Hardware wallet supply-chain tamper → pre-seeded seed
Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
§ Context
Assumed environment: the victim buys a hardware wallet through a non-vendor channel (used market, marketplace seller, gift) and does not verify the device by setting a fresh seed of their own.
§ Steps
- 01 | Sweep funds at attacker's choosing | Exfiltration | T1041: Exfiltration Over C2 Channel
- 02 | Victim deposits funds to known seed | Initial Access | T1078: Valid Accounts
- 03 | Sell via marketplace / used channel | Initial Access | T1195: Supply Chain Compromise
- 04 | Acquire / counterfeit hardware wallets | Resource Development | T1583: Acquire Infrastructure
- 05 | Pre-load known seed phrase / backdoored firmware | Initial Access | WLT-HW-SUPPLY: Hardware Wallet Supply-Chain Tamper
§ References
§ Frequently asked
- What is the "Hardware wallet supply-chain tamper → pre-seeded seed" attack path?
- Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is "Sweep funds at attacker's choosing" (T1041), an exfiltration primitive. Assumed environment: the victim buys a hardware wallet through a non-vendor channel (used market, marketplace seller, gift).
- What is the final impact of this kill-chain?
- The final step lands on "Pre-load known seed phrase / backdoored firmware" (WLT-HW-SUPPLY), which falls under Initial Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (shared techniques: 3)
  Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- Vesting beneficiary replace → silently drain stream (shared techniques: 2)
  Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024) (shared techniques: 2)
  Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- Apple Pay Express Transit relay → high-value contactless fraud (shared techniques: 2)
  Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Insider admin panel coercion → mass account takeover (Twitter 2020) (shared techniques: 2)
  Identify employees with access to an internal admin panel. SE / coerce one to use the panel to change target accounts' email + 2FA, then take them over.
- Build-system implant → signed supply-chain backdoor (SolarWinds-class) (shared techniques: 2)
  Compromise the target vendor's build server. A small implant rewrites a single source file at compile time; every official signed release downstream now ships the backdoor.