Hackers have successfully compromised the code underpinning a crypto protocol utilized by numerous web3 applications and services, according to an announcement from Ledger, a prominent company known for its widely used crypto hardware and software wallet. The security breach involves the malicious manipulation of Ledger’s Ledger Connect Kit, a critical library facilitating the connection between decentralized apps (dApps) created by various companies and projects and Ledger’s wallet service.
The company took to X (previously Twitter) to caution users, revealing that an unauthorized party had disseminated a “malicious version” of the Ledger Connect Kit. Urging caution, Ledger informed users not to interact with any dApps temporarily and assured them that a legitimate version was in the process of replacing the malicious file. The company committed to keeping users informed as the situation unfolded.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Ledger later provided an update disclosing that the hackers had replaced the genuine version of the software roughly six hours earlier. The company opened an investigation into the incident and pledged to publish a full report once it was ready. Ledger spokesperson Phillip Costigan added that a former Ledger employee had fallen victim to a phishing attack, which gave the hackers access to the employee’s account on NPMJS, the software registry acquired by GitHub.
Using that access, the hackers published a malicious version of the Ledger Connect Kit that embedded a rogue WalletConnect project to reroute funds to a wallet under their control. Although a fix was deployed within 40 minutes of the breach being detected, the malicious file remained live for about five hours. The window in which funds were actually drained was less than two hours.
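The mechanism described above, a newly published release of a trusted library pulled into downstream builds, is what dependency pinning and integrity checking exist to catch. The script below is an added example, not code from Ledger or the Connect Kit project: it audits a constructed package.json for version ranges that would let a build resolve to an unreviewed release, and compares a constructed package-lock.json (lockfileVersion 3 layout) against a reviewer-maintained allowlist of exact versions and tarball integrity hashes. The package names, versions, registry URL and hashes are all constructed placeholders.

```python
"""Audit an npm project for dependency-pinning weaknesses.

Added example, not Ledger's code. Assumes a package-lock.json in the
lockfileVersion 2/3 "packages" layout and an allowlist of reviewed
(version, integrity) pairs. All names, versions and hashes are constructed.
"""
import json
import re

# Constructed package.json: the "^" range lets npm resolve to any newer 1.x
# release, including one published after the last review.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-dapp",
    "dependencies": {
        "@example/connect-kit": "^1.1.4",
        "@example/modal": "2.0.0",
    },
})

# Constructed lockfile: connect-kit has drifted to a version nobody reviewed,
# and modal carries no integrity hash, so its tarball cannot be verified.
SAMPLE_LOCK = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp"},
        "node_modules/@example/connect-kit": {
            "version": "1.1.8",
            "resolved": "https://registry.example.test/@example/connect-kit/-/connect-kit-1.1.8.tgz",
            "integrity": "sha512-CONSTRUCTED_NEW_HASH",
        },
        "node_modules/@example/modal": {
            "version": "2.0.0",
            "resolved": "https://registry.example.test/@example/modal/-/modal-2.0.0.tgz",
        },
    },
})

# Constructed allowlist: the exact version and tarball hash a reviewer signed off on.
REVIEWED = {
    "@example/connect-kit": ("1.1.4", "sha512-CONSTRUCTED_REVIEWED_HASH"),
    "@example/modal": ("2.0.0", "sha512-CONSTRUCTED_MODAL_HASH"),
}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def unpinned_dependencies(package_json_text):
    """Return dependency names whose spec is a range or tag, not an exact version."""
    pkg = json.loads(package_json_text)
    deps = {}
    for field in ("dependencies", "devDependencies"):
        deps.update(pkg.get(field, {}))
    return sorted(name for name, spec in deps.items() if not EXACT_VERSION.match(spec))


def audit_lockfile(lock_text, reviewed):
    """Compare every locked package against the reviewed allowlist.

    Returns a sorted list of (package, finding) tuples. A package that resolves
    to a version or tarball hash the reviewers never saw is the signal that a
    release published outside the normal process has entered the build.
    """
    lock = json.loads(lock_text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        integrity = meta.get("integrity")
        if integrity is None:
            findings.append((name, "missing integrity hash; tarball cannot be verified"))
        if name not in reviewed:
            findings.append((name, f"version {version} not on the reviewed allowlist"))
            continue
        want_version, want_integrity = reviewed[name]
        if version != want_version:
            findings.append((name, f"resolved {version}, reviewed {want_version}"))
        elif integrity is not None and integrity != want_integrity:
            findings.append((name, "integrity hash differs from the reviewed tarball"))
    return sorted(findings)


if __name__ == "__main__":
    for name in unpinned_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"UNPINNED  {name}")
    for name, why in audit_lockfile(SAMPLE_LOCK, REVIEWED):
        print(f"LOCKFILE  {name}: {why}")
```

Run it against the constructed inputs and it flags the caret range on the connect-kit dependency, the drift from the reviewed 1.1.4 to 1.1.8 in the lockfile, and the missing integrity field on the modal package; in a CI pipeline any non-empty result would fail the build until a reviewer updates the allowlist.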
In collaboration with WalletConnect, Ledger took swift action to disable the rogue project, effectively putting an end to the attack. Ledger also proactively released a genuine software update deemed “safe to use.” Costigan assured affected customers that the company was actively engaged in dialogue with them, identifying and assisting those whose funds may have been compromised. Furthermore, Ledger claimed to have identified the wallet associated with the hackers.
Ledger, renowned for selling six million units of its hardware wallet and boasting 1.5 million users of Ledger Live, its software equivalent, affirmed that the hardware wallet itself remained unaffected by the breach.
Tal Be’ery, co-founder of the crypto wallet Zengo, explained that the malicious version of the software was designed to deceive users into connecting their wallets and assets to the compromised Ledger library. That connection let the hackers siphon crypto from users’ wallets, but only if the user accepted the prompt to connect to the malicious version.
The extent of the breach’s impact is not immediately clear, though independent crypto researcher ZachXBT claimed on X that the hackers absconded with over $600,000 in crypto during the attack. Numerous blockchain security researchers and individuals within the web3 industry took to social media to caution users about the supply chain attack targeting Ledger. Matthew Lilley, Chief Technology Officer of the cryptocurrency trading platform Sushi, was among the first to detect the attack and disseminate the news.