Fake Ledger Email
I recently received this email claiming to be from Ledger. I immediately knew it was a scam.

I decided to take a peek at vaultscanner.com just for fun. The site looked like a genuine Ledger site. This site was created with more effort than other scam sites I’ve seen.

I clicked on a random Ledger device and it played a “connecting” animation.

After that I got an error. It’s obviously fake. How can my Ledger data be damaged if I didn’t connect a Ledger device to begin with? I don’t even own one.

And of course, the site then prompts for the recovery phrase.

I checked the browser dev tools to see where this phrase was going. It was getting sent as a query string to /data1.php as a POST request.
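
A defensive take on the observation above, as an added example that is not part of the original post: a proxy- or gateway-side check that flags requests carrying something shaped like a recovery phrase in the query string or form body. The hosts, the parameter name `phrase` and the sample words are constructed, and the check is a shape heuristic generalised to all BIP-39 phrase lengths, not a wordlist lookup.

```python
from urllib.parse import urlsplit, parse_qsl
import re

# Generalised beyond the 24-word case in the post: BIP-39 phrases are
# 12, 15, 18, 21 or 24 words, and English wordlist entries are 3-8 letters.
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}
WORD_RE = re.compile(r"[a-z]{3,8}")


def looks_like_mnemonic(value):
    """Shape heuristic only; a production rule would also check the wordlist."""
    words = value.strip().lower().split()
    return len(words) in MNEMONIC_LENGTHS and all(WORD_RE.fullmatch(w) for w in words)


def find_seed_leaks(url, body=""):
    """Return (location, parameter) pairs whose value is shaped like a recovery phrase."""
    hits = []
    for location, encoded in (("query", urlsplit(url).query), ("body", body)):
        # parse_qsl decodes %20 and '+' so the words are split correctly.
        for name, value in parse_qsl(encoded, keep_blank_values=True):
            if looks_like_mnemonic(value):
                hits.append((location, name))
    return hits


# Constructed sample data: placeholder words, hypothetical hosts and parameter name.
SAMPLE_WORDS = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima "
                "mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray")
SAMPLE_REQUESTS = [
    ("https://phish.example/data1.php?phrase=" + SAMPLE_WORDS.replace(" ", "+"), ""),
    ("https://phish.example/data1.php", "phrase=" + SAMPLE_WORDS.replace(" ", "%20")),
    ("https://shop.example/search?q=how+to+reset+a+ledger+pin", ""),
]

if __name__ == "__main__":
    for url, body in SAMPLE_REQUESTS:
        print(url.split("?")[0], find_seed_leaks(url, body))
```

Because it matches on shape alone, an ordinary 12-word lowercase sentence would also trip it, so treat hits as leads to review rather than verdicts.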

Writing a Python Script
I had an idea to write a quick Python script to send fake data to the scammers. This is something I’ve done in the past to MetaMask scammers: Retaliating Against MetaMask Scammers With Python.
With some quick research, I found that the recovery phrases for Ledger devices are created using the same wordlist that MetaMask uses. I also learned that Ledger recovery phrases are 24 words long. With this information I was ready to start writing a script.
Here’s the script I came up with:
Then I just let it run for a while to give the scammers a ton of fake data.

I hope I made scamming/phishing more difficult for them :)