Software developer and privacy advocate REKTBuilder has raised concerns within the crypto community through a post on X, claiming that Ledger Live software is tracking users and collecting data. According to the developer, who examined the Python code of Ledger Live, the software performs an original device check every time a user connects their Ledger device to a computer or phone.
REKTBuilder suggests that this check lists all applications installed on the device, allowing Ledger to determine which networks the wallet owner is using. The developer, known for contributions to crypto forums and research on X, published a report on December 6th alleging that Ledger Live records users’ crypto assets. The following day, REKTBuilder announced an open-source alternative to Ledger Live, named Lecce Libre, which purportedly does not include trackers.
REKTBuilder now claims to have discovered a more significant privacy issue with Ledger Live. On December 27th, they shared findings of multiple code lines containing real control statements. When tracking traces were added to this code, the software appeared to be inactive while supposedly checking the device.
Further investigation by REKTBuilder revealed that the actual control is embedded within a ‘listApps’ subroutine. The developer suggests that this control could be used by Ledger to log the exact time and date every time a user connects their device.
Attempting to remove the code resulted in breaking the software, rendering it unusable, which implies that it’s impossible to create a truly tracker-free version of Ledger Live. REKTBuilder stated, “I tried to disable remote monitoring, and it’s impossible; if you do, it breaks. This means Ledger knows it’s you every time you plug in the device.”
Ledger, known as a popular crypto hardware wallet producer, claims to have over 6 million users of its products. In March, Ledger announced raising $109 million in capital to expand its operations, and in October, it released an optional cloud-based recovery tool for users afraid of losing their private keys.