Ledger Live Tracking Reveals Privacy Concerns


Ledger wallets are arguably among the most popular hardware wallets/signing devices on the market; the brand recognition and trust the company has built over the years with its Nano range of devices is admirable. Its physical devices, designed to store and manage your Bitcoin, have helped drive home the idea of self-custody.

Self-custody is a must for anyone who plans to hold serious amounts of wealth in Bitcoin or has seen their wealth increase over the years, rendering their current security measures less than ideal. Software wallets are great for those getting started, getting to grips with managing private keys, generating addresses and signing transactions.

But it becomes a concern when you start to hold several Bitcoin (tens of thousands or even hundreds of thousands of dollars) on a mobile device or desktop computer with a connection to the internet.

It’s important to keep your keys and key management at a distance from internet-connected devices. Hardware wallets make this easy to do since, unlike software wallets that store your private keys (the secure codes that grant access to your funds) on your computer or phone, hardware wallets keep them offline, making them significantly less vulnerable to hacking and theft.

With Ledger being at the forefront of self-custody supporting devices, they’ve built up a large user base that holds hundreds if not thousands of Bitcoin collectively, meaning controversies surrounding the company will be met with alarm, and rightly so.

The Ledger leaks

Ledger wallet users who purchased their device directly from Ledger woke up to the news that they had been doxxed. The hacker likely responsible for Ledger’s security breach in July 2020 dumped a large amount of data exposing the personal information of over 270,000 customers, including phone numbers and physical addresses.

The leak also included 1 million emails from users who had signed up for the company’s newsletter service. Ledger wallet users on the list to this day face the genuine threat that they could be targeted for home invasion and other scareware threats.

The Ledger Recover riots

In 2023, Ledger kicked off an absolute Twitter storm with its decision to launch Ledger Recover, a paid-for KYC service, which would create a copy of your private keys, encrypt it and divide it into three pieces held with three different parties.

Many users who purchased Ledger wallets felt it was sold to them under false pretences when they discovered software could be created to access their private keys. As a result, many users began to dump their wallets and migrate to other devices.

While this decision did alienate a portion of the market, especially those focusing on privacy and secure self-custody, Ledger felt the growth from the casual crypto user would be enough to offset the loss of users.

The Ledger Live alarm bells

Ledger Live, the companion app for popular hardware wallets like the Ledger Nano S and X, boasts an impressive user interface and streamlined functionality. Ledger Live is built to manage your funds and provides a sleek UI that can be installed on both desktop and mobile devices.

However, beneath the sleek surface lurks a growing concern among privacy-conscious Bitcoin users: the potential for data collection and compromised anonymity.

Things began to quiet down on the Ledger front following those two incidents. Still, the animosity towards the company and its range of products flared up once again this week following a Twitter post reviewing the number of tracking scripts found in Ledger Live.

1. IP address tracking

Ledger Live collects and stores users’ IP addresses for up to five years, raising concerns about potential identification and tracking. This information, combined with transaction data, could theoretically be used to profile user behaviour and potentially link them to specific transactions.

2. Lack of coin control

Ledger Live does not provide the ability to pick the UTXOs you wish to spend. Instead, the software automatically selects funds for transactions, often choosing those with the largest balance. This can expose users’ holdings and transaction patterns, making them vulnerable to targeted attacks or financial analysis.
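
To make the coin-control concern concrete, here is an added example (not code from Ledger Live or from the original article) comparing largest-first automatic selection with a manual pick and showing what each transaction reveals. The wallet labels, UTXO values and flat fee are constructed assumptions.

```python
# Added illustration: constructed wallet, values in satoshis (not real data).
WALLET = {
    "cold-savings": 150_000_000,
    "exchange-withdrawal": 5_000_000,
    "p2p-purchase": 1_200_000,
    "tips": 300_000,
}
FLAT_FEE = 2_000  # assumption: fixed fee; real fees grow with input count


def largest_first(wallet, amount, fee=FLAT_FEE):
    """Automatic selection: spend the biggest coins until the payment is covered."""
    picked, total = [], 0
    for label, value in sorted(wallet.items(), key=lambda kv: kv[1], reverse=True):
        if total >= amount + fee:
            break
        picked.append(label)
        total += value
    if total < amount + fee:
        raise ValueError("insufficient funds")
    return picked


def manual_pick(wallet, labels, amount, fee=FLAT_FEE):
    """Coin control: the user names the UTXOs; only sufficiency is checked."""
    if sum(wallet[l] for l in labels) < amount + fee:
        raise ValueError("selected coins do not cover amount plus fee")
    return list(labels)


def exposure(wallet, picked, amount, fee=FLAT_FEE):
    """What the payee and any chain observer can read off the transaction."""
    total_in = sum(wallet[l] for l in picked)
    return {
        "inputs_linked": picked,          # spent together, so assumed same owner
        "visible_input_total": total_in,  # lower bound on the sender's holdings
        "change": total_in - amount - fee,
    }


if __name__ == "__main__":
    pay = 1_000_000  # a 0.01 BTC payment
    print("automatic:", exposure(WALLET, largest_first(WALLET, pay), pay))
    print("manual:   ", exposure(WALLET, manual_pick(WALLET, ["p2p-purchase"], pay), pay))
```

With automatic selection, the 0.01 BTC payment is funded from the 1.5 BTC coin, so the payee sees a change output of roughly 1.49 BTC; the manual pick exposes only the small coin.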

3. Data sharing with third-party services

While Ledger claims minimal data sharing, concerns linger about potential partner integrations and future changes to their privacy policy. Users have limited control over what data is shared and how it’s used.

4. Limited transparency

Ledger’s documentation and information about data collection and usage practices are often vague and lack specific details on who holds the data, who has access to that data and how that data is used. This lack of transparency makes it difficult for users to make informed decisions about their privacy and security.

5. Closed yet open source

Ledger’s firmware is closed source, meaning the software that runs the device can only be reviewed by the company’s own developers, which leaves outsiders unable to check it for flaws and possible backdoors. While the Ledger Live source code is open source, the lack of transparency across the full stack makes it difficult for security experts to independently verify the app’s functionality and identify potential vulnerabilities.

What are my options if not Ledger Live?

If you’re uncomfortable using the Ledger Live app due to privacy concerns or prefer a different experience, you do not need to dump your signing device. Instead, you can interact with your device using third-party open-source software, with many wallets fully compatible with Ledger’s range of devices.

| Wallet | Website |
| --- | --- |
| Electrum wallet | electrum.org |
| Green wallet | blockstream.com/green |
| Ledger Libre | GitHub – Ledger Libre |
| Sparrow wallet | sparrowwallet.com |
| Specter wallet | specter.solutions |
| Samourai wallet | samouraiwallet.com |
| Wasabi wallet | wasabiwallet.io |

Alternative software options for Ledger Live users

  • Green wallet: Developed by Blockstream, a leading Bitcoin infrastructure company, this software allows you to connect your own node, use different hardware wallets, and supports the Liquid Network and the Lightning Network.
  • Electrum: A well-established open-source wallet with strong security and privacy features. It allows you to run your own nodes for further control over your transactions and data.
  • Sparrow wallet: This open-source wallet specifically supports Ledger devices and offers advanced features like transaction privacy and coin control, giving you greater anonymity and control over your funds.
  • Specter wallet: An open-source wallet focusing on advanced features and customisation, ideal for running multi-sig setups. It can be run with your full node but has a steep learning curve.
  • Wasabi wallet: This Bitcoin-focused wallet prioritizes privacy by obfuscating transaction origins and amounts, making it difficult to track your activity.
  • Samourai wallet: Another Bitcoin-centric option with features like coin mixing and transaction batching to anonymize your transactions and enhance your privacy.

Ledger Libre

If you still feel comfortable with Ledger Live and prefer the UX but want to avoid all the current tracking scripts, you can download an open-source version with all the tracking scripts removed; this version is called Ledger Libre.

Beware of imitation software

When downloading software to manage your funds and interact with your signing device, it’s essential to check the source of the software and ensure you’re downloading a copy from a reputable source. This issue became glaringly obvious recently when Microsoft had to remove a fraudulent Ledger Live app after multiple users lost at least $768,000 worth of cryptocurrency assets.

The fake app, published under the name Ledger Live Web3, went live on the app store on the 19th of October and was removed this week after complaints of theft began to surface.

This is not the first time a fake wallet has pinched user funds; in 2020, a phoney version of Electrum wallet started making the rounds, netting criminals $22 million in user funds.


Do you take self-custody of your stack?

If you’re new to Bitcoin and have not ventured down the self-custody rabbit hole, what is stopping you? If you’re already self-sovereign, how has the experience been since you took hold of your funds? Let us know in the comments down below.

We’re always keen to hear from bitcoiners from around the world.

Disclaimer: This article should not be taken as, and is not intended to provide, any investment advice. It is for educational and entertainment purposes only. As of the time of posting, the writers may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency, as all investments contain risk. All opinions expressed in these articles are my own and are in no way a reflection of the opinions of The Bitcoin Manual.
