.

    Please join me in asking for a refund, it’s the only way they’ll get what they just did to their business.


  7. When you think about it, this news is actually a blessing for us Ledger owners. If they never released this news, we would have carried on assuming that the SE chip couldn’t release an encrypted seed phrase.

  8. Biggest issues after reading responses and listening to Twitter live.

    2/3 shards are in jurisdictions that literally cooperate and will seize your shit if they feel like it.
    There won’t be any court order, it will be confiscated instantly, then you can go to court and pray you get it back.

    They are constantly pushing the narrative that “only if you physically push the buttons and you are prompted for consent”
    What if some rogue dev pushes a commit with automated seed extraction or some hacker finds a backdoor, then just extracts?

    Next they are saying that it’s for future users and their response to “what if it gets hacked?”
    Response? “Let’s see”
    What? Is it your money to risk?? “let’s see” my ass

  9. I will be shocked if they don’t reverse this with the universal outrage and attention it’s getting. Either way, RIP brand reputation. Talk about not understanding your customer base.

  10. I guess it’s time for me to look for my old laptop and make it my own cold wallet, there’s nothing to trust anymore.

  11. This whole thing seems to be going over like a fart in church for Ledger. I agree with the idea that they should have created a whole new device offering this service if that’s what people wanted. Those of us who already have ours do not want this…period. This will end up bad for Ledger

  12. The statements by the CEO on the Twitter livestream were completely ridiculous. They are absolutely not going to either back down from this or release firmware that does not support this ability.

    Good luck selling more devices when all the people that have supported you and bought your products are telling all of their friends and relatives to stay clear.

  13. Remember when last year Canada started to freeze and seize funds from custodial wallets, while people with funds in non-custodial wallets were laughing in their face?

    Custodial: https://www.coindesk.com/business/2022/02/22/canadas-osc-warns-crypto-exchanges-not-to-promote-self-custodial-wallets-report/

    Non custodial: https://financialpost.com/fp-finance/cryptocurrency/bitcoin-wallet-nunchuk-scolds-ontario-court-over-order-to-freeze-crypto-assets

    Well, with the latest update, Ledger just became a custodial wallet and governments (and potentially other bad actors) will have the power to steal your funds. Even if they roll back the update, they’ve already lost all trust from the community.

    What they don’t understand is that having a feature in the firmware to send the seed phrase to a computer and their servers goes against everything their whole business was built on. I don’t care how much encrypted it is. They will also hold the encryption keys, so they’ll actually have full access.

    Hopefully more companies will step up adoption, add more cryptos to their Hardware Wallets, and fill the space left by Ledger.

  14. I went to their Twitter and they’re doubling down. They tweeted this: “If you are not comfortable with ID Verification – then you can either choose a different service or you can build your own recover services.”

  15. Everyone on an old Ledger Nano S is fine. Only critical bug updates rolling out after 2.1.0.

    The memory is too small, the chipset is too old for these new features, therefore luckily Ledger can’t fuck up these devices any longer.

    At least it might release some stress for people owning one of those.

  16. I’m just glad FTX takes care of my funds so I don’t have to worry about this

  17. It’s game over for Ledger.

    I listened to their Twitter spaces and they just doubled down:

    – They used so many words to explain that it’s “opt in service”;

    – They used most of the time to explain their procedures;

    – They said that their product is not for people with more than $50k.

    But what they failed to address is the most common question/concern:

    Can Ledger, technically, expose the seed phrase to the device it’s connected to?

    And they fell back on “we don’t do that”, “it doesn’t work like that”, “just don’t opt in”, etc.

    It’s over for Ledger.

  18. “Pitchfork and Flaming Torch NFTs! Come get your Pitchfork and Flaming Torch NFTs!”

  19. Let’s all just accept the elephant in the room with all of this: how the fuck do any of us know what is going on on that (or any device) during any firmware updates? Do you know? Cos I sure as hell don’t, for all I know they could have had this on there from day dot and I wouldn’t know about it. All of this is based on trust at some level. All of it – how do you know Trezor or Ledger don’t send out your seed phrase when you initialise the devices? You simply don’t.

