Supply chain attack targeting Ledger crypto wallet leaves users hacked
Reading Time: 2 minutesHackers compromised the code behind a crypto protocol used by multiple web3 applications and services, the software maker Ledger said on Thursday.
Ledger, a company that makes a widely used and popular crypto hardware and software wallet, among other products, announced on X (previously Twitter) that someone had pushed out a ‘malicious version’ of its Ledger Connect Kit, a library that decentralized apps (dApps) made by other companies and projects use to connect to the Ledger wallet service.
‘A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves,’ Ledger wrote.
Soon after, Ledger posted an update saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would ‘provide a comprehensive report as soon as it’s ready.’
‘The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet,’ Costigan said.
Then, Ledger deployed a fix within 40 minutes of the company becoming aware of the hack. The malicious file, however, was live for round 5 hours, but ‘the window where funds were drained was limited to a period of less than two hours,’ according to Costigan.
Ledger also ‘coordinated’ with WalletConnect which ‘quickly disabled the the rogue project,’ essentially stopping the attack, according to Costigan.
Costigan also said Ledger pushed out a genuine software update that is ‘safe to use.’
‘We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time,’ the spokeperson said, adding that the company believes it has identified the hackers’ wallet.
The company says it has sold six million units of its hardware wallet, and Ledger Live, its software equivalent, is used by 1.5 million users. The Ledger hardware wallet is not believed to be affected by the hack.
That would allow the hackers to drain the crypto inside users’ wallets — so long as the users accepted the push to connect their wallets to the malicious Ledger version.
It’s not immediately clear how many people fell victim to the hack. ZachXBT, a well-known independent crypto researcher, wrote on X that the hackers stole more than $600,000 in crypto during the attack.
Several blockchain security researchers, as well as people who work in the web3 industry, warned users on social media of the supply chain hack against Ledger.
Matthew Lilley, the chief technology officer of cryptocurrency trading platform Sushi, was one of the first ones to detect the attack and share the news.
‘I would recommend never interacting with a [decentralized app] ever again and honestly just move on with your life,’ said Joseph Delong, the CTO of NFT lending platform AstariaXYZ, joked on X, referring to the fact that Ledger uses the notoriously insecure programming language JavaScript.
UPDATE, December 14, 11:28 a.m. ET: This story was updated to include more details about the attack, provided by the company’s spokesperson.
Correction: A previous version of this article mistakenly said that ZachXBT had identified a victim who lost $600,000 in crypto due to the hack. In reality, ZachXBT had identified the hackers’ wallet, where they had amassed $600,000 in stolen crypto.
Ref: techcrunch
MediaDownloader.net -> Free Online Video Downloader, Download Any Video From YouTube, VK, Vimeo, Twitter, Twitch, Tumblr, Tiktok, Telegram, TED, Streamable, Soundcloud, Snapchat, Share, Rumble, Reddit, PuhuTV, Pinterest, Periscope, Ok.ru, MxTakatak, Mixcloud, Mashable, LinkedIn, Likee, Kwai, Izlesene, Instagram, Imgur, IMDB, Ifunny, Gaana, Flickr, Febspot, Facebook, ESPN, Douyin, Dailymotion, Buzzfeed, BluTV, Blogger, Bitchute, Bilibili, Bandcamp, Akıllı, 9GAG