Ice Phishing EIP-712 Signature Scams Impersonating Ledger
Fake 'Ledger Connect Kit' pages and counterfeit dApps display EIP-712 signature requests styled to look like Ledger hardware wallet confirmations, tricking users into approving malicious token permissions.
Part of: Ice Phishing and EIP-712 Signature Scams
Last reviewed: 8 June 2026
The Ledger Connect Kit allows hardware wallet users to sign transactions and messages for Web3 applications directly through their Ledger device. Following high-profile incidents in the Web3 ecosystem involving compromised connection libraries, many Ledger users are aware that signing requests may appear in their browser — creating an opening for scammers.
Criminals build fake 'Ledger dApp Browser' or 'Ledger Connect' pages that present an EIP-712 structured-data signing request alongside Ledger's branding. The page implies the request is coming from the hardware device itself or from a verified Ledger integration. Users who do not carefully inspect the contract address and permission values in the signature may approve sweeping token allowances.
Genuine Ledger Connect Kit interactions always originate from the Ledger Live application or a known dApp you have deliberately connected. Ledger never sends emails or messages directing users to sign a message on a standalone web page for a 'security check' or 'wallet re-registration.'
How this scam works on the Ledger brand
The attack begins with a phishing email or a social media post warning that Ledger's Connect Kit has been 'updated' and requires users to re-authorize their existing dApp connections. A button links to a site using Ledger's visual identity: black background, white Ledger logo, a hardware-device icon in the corner.
The page presents a standard WalletConnect-style QR code or a direct MetaMask prompt alongside a note reading 'Your Ledger device will prompt for confirmation.' This false reassurance leads users to expect a legitimate on-device confirmation. The EIP-712 message that appears in MetaMask or another software wallet contains token-spend approvals; the Ledger hardware device itself is not involved in the flow.
After the victim signs, the attacker submits the permit signature to affected contracts. Because Ledger branding surrounded the request, the victim may not recognize the problem until their assets are gone. Ledger's genuine security advisories are published at ledger.com/blog/security and only direct users to the official Ledger Live application.
Common red flags
- Email or post claims a 'Ledger Connect Kit update' requires re-signing existing dApp permissions
- The signing page URL is not ledger.com — fake domains use terms like ledger-connect-update.com
- EIP-712 message shows unfamiliar spender addresses or maximum token approval values
- The page claims your Ledger hardware device will confirm the transaction, but no actual Ledger device prompt appears
- You were directed here by a message rather than from within the Ledger Live application
- Prompt arrives shortly after a real Web3 news event involving Ledger or Connect Kit, exploiting heightened user anxiety
How to protect yourself
- Keep Ledger Live updated through official channels (ledger.com/ledger-live) to receive genuine security notices
- Read every EIP-712 signature request in full, particularly the contract address and token amounts, regardless of surrounding branding
- Verify that your Ledger device's screen shows the same destination and amount as your browser before confirming any transaction
- Use simulation browser extensions such as Pocket Universe to preview the outcome of any signature before approving
- Revoke token approvals periodically using revoke.cash to limit exposure from any approvals you may have granted
How to report it
- Report suspected phishing to Ledger at [email protected]
- Submit the phishing domain to MetaMask's phishing list (github.com/MetaMask/eth-phishing-detect) and Google Safe Browsing
- File a complaint with IC3.gov (US) or Action Fraud (UK)
- Alert the Ledger community at reddit.com/r/ledgerwallet to help warn others
Frequently asked questions
What is Ledger Connect Kit and why is it relevant to scams?
Ledger Connect Kit is a JavaScript library used by Web3 dApps to integrate Ledger hardware wallet signing. Because it is a trusted piece of infrastructure, scammers exploit its name to add legitimacy to fake 'update' or 're-authorization' phishing campaigns.
Should my Ledger device show a confirmation for every EIP-712 signature?
Yes, if your Ledger is genuinely connected through Ledger Live to a dApp, it will display the relevant data on the device screen. If no Ledger screen prompt appears for a supposed Ledger-authenticated transaction, the Ledger device is not involved and you should reject the request.