Fake Ledger Live Chrome Extension Stole 1.4M XRP, Researchers Claim — Crypto XEGA – كريبتو زيجا (@CryptoXega) March 25, 2020
On March 24, the research team “xrplorer forensics” reported that fake Ledger Live browser extensions are being used to collect users’ backup passphrases:
“They are advertised in Google searches and use Google Docs for collecting data. Accounts are being emptied and we have seen more than 200K XRP being stolen the past month alone.”
However, xrplorer forensics later revised this initial figure, amending its estimate to “close to 1.4M.”
According to the researchers, most of the stolen XRP appears to still be held in accounts, with a proportion cashed out via the crypto exchange HitBTC.
We were a bit quick to add a 200K XRP figure to this. It is close to 1.4M. — xrplorer forensics (@xrpforensics) March 24, 2020
Sharing a screenshot of a POST request made by the alleged scam extension, xrplorer forensics warned the community against downloading tools for their hardware wallets from any developer other than the vendor directly, in this case the French crypto hardware wallet manufacturer Ledger.
As of press time, two “Ledger Live” extensions appear on the Google Store for the Chrome browser, both of which include multiple user reviews that appear to corroborate xrplorer forensics’ warnings against the scam.
Likewise, in a series of parallel tweets between March 20 and March 25, xrplorer forensics claimed that close to 300 million XRP currently residing in XRP accounts is flagged as fraudulent.
Close to 300 million XRP is currently residing in XRP accounts, flagged as fraudulent, according to @xrpforensics. The vast majority are remaining funds from the PlusToken exit, but 13M comes from other thefts and scams. — xrplorer (@xrplorer) March 23, 2020
They claim that the vast majority of it comes from the PlusToken exit scam; by their estimate, a further 13 million XRP derives from other thefts and scams.
In a tweet yesterday (March 25), addressed to crypto exchange bithunter.io, the researchers asked why AML (anti-money-laundering) alerts were not observed for a series of large and allegedly suspicious transactions. They contend that one-third of all XRP bithunter has received is from suspect accounts on their advisory list.
We've been trying to warn https://t.co/Cax6lIioVg about incoming funds from frauds and scams, but without response. One-third of all XRP they've received is from accounts in our advisory list. — xrplorer forensics (@xrpforensics) March 24, 2020
As of March 20, the researchers said that they had been noticing a “consolidation of funds from various scams happening right now,” appealing to exchanges to stay alert to the nature of incoming payments.
At the start of this month, Ledger had itself cautioned its users against the fake Ledger Live extension, first discovered by Harry Denley, Director of Security at the blockchain interface platform MyCrypto.
Denley, like xrplorer forensics, had identified that the fake extension was being propagated by a Google Ads campaign.