Notes on an active crypto phishing campaign impersonating Ledger — a verified Google advertiser buying "ledger" ads pointing at a typosquat that walks you through a fake firmware update and harvests your recovery phrase. Happened with a Colombian IP, googled Has promoted all sorts of things, and has over 900 ads. When filtered by Site expects the seed to be sent first. The Some routes like: return a fake cloudflare Ray ID and IP are totally random and come with the HTML. Random routes return the default apache When you The googlebot user agent also triggers this behavior: When one googles Company appears to be part of They appear to be famous for promoting scams. Medium tradecraft, high impact. The impact is the scary part: the target is the recovery phrase, so a successful capture means instant, irreversible, total loss — nothing like a stolen card you can freeze. The delivery is strong too — abusing a verified Google advertiser with 900+ ads puts the phish at the top of results for high-intent users. The tradecraft is decent but not elite: the fake cloudflare 403, the UA-gated cloaking (googlebot included), the progressive-save exfil, and the accurate reuse of real Ledger features (Shamir, passphrase, per-model flows) are all above baseline. The double seed-entry to reduce typos shows the operator cares about sweep reliability. The hygiene is sloppy though — same-day burner domain, a duplicated “Nano S Plus” in the device list, plain apache with no real CDN. Disposable, run-it-for-a-few-days infra. Net: not the most advanced kit, but verified-advertiser reach + seed-phrase target makes the expected loss per victim far higher than a normal card skimmer. The weakest link isn’t technical — it’s that “verified advertiser” reads as “safe” to exactly the users this funnel is built to drain. PhaaS research: a Ledger seed phishing campaign from a Google ad
PhaaS research
campaign
ledger crypto -ledger.com.
https://www.ledger.com.starts-live.app/185.224.129.208:443 — doesn’t appear to be CFAS62068 - SpectraIP B.V.2026-07-11 (same as found date)2027-07-11https://www.ledger.com/google ads
Ledger.com | Start Now — Ledger one stop solution to manage your portfoliohttps://play.google.comadvertiser
WHATECH MOBILE CO., LIMITEDtrue — has passed the verification process and is a verified advertiser on Google Ads.AR17224474171715616769yesterday there’s a recurring pattern of empty video ads. And ads about mining and bybit have been seen.behavior (from the user perspective)
ledger and this site appears in the ads.https://www.ledger.com.starts-live.app/cont.php, which is a landing page with a start button.Once your Ledger device is successfully connected, please click "Next" to continue & Download — then makes the user wait.New security firmware 2.5.1 — A critical mandatory firmware update is now available. Please update your device.Before performing the update, confirm you have access to your wallet recovery. Choose the type below. → Recovery phrase and Shamir Backup.Recovery phrase option shows a form to enter the 24 | 12 words of the recovery phrase.passphrase (which is a feature of Ledger devices)./pages/ledger-wallet.requests
seed
POST /api.php?progressiveSave= HTTP/1.1
Cookie: PHPSESSID=6inr9h5ubaq4imcbfl1dqi8p3o
Accept: */*
Accept-Language: en-US,en;q=0.6
Content-Type: multipart/form-data; boundary=---011000010111000001101001
Origin: https://www.ledger.com.starts-live.app
Priority: u=1, i
Referer: https://www.ledger.com.starts-live.app/start.php
Sec-Ch-Ua: "Not;A=Brand";v="8", "Chromium";v="150", "Brave";v="150"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36
Sticky_lb_sess_id=p4nqgaev0f; phpsessid=rt6i6a26scoaedtvtffo8e6qv9:
Host: www.ledger.com.starts-live.app
Content-Length: 310
-----011000010111000001101001
Content-Disposition: form-data; name="sessionId"
e5eb-8d48-0c6f-35e4
-----011000010111000001101001
Content-Disposition: form-data; name="seed"
abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
-----011000010111000001101001--passphrase
POST /api.php?progressiveSave= HTTP/1.1
Cookie: PHPSESSID=6inr9h5ubaq4imcbfl1dqi8p3o
Accept: */*
Accept-Language: en-US,en;q=0.6
Content-Type: multipart/form-data; boundary=---011000010111000001101001
Origin: https://www.ledger.com.starts-live.app
Priority: u=1, i
Referer: https://www.ledger.com.starts-live.app/start.php
Sec-Ch-Ua: "Not;A=Brand";v="8", "Chromium";v="150", "Brave";v="150"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36
Cookie: sticky_lb_sess_id=p4nqgaev0f; PHPSESSID=rt6i6a26scoaedtvtffo8e6qv9
Host: www.ledger.com.starts-live.app
Content-Length: 229
-----011000010111000001101001
Content-Disposition: form-data; name="sessionId"
e5eb-8d48-0c6f-35e4
-----011000010111000001101001
Content-Disposition: form-data; name="passphrase"
ashkjk
-----011000010111000001101001--
abandon abandon … about value is the public all-zeros BIP-39 test mnemonic — used here as the sample, not real victim data.endpoints / routes
/ — redirects to google./start.php — starts the social engineering layer with 6 different devices to pick; Stax, Ledger Nano S, Ledger Nano X, Ledger Nano S Plus, Ledger Nano S Plus and Ledger Nano S Plus./cont.php — actual landing, with hrefs to /start.php./robot.txt — Not found (apache default)./config.php — File not found (not default apache).
/.git/.env403 which shows The server understood the request, but access is denied.Not Found though.curl or wget this domain, you get the same fake cloudflare page, however when you add the User-Agent it disappears.Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)Not Found
The requested URL was not found on this server.
Apache Server at www.ledger.com.starts-live.app Port 443company
WHATECH MOBILE CO., LIMITED there are tons of sketchy looking websites.mobisummer — https://www.mobisummer.com/.rating
threat-intel phishing phaas crypto ledger seed-phrase malvertising