Fake Browser-Update Pop-ups Delivering Ledger Malware
Compromised or malicious websites display fake 'Ledger Live requires a browser update' pop-ups that prompt users to download a malicious executable. The malware targets Ledger Live configuration files, recovery-phrase data, and browser-stored passwords.
Last reviewed: 8 June 2026
Ledger Live is the desktop and mobile application used to manage Ledger hardware wallets. Because Ledger Live handles sensitive wallet operations — viewing balances, signing transactions, and occasionally prompting users to enter recovery phrases for device resets — it is a high-value target for malware authors who create convincing fakes.
A common delivery mechanism is the fake browser-update pop-up: a banner or overlay appearing on a legitimate-looking website claims that Ledger Live requires a browser update, a security patch, or a compatibility fix to continue working. The download button serves a malicious installer disguised as the genuine Ledger Live application.
Once installed, the malware presents a fake Ledger Live interface and may prompt the user to 'restore' their wallet by entering their 24-word recovery phrase. If entered, the phrase is immediately transmitted to the attacker, giving them complete control over the hardware wallet's funds from any device.
How this scam works on the Ledger brand
The real Ledger Live application is distributed exclusively through ledger.com/ledger-live. Ledger will never deliver updates through browser pop-ups on third-party websites or ask you to enter your recovery phrase into any software application — under any circumstances.
Fake-update pop-ups typically appear on cryptocurrency news sites, NFT marketplaces, or DeFi protocol pages that have been compromised by malicious JavaScript injections. The pop-up mimics Chrome's or Firefox's update interface but includes Ledger branding. The downloaded executable may be signed with a stolen or fraudulent certificate to avoid initial antivirus detection.
After installation, the malware's most dangerous move is a fake 'wallet migration' or 'security audit' screen that asks for the 24-word recovery phrase. Entering even a partial phrase on any software other than the physical Ledger device itself is a critical security breach.
Common red flags
- A pop-up on any third-party website claims Ledger Live requires a browser or application update
- You are prompted to download a Ledger Live update from a URL that is not ledger.com
- The downloaded installer is named differently from the official Ledger Live installer
- After installation, the app asks you to enter your 24-word recovery phrase — the real Ledger Live never asks for this
- The pop-up uses urgent language: 'Your Ledger device is incompatible with your current browser — update now to avoid losing access'
- The application you downloaded does not match the file size or interface of the genuine Ledger Live
How to protect yourself
- Download Ledger Live only from ledger.com/ledger-live — bookmark this and never use a pop-up link
- Never enter your 24-word recovery phrase into any software application — only enter it on the physical Ledger device itself
- Verify Ledger Live installer authenticity using the official hash checker provided on ledger.com
- Keep your operating system and browser updated through official OS channels, not pop-up prompts
- Use a dedicated clean device for Ledger operations if you manage significant funds
- Report suspicious pop-ups to the website owner and to Ledger's security team
How to report it
- Report the malicious URL and fake installer to Ledger's security team at [email protected]
- Submit the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
- Report to IC3.gov (US) or Action Fraud 0300 123 2040 (UK)
- File a report with the FTC at reportfraud.ftc.gov
- Report the malware sample to your antivirus vendor
Frequently asked questions
Will Ledger ever prompt me to enter my recovery phrase in Ledger Live software?
No. Your 24-word recovery phrase should only ever be entered on the physical Ledger hardware device itself — never into any computer application, website, or browser extension. Any software requesting it is fraudulent.
How can I verify I am running genuine Ledger Live?
Ledger provides official checksums for every Ledger Live release on their GitHub releases page. You can verify the downloaded file's hash matches before running it. Instructions are at ledger.com/ledger-live.
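The hash check described in this answer, combined with the "installer is named differently" red flag, as an added example (not Ledger's tooling and not code from this page). It assumes the published checksums are saved as a `sha256sum`/`sha512sum`-style text list obtained from the official source; the file names and bytes in the demo are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Assumption: the published list uses the common "<hex digest>  <filename>"
# layout written by sha256sum/sha512sum. Digest length selects the algorithm.
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")

def parse_checksums(text):
    """Return {filename: (algorithm, lowercase hex digest)} from a checksum list."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and len(m.group(1)) in ALGO_BY_HEX_LEN:
            entries[m.group(2)] = (ALGO_BY_HEX_LEN[len(m.group(1))], m.group(1).lower())
    return entries

def file_digest(path, algorithm):
    """Hash the file in chunks so large installers do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_installer(path, checksum_text):
    """Return (ok, reason). ok is True only if file name and digest both match."""
    name = os.path.basename(path)
    entries = parse_checksums(checksum_text)
    if name not in entries:
        # Red flag from the list above: installer named differently from the official one.
        return False, f"{name!r} is not listed in the published checksums"
    algorithm, expected = entries[name]
    actual = file_digest(path, algorithm)
    if not hmac.compare_digest(actual, expected):
        return False, f"{algorithm} mismatch: got {actual[:16]}..., expected {expected[:16]}..."
    return True, f"{algorithm} digest matches the published value"

if __name__ == "__main__":
    # Constructed sample: a stand-in file and a checksum list generated for it.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer-sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample bytes")
        listing = hashlib.sha512(b"constructed sample bytes").hexdigest() + "  installer-sample.bin\n"
        print(verify_installer(path, listing))
```

A match only shows the file is the one the checksum list describes, so the list itself has to come from the official source and not from the page that offered the download.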
What do I do if I already entered my seed phrase into fake software?
Immediately move all funds from every wallet derived from that seed phrase to a new wallet with a new seed phrase. The old seed phrase must be treated as permanently compromised. This is one of the most irreversible security mistakes possible in crypto.