An investigation by Rekt Builder has raised concerns about the extent of data collection by Ledger Live, the official software for managing Ledger hardware wallets. The developer claims that Ledger Live tracks every move users make, including the apps they install and the crypto they hold.

Ledger Live Covertly Tracking User Transaction Activities?

Taking to X on December 27, Rekt Builder claims that Ledger Live embeds the genuine check into the app’s listing procedure. As such, it means that whenever you plug in your Ledger device and open Ledger Live, the software checks whether the device is genuine and sends this information to Ledger’s servers. This data includes the device’s serial number, firmware version, and the list of apps installed.

Rekt Builder also notes that Ledger Live tracks the crypto balances stored on the device. However, what’s concerning is that all this data is sent to Ledger’s servers. Accordingly, it means Ledger can access a detailed record of its clients’ crypto holdings. 

To determine whether Ledger was trailing user activity, the developer attempted to turn off the remote tracking feature in Ledger Live, but this was impossible. Any attempt to disable tracking resulted in the software breaking. This suggests that Ledger had intentionally designed Ledger Live to track user activity.

Rekt Builder’s findings raise serious concerns about the privacy of Ledger hardware wallet users. If Ledger is tracking each move users make, then it is possible that this data could be used to identify users and track their crypto transactions. This can be dangerous because a hack into any of Ledger’s centralized servers can mean malicious agents can control critical data, which can then be used to target individuals with large holdings of Bitcoin and other coins. 

Ledger Remains A Subject Of Security And Privacy Discussion

By the time of writing, Ledger has not yet responded to Rekt Builder’s allegations. This is not the first time Ledger has been blamed for privacy violations. In 2022, Ledger was accused of collecting data on users’ activity, including the websites they visited and the coins they traded. Ledger later apologized for this data collection and promised to improve its privacy practices. 

In July 2023, a security researcher identified a weakness in Ledger’s Node Package Manager (NPM) account. This flaw enabled an attacker to steal user data, including email addresses and purchase history. It is estimated that over 270,000 accounts were likely impacted.