Davis Cat

PhaaS research: a Ledger seed phishing campaign from a Google ad

Notes on an active crypto phishing campaign impersonating Ledger — a verified Google advertiser buying "ledger" ads pointing at a typosquat that walks you through a fake firmware update and harvests your recovery phrase.

threat-intel phishing phaas crypto ledger seed-phrase malvertising

PhaaS research

campaign

Happened with a Colombian IP, googled ledger crypto -ledger.com.

  • Domain: https://www.ledger.com.starts-live.app/
  • IP: 185.224.129.208:443 — doesn’t appear to be CF
  • ASN: AS62068 - SpectraIP B.V.
  • Registered On: 2026-07-11 (same as found date)
  • Expires On: 2027-07-11
  • Real: https://www.ledger.com/
  • message: Ledger.com | Start Now — Ledger one stop solution to manage your portfolio
  • url: https://play.google.com

advertiser

  • Name: WHATECH MOBILE CO., LIMITED
  • Verification: true — has passed the verification process and is a verified advertiser on Google Ads.
  • Based: Hong Kong
  • Advertiser id: AR17224474171715616769

Has promoted all sorts of things, and has over 900 ads.

When filtered by yesterday there’s a recurring pattern of empty video ads. And ads about mining and bybit have been seen.

behavior (from the user perspective)

  • googles ledger and this site appears in the ads.
  • clicks.
  • redirected to https://www.ledger.com.starts-live.app/cont.php, which is a landing page with a start button.
  • shows: 6 options (wallet types).
  • shows: Once your Ledger device is successfully connected, please click "Next" to continue & Download — then makes the user wait.
  • shows: New security firmware 2.5.1 — A critical mandatory firmware update is now available. Please update your device.
  • shows: Before performing the update, confirm you have access to your wallet recovery. Choose the type below.Recovery phrase and Shamir Backup.
  • Recovery phrase option shows a form to enter the 24 | 12 words of the recovery phrase.
  • will force you to input the recovery phrase twice.
  • asks you for an optional passphrase (which is a feature of Ledger devices).
  • once the data is submitted, redirects them to /pages/ledger-wallet.

requests

seed

POST /api.php?progressiveSave= HTTP/1.1
Cookie: PHPSESSID=6inr9h5ubaq4imcbfl1dqi8p3o
Accept: */*
Accept-Language: en-US,en;q=0.6
Content-Type: multipart/form-data; boundary=---011000010111000001101001
Origin: https://www.ledger.com.starts-live.app
Priority: u=1, i
Referer: https://www.ledger.com.starts-live.app/start.php
Sec-Ch-Ua: "Not;A=Brand";v="8", "Chromium";v="150", "Brave";v="150"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36
Sticky_lb_sess_id=p4nqgaev0f; phpsessid=rt6i6a26scoaedtvtffo8e6qv9:
Host: www.ledger.com.starts-live.app
Content-Length: 310

-----011000010111000001101001
Content-Disposition: form-data; name="sessionId"

e5eb-8d48-0c6f-35e4
-----011000010111000001101001
Content-Disposition: form-data; name="seed"

abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
-----011000010111000001101001--

passphrase

POST /api.php?progressiveSave= HTTP/1.1
Cookie: PHPSESSID=6inr9h5ubaq4imcbfl1dqi8p3o
Accept: */*
Accept-Language: en-US,en;q=0.6
Content-Type: multipart/form-data; boundary=---011000010111000001101001
Origin: https://www.ledger.com.starts-live.app
Priority: u=1, i
Referer: https://www.ledger.com.starts-live.app/start.php
Sec-Ch-Ua: "Not;A=Brand";v="8", "Chromium";v="150", "Brave";v="150"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Sec-Gpc: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/150.0.0.0 Safari/537.36
Cookie: sticky_lb_sess_id=p4nqgaev0f; PHPSESSID=rt6i6a26scoaedtvtffo8e6qv9
Host: www.ledger.com.starts-live.app
Content-Length: 229

-----011000010111000001101001
Content-Disposition: form-data; name="sessionId"

e5eb-8d48-0c6f-35e4
-----011000010111000001101001
Content-Disposition: form-data; name="passphrase"

ashkjk
-----011000010111000001101001--

Site expects the seed to be sent first.

The abandon abandon … about value is the public all-zeros BIP-39 test mnemonic — used here as the sample, not real victim data.

endpoints / routes

  • / — redirects to google.
  • /start.php — starts the social engineering layer with 6 different devices to pick; Stax, Ledger Nano S, Ledger Nano X, Ledger Nano S Plus, Ledger Nano S Plus and Ledger Nano S Plus.
  • /cont.php — actual landing, with hrefs to /start.php.
  • /robot.txt — Not found (apache default).
  • /config.phpFile not found (not default apache).

Some routes like:

  • /.git
  • /.env

return a fake cloudflare 403 which shows The server understood the request, but access is denied.

Ray ID and IP are totally random and come with the HTML.

Random routes return the default apache Not Found though.

When you curl or wget this domain, you get the same fake cloudflare page, however when you add the User-Agent it disappears.

The googlebot user agent also triggers this behavior: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

Not Found
The requested URL was not found on this server.

Apache Server at www.ledger.com.starts-live.app Port 443

company

When one googles WHATECH MOBILE CO., LIMITED there are tons of sketchy looking websites.

Company appears to be part of mobisummerhttps://www.mobisummer.com/.

They appear to be famous for promoting scams.

rating

Medium tradecraft, high impact.

The impact is the scary part: the target is the recovery phrase, so a successful capture means instant, irreversible, total loss — nothing like a stolen card you can freeze. The delivery is strong too — abusing a verified Google advertiser with 900+ ads puts the phish at the top of results for high-intent users.

The tradecraft is decent but not elite: the fake cloudflare 403, the UA-gated cloaking (googlebot included), the progressive-save exfil, and the accurate reuse of real Ledger features (Shamir, passphrase, per-model flows) are all above baseline. The double seed-entry to reduce typos shows the operator cares about sweep reliability.

The hygiene is sloppy though — same-day burner domain, a duplicated “Nano S Plus” in the device list, plain apache with no real CDN. Disposable, run-it-for-a-few-days infra.

Net: not the most advanced kit, but verified-advertiser reach + seed-phrase target makes the expected loss per victim far higher than a normal card skimmer. The weakest link isn’t technical — it’s that “verified advertiser” reads as “safe” to exactly the users this funnel is built to drain.