  20. They should have just released a separate device offering this feature. Let people choose that device and others stay out of it. You have to opt in but the concerns of how this can affect all users are legitimate.

  21. Their previous leak put my name, email, AND physical address online. I’m now outed as self custody crypto owner. Big safety issue.

  22. I would like to extend an apology to the 10+ ppl I have recommended buying a ledger over the last few years

  23. I absolutely cannot believe that Ledger thought this was a good idea, as it breaks all of the previous reasoning for using their hardware wallet (cold storage) and introduces KYC directly into the mix for any who opt into this.

    Ledger have lost the plot and gotten blinded by their success, and their aggressively closed-source nature makes it even harder to trust any of their claims.

    Time to get your hammers out and then find a new, open-source, freedom-oriented hardware wallet.

  24. As someone who finally pulled the trigger on a ledger and got serious about self custody this past year, this is upsetting.

  25. I thought the whole point was that nobody else had the seed phrase? I thought the device generated the seed phrase and that was it.

  26. Such a weird decision to make unless you’re setting up your clients to get rugpulled or allowing a government to confiscate their crypto.

  27. Thank you for making Megathreads about major news events. Very much needed and awesome to see in the subreddit

  28. If they don’t backpedal on this feature ASAP, they basically made themselves obsolete as a cold wallet solution.

  29. STM within the Ledger (hardware secure module) is a mini computer. Ledger made an update to the firmware that controls this mini computer, giving it the ability to extract an encrypted copy of the private key out from the secure hardware module. The company is claiming this is not a new attack vector for those who do not subscribe to the opt-in function of Ledger Recover. But how is it not a new attack vector since now we know fragments of private key data can be coaxed out from the STM, by manipulating this firmware capability?

    Ledger claims that you need physical interaction to confirm this activity, how do we trust that a message/transaction that we are signing is not a guised message to do just that?

    For those reasons, we need more clarity and I do not wish to spark panic. Just be aware of this developing area of concern.

  30. just when I finally finish moving everything from exchanges to my ledger this fucking happens

  31. I wonder what happened in that meeting where they discussed this seed backup as a brilliant idea.

    They should fire everybody who was involved.

    Ledger around your neck and now this shit… this is truly a marketing dream team, they better be setting up their resumes for Wendy’s and McDonald’s.

  32. This could become a case study lol, definitely a New Coke moment.

    Putting the fiasco aside, let’s say, “Fine, we could use a recovery system.” Trezor’s Shamir system is the way to do it because at least YOU decide by your own will and parameters how many puzzle pieces you would produce, where they should be stored and how many pieces you need to unlock your seed phrase.

    Ledger, upon introducing the firmware update, made that decision for you involving third parties, effectively strangers.

    Ledger can only fix this by going open source. Broke the trust of your brand again? Remove the need for trust.

  33. The whole point of a Ledger is that it’s fully offline, your seed is never at risk.

    Ledger just made a big RIP next to its name by making this dumb decision.

  34. I vaguely remember in 2017 when researching hardware wallets that there was an exploit with Trezor where hackers could gain access to the seed phrase. So I chose a Ledger and now this.

    So is there any hardware wallet that will ever be safe? Probably not

  35. Is it possible to go after ledger since the product is no longer what it was sold as… I’d really like my money back frankly…

  36. Total shit show going on now. #1 Cryptocurrency Hardware Device has now entered PR hell.

  37. They really dropped the ball on this one and are going to lose a large portion of market share

  38. Having this feature exist is a bigger security risk than any benefit it can offer to offset it. How stupid! If Ledger is taken over by the government or hacked (possibly by an employee) we are all doomed! Why would we risk this by staying on Ledger! I was about to order a few HWs for friends. I will be ordering a HW that has not broken public trust and is open source

  39. So all of us buy a product and then they change the product. Sounds like even wallets can get rugged. What a time to be alive

