Ledger Crypto Wallet Users Compromised in Supply Chain Attack
Ledger, known for its prominent crypto hardware and software wallet, among other products, disclosed on X (formerly known as Twitter) that it had discovered a “malicious version” of its Ledger Connect Kit. The kit is a library that connects decentralized apps (dApps) developed by third parties to the Ledger wallet service.
“A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves,” Ledger wrote.
Soon after, Ledger posted an update saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would “provide a comprehensive report as soon as it’s ready.”
After this story was published, Ledger spokesperson Phillip Costigan shared more details about the hack with TechCrunch and on X. Costigan said that a former Ledger employee was the victim of a phishing attack on Thursday, which gave the hackers access to the former employee’s NPMJS account. NPMJS is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit.
“The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet,” Costigan said.
Ledger deployed a fix within 40 minutes of becoming aware of the hack. The malicious file, however, was live for around 5 hours, but “the window where funds were drained was limited to a period of less than two hours,” according to Costigan.
Ledger also “coordinated” with WalletConnect, which “quickly disabled the rogue project,” essentially stopping the attack, according to Costigan.
Costigan also said Ledger pushed out a genuine software update that is “safe to use.”
“We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time,” the spokesperson said, adding that the company believes it has identified the hackers’ wallet.
The company says it has sold six million units of its hardware wallet, and Ledger Live, its software equivalent, is used by 1.5 million users. The Ledger hardware wallet is not believed to be affected by the hack.
Tal Be’ery, the co-founder of crypto wallet Zengo, told TechCrunch that the hackers essentially pushed out a malicious version of the software that was designed to trick users into connecting their wallets and assets to it.
That would allow the hackers to drain the crypto inside users’ wallets — so long as the users accepted the push to connect their wallets to the malicious Ledger version.
It’s not immediately clear how many people fell victim to the hack. ZachXBT, a well-known independent crypto researcher, wrote on X that the hackers stole more than $600,000 in crypto during the attack.
A chorus of caution echoed across social media platforms as numerous blockchain security researchers and individuals active within the web3 sector raised alarm bells regarding the supply chain breach targeting Ledger.
Matthew Lilley, the Chief Technology Officer at the cryptocurrency trading platform Sushi, was among the first to detect the attack and promptly share the news.
“Perhaps it’s best to steer clear of any [decentralized app] and simply carry on with life,” quipped Joseph Delong, the CTO of NFT lending platform AstariaXYZ, humorously addressing the use of the notoriously vulnerable programming language JavaScript within Ledger’s infrastructure.
UPDATE, December 14, 11:28 a.m. ET: This story was updated to include further details about the attack, shared by the company’s spokesperson.
Correction: A prior version of this article incorrectly credited ZachXBT with identifying a victim who had lost $600,000 in crypto due to the breach. In reality, ZachXBT had uncovered the hackers’ wallet, which had accumulated $600,000 in stolen cryptocurrency.