Introduction
Cybercriminals are exploiting a recent data breach at Ledger’s e-commerce partner Global-e by launching a sophisticated phishing campaign. The scam falsely announces a merger between hardware wallet giants Ledger and Trezor to trick users into surrendering their recovery phrases. This incident highlights ongoing security challenges in the cryptocurrency storage industry and marks another security setback for Ledger, which has faced multiple breaches since 2020.
Key Points
- Phishing campaign exploits actual Global-e data breach to lend credibility to fake Ledger-Trezor merger announcement
- Attackers created sophisticated fake website mimicking official branding to harvest wallet recovery phrases
- This represents the latest in a series of Ledger security incidents dating back to the 2020 data breaches, which affected hundreds of thousands of users
Anatomy of a Sophisticated Phishing Attack
The phishing campaign, which began circulating shortly after January 5, leverages the credibility of an actual security incident. On that date, Ledger disclosed to customers that its third-party e-commerce partner, Global-e, had suffered a data breach. The breach exposed customer information including names, email addresses, phone numbers, and order details. Attackers used this legitimate breach information to craft highly convincing phishing emails falsely announcing a strategic merger between Ledger and Trezor.
The fraudulent communications, screenshots of which were shared on social media platform X, contained detailed corporate language. “We are pleased to announce that after months of strategic discussions, Ledger and Trezor have finalized a merger agreement,” the message read, claiming the partnership would “unite two industry leaders” to accelerate innovation and expand product offerings. The sophisticated nature of the scam extended to a fake website designed to mimic official Ledger and Trezor branding, where users were instructed to “migrate” their wallets by entering their 24-word recovery phrases—the cryptographic keys to their cryptocurrency holdings.
Response and Investigation Underway
In response to the attack, Global-e has launched an internal investigation into the original data breach and is working with cybersecurity experts to assess the incident’s full scope. The company confirmed the breach was limited to contact and order information but has not disclosed the exact number of affected users. Meanwhile, Ledger has reportedly notified relevant data protection authorities and is cooperating with law enforcement agencies regarding the phishing campaign.
The incident underscores the critical vulnerability created by third-party vendor relationships in the cryptocurrency ecosystem. While hardware wallets like those from Ledger and Trezor are marketed as secure solutions for storing digital assets like Bitcoin (BTC) and Ethereum (ETH), their dependence on e-commerce and marketing partners creates potential attack vectors. The breach at Global-e provided attackers with precisely the verified, context-rich data needed to make their phishing attempts appear authentic to concerned customers.
A Troubled History of Security Incidents
This latest episode continues a troubling pattern of security incidents for Ledger. In 2020, attackers accessed the company’s e-commerce and marketing databases, exposing the personal information of hundreds of thousands of users. The disclosed data included email addresses, names, phone numbers, and physical addresses, leading to widespread phishing campaigns and threats against affected customers. The company faced significant public criticism for its delayed disclosure and inadequate safeguards, resulting in a formal lawsuit being filed against both Ledger and its e-commerce platform provider, Shopify.
Ledger later confirmed that a rogue Shopify employee was responsible for leaking the personal details of approximately 20,000 customers. This was followed by a separate attack later that same year, in which the data of about 292,000 customers was published online. More recently, the firm suffered another security incident resulting in the theft of approximately $600,000 in cryptocurrency after a wallet drainer was inserted into a library used by multiple decentralized applications to connect to Ledger devices.
The recurring nature of these breaches—spanning direct database compromises, third-party vendor failures, and supply chain attacks—raises serious questions about the security posture of a company whose core product promise is asset protection. Each incident has eroded user trust and provided cybercriminals with fresh ammunition for social engineering attacks, as demonstrated by the current fake merger phishing campaign exploiting the Global-e breach.
📎 Related coverage from: cryptopotato.com
