Cryptocurrency wallet maker Ledger hacked, hundreds of thousands stolen

Ledger attributed the exploit to a phishing attack targeting a former employee

Ledger, a leading cryptocurrency wallet manufacturer based in Paris, has fallen victim to a high-profile hack.

The breach involved the compromise of Ledger's widely used Connect Kit JavaScript library, resulting in the theft of hundreds of thousands of pounds in cryptocurrencies from users' wallets in the early hours of Thursday.

Ledger attributed the exploit to a phishing attack targeting a former employee, who inadvertently became the entry point for the hacker.

The attacker then uploaded a malicious file to the company's NPM registry account, redirecting user funds to their own wallet during transactions with decentralised applications (dApps) relying on the compromised software.

"The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7)," Pascal Gauthier, Ledger's CEO, said.

"The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet."

Although the compromised file was active for only five hours, and was actively draining funds for two of them, the attacker managed to abscond with a substantial amount of crypto tokens.

The impact of the vulnerability extended beyond Ledger, affecting other protocols in the decentralised finance (DeFi) space. Impacted DeFi protocols include SushiSwap, Kyber, Revoke.cash and Zapper.

Kyber and Revoke.cash took immediate action, deactivating their respective front ends to prevent further exploitation.

Ledger later said that the malicious code had been deactivated, and that the authentic version, Ledger Connect Kit version 1.1.8, is now safe for use. It advised users to promptly update their applications.

As an added precaution, users were recommended to wait for 24 hours before attempting to use the software again.

"We are filing a complaint and working with law enforcement on the investigation to find the attacker," Ledger said, expressing its commitment to pursuing legal action.

Revoke.cash reported losses totalling approximately $850,000 as a result of the incident.

Rosco Kalis, a software engineer for Revoke.cash, pointed out a weakness in Ledger's distribution method for Connect Kit: the library was served through a content delivery network (CDN) in a way that prevented developers from pinning it to specific versions.

Kalis stressed the importance of "pinning" versions to protect against supply chain attacks.

Crypto security startup Blockaid, which raised alarms about the breach, estimates that between 500 and 1,000 wallets fell victim to the attack.

"This is affecting anyone with a wallet that is connecting to a dApp that includes this piece of code," Raz Niv, co-founder and CTO of Blockaid, said.

Despite Ledger's prompt update to remove the compromised code, Niv urged crypto users to exercise caution when accessing dApps, as not all platforms may have incorporated the necessary upgrade.

This exploit follows Ledger's troubled history with security issues, including a major customer database leak in 2020 and controversies over the security of its hardware that surfaced with a software update last year.

As the DeFi landscape grapples with yet another setback, industry stakeholders are reminded of the constant need for vigilance and security enhancements in the rapidly evolving crypto space.