Binance’s CZ receives a security warning, Ledger’s Discord admin account hacked

Former Binance CEO Changpeng Zhao (CZ) shared a security message on social media platform X on Monday, alerting the public about a coordinated phishing attack that compromised Ledger Discord admin account. The attackers used the hacked account to falsely warn users of a vulnerability in Ledger’s systems, luring them to a malicious website designed to steal sensitive wallet information.

“Just got this security warning. Ledger’s Discord admin account was hacked,” Zhao posted, attaching a screenshot of the phishing message. 

Just got this security warning.

Ledger's Discord admin account was hacked. The scammer falsely claimed a security flaw and urged users to enter their recovery phrases on a phishing site.

Lessons:
1. Never give up your private key recovery phrases no matter who is doing the…

— CZ 🔶 BNB (@cz_binance) May 12, 2025

The fraudulent post claimed that the newly discovered vulnerability had compromised user data, and advised users to verify their seed phrases through a link disguised to look like an official fakeverify-ledger.appchanged, but was in fact a phishing trap. 

Users were told they would be offered compensation if their phrases were found to be compromised. Zhao told his followers: “Never give up your private key recovery phrases no matter who is doing the asking. Social network accounts for a crypto company are often the weakest links.”

Ledger has contained the damage

As reported by Cryptopolitan earlier today, the hardware wallet provider confirmed that a moderator’s account on its Discord server was compromised but is now back in the firm’s control. The attacker had replicated the style and tone of a legitimate Ledger message, even listing steps to “secure” user wallets. 

Ledger’s internal team responded by disabling the affected moderator’s account, removing the malicious bot, and conducting a full audit of server permissions. They also flagged the phishing website in question to stop users who were still unaware from accessing it.

Back in March, Ledger’s internal security unit, Donjon, revealed a vulnerability in competing wallet provider Trezor’s Safe series. According to Donjon, the issue stems from the microcontroller used in Trezor’s devices, which remains susceptible to physical attacks.

State of phishing websites: Punycode attacks

On Sunday, a separate incident reported by blockchain security firm SlowMist saw a crypto user lose more than $20,000 due to a phishing scam involving a fake version of the ChangeNOW exchange. The incident occurred while the victim used Google Chrome to access what they believed was the real site.

The fake domain employed a tactic known as a Punycode attack, where malicious actors register domains that appear identical to legitimate ones by swapping letters with similar-looking characters from different alphabets. In this case, a Cyrillic ‘е’ replaced a Latin ‘e’, creating a site that was visually indistinguishable from the original ChangeNOW platform.

Victims, upon visiting such domains, may be coaxed into entering login credentials, downloading malware, or, in crypto-related scams, providing wallet seed phrases. Once this data is acquired, attackers gain complete control over user funds.

In 2017, PayPal users were targeted via a fake Punycode domain that impersonated the official site, stealing user credentials and siphoning funds. The hackers sent several emails to users, with one claiming that Bitcoin had been sent to their accounts from an exchange, as seen in a post on the subreddit r/CryptoCurrency.

“This email actually originated from PayPal. It passed through PayPal’s mail transfer agent (MTA) systems and, as such, was allowed in by Google’s MTA systems. Not good,” said the PayPal account holder who discovered the scam.

Between 2016 and 2018, Punycode domains were cited in a 25% increase in phishing incidents, according to a cybersecurity study. Most users are unaware of Punycode encoding and cannot easily detect these fake URLs, especially when the rest of the webpage is awfully similar to the official one in design and language.

Cryptopolitan Academy: Want to grow your money in 2025? Learn how to do it with DeFi in our upcoming webclass. Save Your Spot