Big Security Company, Ledger, Gets Hacked: Loses Hundreds of Thousands in Crypto, Affects DeFi Protocols
December 19, 2023 at 5:24 AM
Last updated
December 19, 2023 at 5:24 AM

Paris-based cryptocurrency wallet manufacturer Ledger has fallen victim to a significant hack compromising its widely-used Connect Kit JavaScript library. The breach resulted in the theft of hundreds of thousands of pounds in cryptocurrencies from users’ wallets in the early hours of Thursday.
Ledger attributed the exploit to a phishing attack targeting a former employee, who unexpectedly became the entry point for the hacker. The hacker planted a harmful file in the company’s NPM registry, rerouting user funds in transactions with compromised dApps.
Ledger’s CEO, Pascal Gauthier, stated: “The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7).”
The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.
Active for only five hours, the affected file allowed the attacker to seize a significant amount of crypto tokens. The impact extended beyond Ledger, affecting other decentralized finance (DeFi) protocols, including SushiSwap, Kyber, Revoke.cash, and Zapper.
Kyber and Revoke.cash immediately acted, deactivating their respective front ends to prevent further exploitation. Ledger later deactivated the malicious code, ensuring the safety of their Connect Kit version 1.1.8. Users were advised to promptly update their applications and wait 24 hours before use.
Revoke.cash Reports $850,000 Loss: Vulnerabilities in Ledger’s Distribution Method
Revoke.cash reported losses of approximately $850,000 due to the incident. Revoke.cash’s engineer exposed flaws in Ledger’s Connect Kit distribution via CDN, stressing the need to “pin” versions for security.
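The pinning the Revoke.cash engineer called for can be checked mechanically. The following Node.js audit is an added example, not code from Ledger, Revoke.cash or the original article: it flags the affected releases (1.1.5 to 1.1.7) and any unpinned reference in package.json, package-lock.json or script URLs. The package name `@ledgerhq/connect-kit`, the `cdn.example` host and the sample data are assumptions constructed for illustration.

```javascript
const AFFECTED = new Set(["1.1.5", "1.1.6", "1.1.7"]); // malicious releases named in the article
const PKG = "@ledgerhq/connect-kit"; // npm package name (assumption; the article says "Connect Kit")
const EXACT = /^\d+\.\d+\.\d+$/;

// Classify one version reference: a range, tag or missing version can float to a bad release.
function classify(spec) {
  if (!spec || !EXACT.test(spec)) return "unpinned";
  return AFFECTED.has(spec) ? "affected" : "pinned";
}

// Check package.json specs, package-lock.json resolved versions and CDN script URLs.
function audit({ manifest = {}, lock = {}, scriptUrls = [] }) {
  const findings = [];
  const add = (source, ref, status) => {
    if (status !== "pinned") findings.push({ source, ref, status });
  };
  for (const field of ["dependencies", "devDependencies"]) {
    const spec = (manifest[field] || {})[PKG];
    if (spec !== undefined) add(`package.json ${field}`, spec, classify(spec));
  }
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Lockfile v2/v3 keys look like "node_modules/<name>", possibly nested.
    if (path.endsWith(`node_modules/${PKG}`)) add(`lock ${path}`, entry.version, classify(entry.version));
  }
  // Match the kit itself (not a sibling package with a longer name) and capture "@<version>".
  const urlRe = /@ledgerhq\/connect-kit(?:@([^/?#]+))?(?=[/?#]|$)/;
  for (const url of scriptUrls) {
    const m = urlRe.exec(url);
    if (m) add("script src", url, classify(m[1]));
  }
  return findings;
}

// Constructed sample input: a range in package.json, a bad resolved version, two CDN URLs.
const sample = {
  manifest: { dependencies: { "@ledgerhq/connect-kit": "^1.1.0" } },
  lock: { packages: { "node_modules/@ledgerhq/connect-kit": { version: "1.1.7" } } },
  scriptUrls: [
    "https://cdn.example/npm/@ledgerhq/connect-kit@1",
    "https://cdn.example/npm/@ledgerhq/connect-kit@1.1.8/dist/index.js",
  ],
};
for (const f of audit(sample)) console.log(`${f.status.padEnd(9)} ${f.source}: ${f.ref}`);
```

Only the URL pinned to 1.1.8 passes; the `^1.1.0` range and the `@1` URL are reported because either could resolve to whatever release is published next.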
Crypto security startup Blockaid estimated that between 500 and 1,000 wallets fell victim to the attack. Despite Ledger’s prompt update, caution is urged when using dApps, as not all platforms may have installed the necessary upgrade.
“This is affecting anyone with a wallet that is connecting to a dApp that includes this piece of code,” said Raz Niv, co-founder and CTO of Blockaid.
This incident follows Ledger’s history of security issues, including a major customer database leak in 2020 and controversies over the security of its hardware revealed through a software update last year.
As the DeFi landscape faces another setback, industry players are reminded of the constant need for vigilance and security enhancements in the rapidly growing crypto space.
Coinwaft Editorial