- Ledger wallet users have allegedly lost $600,000 after hackers exploited the Ledger Connect Kit protocol
- Hackers conducted a phishing attack on a Ledger employee to gain access
- This incident adds to a series of recent scandals, casting doubt on the security of Ledger’s offerings.
Some $600,000 is thought to have been stolen from Ledger wallet users after hackers compromised the code behind its Ledger Connect Kit protocol. The protocol is used by multiple web3 applications and services, and its infiltration meant that hackers were able to steal funds from anyone who interacted with it through their Ledger device. The breach is the latest in a series of scandals that has rocked the company in recent years, and it again calls into question the safety of its products.
Phishing Attack Led to Breach
Ledger announced on X that someone had pushed out a “malicious version” of Ledger Connect Kit, a library that decentralized apps (dApps) made by other companies and projects use to connect to the Ledger wallet service:
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
Soon after, Ledger posted an update saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would “provide a comprehensive report as soon as it’s ready.”
After this story was published, Ledger spokesperson Phillip Costigan shared more details about the hack on X, saying that a former Ledger employee was the victim of a phishing attack on Thursday, which gave the hackers access to the former employee’s account on NPMJS, a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit.
Ledger deployed a fix within 40 minutes of the company becoming aware of the hack, but not before some $600,000 worth of cryptocurrency could be taken. The malicious file, however, was live for around five hours.
Ledger Hiding Replies Again
Ledger CEO Pascal Gauthier used a blog post to give more detail on the hack, calling it an “unfortunate isolated incident,” and said that Ledger will “implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.” He also said the company understands “the panic this caused for the community and broader ecosystem.”
Indeed, it is widely believed that the news caused a $3,000+ drop in the price of bitcoin, while Ledger was accused, once again, of hiding replies on X to try and mitigate the spread of the news. This was last seen following a massive data breach that took place in stages in 2020, when a total of 292,000 customers’ names, home and email addresses, and phone numbers were stolen.