A new phishing campaign is targeting Ledger users, following a data breach at Global-e, a third-party e-commerce provider used by the hardware wallet company. Attackers use stolen order information to send personalized scam emails impersonating Ledger and falsely mentioning a merger with rival manufacturer Trezor.
In brief
- Hackers leveraged leaked Global-e order data to send personalized phishing emails pretending to be Ledger support teams.
- The scam messages falsely claim a merger between Ledger and Trezor and trick users into “securing” their wallets via malicious links.
- Fake websites copy Ledger's branding and request the 24-word recovery phrases, giving attackers direct access to wallets.
- The incident follows previous data leaks at Ledger, despite a marked decline in overall crypto phishing losses in 2025.
Global-e leak exploited to target Ledger customers
Ledger has confirmed that Global-e recently suffered a security breach affecting its customers' data. The information exposed includes names, email addresses, phone numbers and order details. Shortly after this disclosure, users began reporting phishing emails imitating official communications. Screenshots are already circulating on X.
These messages urge recipients to protect their assets in response to an alleged merger. The links redirect to fake sites mimicking those of Ledger, which trick people into entering their 24-word recovery phrase – giving hackers full access to the funds.
This targeted email phishing relies on real order data, making messages difficult to detect. References to products or purchase dates reinforce their credibility.
The campaign features several recurring patterns:
- False announcement of Ledger–Trezor merger
- Use of real personal information
- Encouragement to migrate wallets via external links
- Fake sites imitating Ledger interface
- Explicit request for recovery phrase
Global-e said it had opened an internal investigation and is cooperating with cybersecurity companies to assess the extent of the leak. No financial data would have been compromised, the incident being limited to contact and order data. The number of customers affected has not been communicated.
Ledger, for his part, reported the incident to the relevant authorities and is working with law enforcement. The company recalls that it never ask recovery phrase or private key.
Precedents at Ledger, but an overall downward trend
This new incident is in addition to several security breaches that have affected Ledger in the past. In 2020, a massive leak exposed the personal data of hundreds of thousands of users, including email addresses, phone numbers and postal addresses. Victims had reported a wave of phishing and intimidation attempts.
The same year, an investigation revealed that a former Shopify employee had leaked the data of nearly 20,000 customers. Later, another leak led to the publication of information regarding around 292,000 users.
More recently, an attack leveraging malicious code injected into a shared library emptied some wallets connected via decentralized applications. Approximately $600,000 was stolen.
Despite these incidents, phishing losses have dropped significantly. In 2025, they amount to $83.85 million, a decrease of 83% compared to the previous year. Losses are more frequent during peaks of market activity: the largest attack recorded this year, in September, caused damage of $6.5 million via permit signing abuse.
Maximize your Tremplin.io experience with our 'Read to Earn' program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.
