Threat / Scams & fraud

Fake hardware-wallet firmware-update brand-spoof — "Critical Ledger Live / Trezor Suite firmware update — install before 2026 Pectra/EIP-7702 migration" from sender NOT on the hw-wallet canonical-allowlist (ledger.com, trezor.io, tangem.com, gridplus.io, keyst.one, shiftcrypto.ch, coinkite.com, foundationdevices.com, cypherock.com). Real wallet-vendor firmware updates ship through the vendor's signed app (Ledger Live / Trezor Suite) — never via inbound email link. Distinct from `hw-wallet-seed-phrase-reveal-phish` (R9 batch 1, direct SRP harvest) — this signal is specifically the firmware-update pretext, not seed-phrase harvest; the two can co-fire on a single email combining both pretexts. Ledger Connect Kit Dec 2023 ($600K loss) + Trezor T firmware downgrade attacks + Tangem NFC-cloning research (2024) proved the firmware-update vector. Source: Red-Team R9 multi-agent council S4 (hardware-wallet-firmware specialist).

hw-wallet-firmware-update-spoof-lure

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Fake hardware-wallet firmware-update brand-spoof targeting hardware-wallet owners (Ledger, Trezor, Tangem, GridPlus, Keystone, BitBox, Coldcard, Foundation, Cypherock). The phish narrative arrives as: "A critical firmware update is available for your Ledger Nano X. Please install Ledger Live firmware patch within 24 hours to remain compatible with the 2026 EIP-7702 / Pectra account-abstraction migration. Click below to download," or "A critical security patch is available for your Trezor T device. Install the firmware update via Trezor Suite within 48 hours or your device will be locked from access." The Ledger Connect Kit compromise (Dec 2023, $600K total loss) + Trezor T firmware downgrade attacks + Tangem NFC-cloning research (2024) + the Ledger Recover backlash (May 2023) all proved the firmware-update vector, lending the brand-spoof immediate credibility. Real wallet-vendor firmware updates ship through the vendor's signed app (Ledger Live / Trezor Suite / Keystone Companion / BitBoxApp / Specter / Sparrow), which verifies the manufacturer's signature on the firmware image before flashing it, never via an inbound email link to a `.dfu` / `.elf` / `.bin` download. The sender is NOT on the hw-wallet canonical-allowlist (ledger.com, trezor.io, tangem.com, gridplus.io, keyst.one, shiftcrypto.ch, coinkite.com, foundationdevices.com, cypherock.com). Distinct from `hw-wallet-seed-phrase-reveal-phish` (R9 batch 1, direct SRP harvest) — this signal is specifically the firmware-update pretext, not seed-phrase harvest; the two can co-fire on a single email combining both pretexts. The 2026 EIP-7702 / Pectra account-abstraction migration narrative + Solana Firedancer mainnet + Bitcoin Taproot Assets all drove fresh firmware-bump pretexts.
Fires when the body references a hardware-wallet brand or product (Ledger Live/Nano/Stax; Trezor Suite/Safe/Model T/Model 3; Tangem; GridPlus; Keystone; BitBox; Coldcard; Foundation Passport; Cypherock; or "hardware wallet" generically) AND a firmware term (firmware update/patch/upgrade/version, critical update/patch/firmware, or security patch/update/firmware) AND an action-plus-urgency pretext (install / update / upgrade / download / deploy, combined with "within N hours/days", "24 hours", "48 hours", "immediately", "urgent", "action required", "locked", "disabled" or "incompatible"). Senders on the canonical hw-wallet vendor domains are excluded. Auto-classified as danger via the `-lure` suffix. Source: Red-Team R9 multi-agent council S4 (hardware-wallet-firmware specialist).
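The clause logic above, written out as an added example that is not Gorganizer's own code: the brand, firmware and action-plus-urgency clauses are approximated as regexes, and the allowlist check is done on domain-label boundaries so that look-alike senders such as `ledger.com.example.net` do not pass. The regexes, the sample messages and the function names are assumptions for illustration.

```python
import re
from email.utils import parseaddr

# Canonical hardware-wallet vendor domains named in the signal description.
HW_WALLET_ALLOWLIST = frozenset({
    "ledger.com", "trezor.io", "tangem.com", "gridplus.io", "keyst.one",
    "shiftcrypto.ch", "coinkite.com", "foundationdevices.com", "cypherock.com",
})

# Approximations of the rule's clauses (assumed patterns, not the product's).
BRAND_RE = re.compile(
    r"\b(ledger|trezor|tangem|gridplus|keystone|bitbox|coldcard|"
    r"foundation passport|cypherock|hardware wallet)\b", re.I)
FIRMWARE_RE = re.compile(
    r"\b(firmware (?:update|patch|upgrade|version)|"
    r"(?:critical|security) (?:update|patch|firmware))\b", re.I)
ACTION_RE = re.compile(r"\b(install|update|upgrade|download|deploy)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(within \d+ (?:hours?|days?)|24 hours|48 hours|immediately|urgent|"
    r"action required|locked|disabled|incompatible)\b", re.I)


def sender_is_canonical(from_header: str) -> bool:
    """True only if the sender domain is an allowlisted vendor domain or a
    subdomain of one. A plain substring/suffix test would accept
    'ledger.com.example.net', so match on label boundaries instead."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].strip().lower().rstrip(".")
    if not domain:
        return False
    return any(domain == d or domain.endswith("." + d) for d in HW_WALLET_ALLOWLIST)


def hw_wallet_firmware_update_spoof_lure(from_header: str, body: str) -> bool:
    """Fires when all clauses match in the body and the sender is not canonical."""
    if sender_is_canonical(from_header):
        return False
    return all(rx.search(body) for rx in (BRAND_RE, FIRMWARE_RE, ACTION_RE, URGENCY_RE))


# Constructed sample, modelled on the lure narrative quoted on this page.
SAMPLE_BODY = ("A critical firmware update is available for your Ledger Nano X. "
               "Please install Ledger Live firmware patch within 24 hours to remain "
               "compatible with the 2026 EIP-7702 / Pectra migration. Click below to download.")

if __name__ == "__main__":
    for sender in ("Ledger Support <support@ledger-firmware-alerts.com>",
                   "Ledger <noreply@ledger.com>",
                   "security@ledger.com.update-portal.net"):
        print(sender, "->", hw_wallet_firmware_update_spoof_lure(sender, SAMPLE_BODY))
```

The second sender (a genuine `ledger.com` address) is the false-positive guard: the body matches every clause, yet the signal stays silent because the sender is canonical.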

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.

Ready to clean your inbox?

Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
