EXCLUSIVE. Ledger: hackers of customer database arrested

The second, Davide M., a 28-year-old Portuguese national, was arrested in Portugal and handed over to the French authorities in November 2022. He has been indicted and remanded in custody.

For several months, the two hackers sold under the table the data of 290,000 Ledger customers obtained via the Shopify e-commerce platform.

This massive data leak led to a wave of "phishing" - a technique designed to impersonate the company - among owners of digital wallets held by the world leader in digital asset custody. Ledger denies any link between the data leak and the phishing wave.

The leak concerned the names, telephone numbers, email addresses and also physical addresses of customers. This database was used to deliver Ledger products to homes.

Ledger was hit by a second hack in June 2020. This hack, which this time affected one million people, is believed to be attributable to a flaw in an API key. The hacker has not been arrested.

The French unicorn has been sued for both hacks. When questioned, Ledger, which passed the 6 million Nano (S and X) sold mark at the end of 2022, declined to comment.

How were the two people responsible for the first hack, Tassilo H. and Davide M., found?

It all started in January 2021. At the time, Ledger and the French authorities had little information about those responsible for the hack, which took place in April 2020, until an Internet user contacted the French company on Twitter.

The Internet user, who introduced himself as the administrator of a cryptocurrency investment site, claimed to know the identity of the person responsible for the hack. To prove his bona fides, he provides several screenshots of Telegram group exchanges in which the resale of company databases is mentioned. Ledger is one of the companies mentioned.

On these channels, Tassilo H. (using the pseudonyms "TASS" or "BigBoy") boasts about hacking Ledger's customer database and provides truncated photos showing extracts from the customer file.

Rapidly identified by the FBI, the Austrian is arrested in the process. It is still January 2021. When questioned, he admitted to the offences, but said he had "not acted alone". At the time, he named a certain Davide M. as the main culprit.

According to exchanges found, the two men had known each other since at least 2019.

This is where the investigation takes on an international dimension. Davide M. was identified during 2022 and summoned by the Portuguese authorities in the summer. When he failed to appear, a European arrest warrant was issued for him. He was then arrested.

Analysis of the devices belonging to him showed that he too boasted on Telegram that he was behind the extraction of data from several companies, including Ledger. And he doesn't seem to be up to his first trick...

Analysis of data from his smartphone and hard drives also proved that in spring 2022 he created a site imitating the cryptocurrency exchange platform, Gate. The aim? To retrieve customer IDs and steal the contents of their wallets.

A leak at Shopify

To get their hands on Ledger's customer file, Tassilo H. and Davide M. did not use malware. They contacted three Filipino subcontractors of the Canadian giant Shopify, which provides e-commerce solutions. It was via Shopify that Ledger sold its products online.

The contact took place on Shopify's support chat with a certain Carlo P.

It was the latter who then allegedly extracted part of Shopify's database, including Ledger's customer file. "It is incomprehensible that Shopify's subcontractors should have had uncontrolled access to such a sensitive database," stresses a source close to the case.

As a result of the hacking and the sale of the file, many Ledger customers have been affected by phishing attacks from people posing as Ledger.

The process is often the same: the thieves invite customers to visit a fake site on the pretext that they need to update their software. Once logged in, they are asked to provide the recovery key for their crypto account consisting of 24 words, which allows the thief to reconstitute the wallet on his side and recover the funds.

According to the courts, at least 150 people have fallen victim to these practices. According to our information, some victims have lost more than a million euros.

In two years, Tassilo H. and David M. are said to have recovered 80,000 and 70,000 euros respectively through the sale of customer files. According to one expert, this sum is probably undervalued.

The trial of Davide M. is expected to take place in France within a relatively short timeframe, probably in the coming months. The evidence gathered seems sufficient for the courts, which should not have to carry out many further investigations.

Davide M. has been indicted for six offences: organised gang fraud, organised gang theft, criminal association with a view to committing a crime, fraudulent access to an automated data processing system, fraudulent maintenance in an automated data processing system, fraudulent extraction of data from an automated data processing system.

He faces up to ten years in prison and a €1 million fine.

Tassilo H., meanwhile, could face trial in the United States.