Ledger customers woke up on Jan. 5 to an email no one wants to see: their names and contact information had been exposed through a breach at Global-e, a third-party payment processor.

The company clarified what hadn’t been compromised: no payment cards, no passwords, and critically, no 24-word recovery phrases. The hardware remained untouched, the firmware secure, the seed storage intact.

For a data breach, this is the best-case scenario. Except in crypto, a leaked shipping label can be the first step in a phishing funnel or, in rare worst-case scenarios, a knock at the door.

The real vulnerability isn’t the wallet

BleepingComputer reported that attackers accessed shopper order data from Global-e’s cloud system, copying names, postal addresses, emails, phone numbers, and order details.

This is a “commerce-stack breach,” in which no cryptographic keys were touched, no devices were backdoored, and no exploit defeated Ledger’s secure element.

What attackers obtained is more practical: a fresh, high-quality contact list of confirmed hardware wallet owners with home shipping addresses.

For phishing operators, this is infrastructure-grade targeting data. The hardware wallet did its job, but the surrounding commercial apparatus provided attackers with everything they needed.

Ledger has lived through this before. In June 2020, an attacker exploited a misconfigured API key to access the company’s e-commerce database. A million email addresses were exposed, and 272,000 records included full names, postal addresses, and phone numbers.

Bitdefender characterized it as a “golden opportunity for scammers.”

The attacks weren’t subtle. Fake breach notices urged users to “verify” recovery phrases on cloned websites, and fraudulent Ledger Live updates delivered credential harvesters.

Some extortion emails threatened home invasions, made credible by the attackers’ possession of victims’ addresses and confirmed wallet purchases.

Timeline showing Ledger’s three major security incidents from 2020 to 2026, highlighting that customer data was compromised while recovery seeds remained secure.

A dataset that never stops giving

Personally identifiable information (PII) leaks in crypto have unusual durability.

The 2020 Ledger list didn’t age out. In 2021, criminals mailed physically tampered “replacement” devices to addresses from the dump. The shrink-wrapped packages with fake letterhead instructed victims to enter recovery phrases on modified hardware designed to exfiltrate seeds.

By December 2024, BleepingComputer documented a new phishing campaign using “Security Alert: Data Breach May Expose Your Recovery Phrase” subject lines.

Additionally, MetaMask’s 2025 threat report noted that physical letters were sent by postal mail to 2020 victims, on fake Ledger stationery, directing them to fraudulent support lines.

The dataset became a permanent fixture, recycled across email, SMS, and traditional mail.

The Global-e breach hands attackers a new version of the same weapon. Ledger’s warning explicitly anticipates this: expect phishing leveraging the leak, verify all domains, ignore urgency cues, never share your 24-word phrase.

Infographic detailing what data was compromised in the breach versus what remained secure, with recommended user safety actions.

When phishing graduates to physical threats

The 2020 leak never compromised a Ledger device, but it normalized treating customer lists as inputs to serious crime. Bitdefender noted ransom emails using leaked addresses to threaten home invasions. Ledger took down 171 phishing sites in the first two months.

Reports document escalating physical robberies, home invasions, and kidnappings aimed at extracting private keys across France, the United States, the United Kingdom, and Canada.

One French incident involved the January 2025 kidnapping of Ledger co-founder David Balland and his partner, during which attackers severed a finger while demanding ransom.

Previous Ledger leaks have prompted wrench attacks, with reports arguing that the surge in violent attacks on crypto executives correlates with breaches at Ledger, Kroll, and Coinbase that exposed the details of high-net-worth users.

Criminals stitch together leaked databases with public records to profile and locate targets.

TRM Labs confirms the mechanism: personal information gathered online, such as addresses and family details, has simplified profiling victims for home invasions, even when wallet technology remains uncompromised.

Law enforcement now treats crypto-specific PII leaks as ingredients in violent extortion.

How to deal with an ecosystem problem

Ledger isn’t alone. When Kroll was breached in August 2023, the data of FTX, BlockFi, and Genesis creditors was accessed.

Lawsuits allege the mishandling led to daily phishing emails spoofing claims portals.

The pattern is consistent: third-party vendors hold “non-sensitive” data that becomes sensitive when tied to crypto asset ownership. A shipping address is metadata until attached to a hardware wallet order.

The commerce layer, consisting of merchant platforms, CRMs, and shipping integrations, creates maps of who owns what and where to find them.

Ledger’s advice is sound: verify domains, ignore urgency, never share your seed. Yet, security researchers suggest expanding this.
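The three checks in that advice (and in Ledger's warning quoted earlier) can be run mechanically over incoming mail. The following is an added example, not code from Ledger or the article; the trusted-domain list, the cue patterns, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: the one domain this recipient accepts vendor mail and links from.
TRUSTED_DOMAINS = {"ledger.com"}
SEED_RE = re.compile(r"recovery phrase|seed phrase|24[- ]words?\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|act now|suspended|final notice|within \d+ hours?)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)

def is_trusted(host):
    """Exact match or true subdomain only; a lookalike that merely contains the name fails."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def triage(raw):
    """Return the reasons a raw RFC 5322 message should be treated as suspect."""
    msg = message_from_string(raw)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted(sender):
        findings.append(f"untrusted sender domain: {sender}")
    for host in sorted({urlsplit(u).hostname or "" for u in URL_RE.findall(text)}):
        if not is_trusted(host):
            findings.append(f"untrusted link host: {host}")
    if SEED_RE.search(text):
        findings.append("mentions recovery phrase")
    if URGENCY_RE.search(text):
        findings.append("urgency cue")
    return findings

# Constructed samples; .example hosts are placeholders, the subject line is the one quoted above.
PHISH = (
    "From: Ledger Support <support@ledger-alerts.example>\n"
    "Subject: Security Alert: Data Breach May Expose Your Recovery Phrase\n\n"
    "Your wallet will be suspended within 24 hours. Verify your 24-word phrase at\n"
    "https://ledger.com.verify-wallet.example/restore\n")
BENIGN = (
    "From: Ledger <news@ledger.com>\n"
    "Subject: Your order has shipped\n\n"
    "Track it at https://shop.ledger.com/orders\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The `From` header is trivially spoofed, so a clean result here is not proof of authenticity; the link-host and seed-phrase checks are the ones that hold up when the sender address looks right.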

Users with high-value holdings should consider enabling the optional passphrase feature, a 25th word that exists only in memory. Additionally, users should rotate their contact information periodically, use unique email addresses for wallet purchases, and monitor for SIM-swap attempts.
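Why the passphrase helps against phishing and coercion is visible in the seed derivation itself. This added example (not Ledger's code) assumes the standard BIP-39 derivation and uses the public 12-word BIP-39 test mnemonic rather than a 24-word one; the computation is identical for 24 words.

```python
import hashlib
import unicodedata

def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    words = " ".join(unicodedata.normalize("NFKD", mnemonic).split())
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)

def differing_bits(a, b):
    """Hamming distance between two equal-length seeds."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Public test mnemonic from the BIP-39 test vectors. It is known to everyone,
# so it must never protect real funds. No wordlist or checksum validation is done here.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    plain = bip39_seed(TEST_MNEMONIC)             # what a phished word list alone yields
    hidden = bip39_seed(TEST_MNEMONIC, "TREZOR")  # same words plus the memorized passphrase
    print("no passphrase  :", plain.hex()[:16], "...")
    print("with passphrase:", hidden.hex()[:16], "...")
    print("bits that differ:", differing_bits(plain, hidden), "of", len(plain) * 8)
```

Every passphrase, including a mistyped one, derives a valid but different seed, so the device cannot warn about a typo; the passphrase is also case-sensitive.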

Address exposure carries offline risk. Delivery minimization, such as mail forwarding, business addresses, and pickup locations, reduces the surface for physical coercion. Wrench attacks remain statistically rare but represent a real and growing threat.

The Global-e incident raises unanswered questions: How many customers were affected? What specific fields were accessed? Were other Global-e clients compromised? What logs track the intruder’s movement?

The crypto industry needs to rethink the risks of its commerce infrastructure. If self-custody removes trusted third parties from asset control, handing customer data to e-commerce platforms and payment processors creates exploitable maps of targets.

The hardware wallet might be a fortress, but business operations create persistent vulnerabilities.

The Global-e breach won’t hack a single Ledger device. It doesn’t need to. It gave attackers a fresh list of names, addresses, and proof-of-purchase, which is everything required to launch phishing campaigns that will run for years and, in rare cases, enable crimes that don’t require bypassing encryption.

The real vulnerability isn’t the secure element. It’s the paper trail leading to users’ doors.

The post New Ledger breach didn’t steal your crypto, but it exposed info that leads violent criminals to your door appeared first on CryptoSlate.