Ledger keeps tabs on users by monitoring when they activate their hardware wallets and tracking installed applications.
A developer named REKTBuildr raised concerns on X, suggesting that Ledger Live, a popular crypto wallet platform, might be collecting user data. According to REKTBuildr, the tool that verifies the device is part of the issue, and attempts to turn it off were unsuccessful.
REKTBuildr thinks the device might know when users connect their hardware wallets and could track the apps installed. This, in turn, raises questions about how anonymous Ledger Live really is.
The developer suggests that the company offer a choice to activate or deactivate tracking. This would give users the freedom to use fully autonomous devices according to their preferences.
Ledger’s security challenges
On Dec. 14, a hacker replaced the Ledger Connect Kit with a fake version. Fortunately, users’ devices and the Ledger Live app remained secure. The breach resulted from a phishing attack on a former employee, which gave the hacker access to withdraw funds using WalletConnect. Ledger deactivated the scammer’s wallet and removed the malicious file within approximately 5 hours. While the complete extent of the damage was not disclosed, Ledger has taken steps to compensate affected users.
In response, Ledger will return $600,000 to users hit by the hack. They’re also working on better security to prevent this, focusing on a new standard with clear signatures to protect users and improve transparency in decentralized apps.
In Nov., ZachXBT, a crypto analyst, found a fake Ledger Live app on the Microsoft Store, which appeared on Oct. 19. This raised concerns stemming from a previous security issue on June 25, 2020, in which hackers broke into Ledger, putting users’ personal info at risk. In that incident, unauthorized access exposed a list of customers’ names, addresses, and phone numbers through an exploited API key.