tl;dr
An investigation by Rekt Builder has uncovered that Ledger Live, the official software for managing Ledger hardware wallets, has been covertly tracking user activities, including installed apps and crypto holdings. Attempts to disable the tracking feature in Ledger Live resulted in the software brea...
An investigation by Rekt Builder has raised concerns about the extent of data collection by Ledger Live, the official software for managing Ledger hardware wallets. The developer claims that Ledger Live tracks every move users make, including the apps they install and the crypto they hold.
Taking to X on December 27, Rekt Builder claims that Ledger Live embeds the genuine check into the app’s listing procedure. As such, it means that whenever you plug in your Ledger device and open Ledger Live, the software checks whether the device is genuine and sends this information to Ledger’s servers. This data includes the device’s serial number, firmware version, and the list of apps installed. Rekt Builder also notes that Ledger Live tracks the crypto balances stored on the device. However, what’s concerning is that all this data is sent to Ledger’s servers. Accordingly, it means Ledger can access a detailed record of its clients’ crypto holdings.
To determine whether Ledger was trailing user activity, the developer attempted to turn off the remote tracking feature in Ledger Live, but this was impossible. Any attempt to disable tracking resulted in the software breaking. This suggests that Ledger had intentionally designed Ledger Live to track user activity.
Rekt Builder’s findings raise serious concerns about the privacy of Ledger hardware wallet users. If Ledger is tracking each move users make, then it is possible that this data could be used to identify users and track their crypto transactions. This can be dangerous because a hack into any of Ledger’s centralized servers can mean malicious agents can control critical data, which can then be used to target individuals with large holdings of Bitcoin and other coins.
By the time of writing, Ledger has not yet responded to Rekt Builder’s allegations. This is not the first time Ledger has been blamed for privacy violations. In 2022, Ledger was accused of collecting data on users’ activity, including the websites they visited and the coins they traded. In July 2023, a security researcher identified a weakness in Ledger’s Node Package Manager (NPM) account. This flaw enabled an attacker to steal user data, including email addresses and purchase history. It is estimated that over 270,000 accounts were likely impacted.
Disclaimer:
This is not financial advice. Please do your own research before investing in any asset.