Review and sign transactions from a single secure screen with Ledger Flex™

Discover now

Thought leadership | 08/03/2021

Pegasus Spyware: Is Your Crypto Secure?

The following article summarizes the technical blog recently published by the Ledger Donjon team. You can click here to read it.

Software programs designed to hack our personal devices are getting more and more sophisticated. The Pegasus spyware scandal highlights the threat this software poses to our technology and information. 

Spyware have also gained the attention of the crypto industry, as an increasing number of users and investors rely on software wallets running on unsafe computers and smartphones. Web3 digital assets, such as Bitcoin or Ethereum, should not be stored on Web2 devices (laptops and smartphones). This article explains why.

“Zero-days” & “zero-clicks” spyware proliferates

In 2020, investigative reporters revealed that tens of thousands of citizens, activists, and political leaders were targeted by clients of the spyware maker, NSO Group. Recently, the spyware became a true diplomatic scandal with the revelation that 14 heads of States and governments were former targets, including President Macron of France and King Mohammed V of Morocco. The spyware provided full access to their smartphones.

How did this spyware become such an insidious surveillance tool? Simply because of a mix of “zero-day” and “zero-click” features. But what does that mean, exactly? 

A “zero-day” attack occurs when hackers exploit a vulnerability in an app or device unknown to the vendor of the target software. In the Pegasus spyware case, entry points are messaging apps (iMessage, WhatsApp, SMS…). 

On the other hand, a “zero-click” attack exploits vulnerabilities without requiring a target to click anywhere. These vulnerabilities gave the attacker almost complete access to targeted devices and their data: camera, microphone, geolocation, images, conversations, etc. 

A “zero-day zero-click attack” is a combination of the two above. Worried, yet?

These attacks harm your digital assets, too 

Unfortunately, “zero-day” and “zero-click” attacks are not limited to Pegasus spyware. If you thought your software wallets were inherently secure, think again. The following videos show how easily our Ledger Donjon Team was able to hack smartphones and access the seed phrases of MetaMask, Coinbase, and Blockchain.com software wallets.

The next video simulates a malware that steals the user password entered by the victim. It is then used to decrypt the Electrum wallet data and to display the seed.

The following video highlights malware disguised as a fake Bitcoin ticker widget. Malware exploits a device vulnerability to exfiltrate the encrypted seed to a remote server. The server then bruteforces the password to decrypt the seed: 

The next video shows an equivalent process with a Coinbase Wallet:

This last video demonstrates spyware targeting a Blockchain.com wallet. Once user has authenticated using the victim fingerprint, encryption key is unlocked and wallet data is decrypted: 

Overall, the process is actually quite simple. The hacker sends you a message without you being notified. The message exploits a vulnerability allowing the attackers to spy on your app and exfiltrate your seed phrase through the internet. The hacker then sends the seed back to their own computer. No click is needed and it’s a malicious exploit, to say the least. 

As for your crypto? Gone.

The lesson is clear: don’t put your Web3 digital assets on Web2 devices like laptops and smartphones! They’re not secure by design, meaning they run on software programs (iOS or Android) that don’t allow you to leave your belongings in a safe enclave

Why safety in crypto needs to be hardware-based?

The crypto universe is full of treasure, but one’s adventure should ALWAYS be safe. Here’s why our hardware wallets, Ledger Nano S and Nano X, are the most secure storage solutions for your digital assets:

  • First, they protect you against malware, by design. Our hardware wallets are independent devices that sign transactions on their own. The cryptographic materials of private keys always stay inside the device. They are never sent to the application they communicate with. Hence, your keys are kept offline where malware can’t access them. 
  • Second, our devices embed a screen allowing you to verify your actions when you interact with your secret keys. When you make transactions on a mobile phone or desktop computer, malware can access your information or even swap/modify your addresses. Our on-device authentications are very efficient countermeasures.

Offline keys and on-device authentications are critical tools for fully securing digital assets on hardware devices. 

Conclusion:

As cryptocurrencies become more common, attacks against wallets will, unfortunately, become more and more sophisticated. At Ledger, we aim to bring you the most secure experience when managing your digital assets.

Stay in touch

Announcements can be found in our blog. Press contact:
[email protected]

Subscribe to our
newsletter

New coins supported, blog updates and exclusive offers directly in your inbox


Your email address will only be used to send you our newsletter, as well as updates and offers. You can unsubscribe at any time using the link included in the newsletter.

Learn more about how we manage your data and your rights.