Hardware wallet provider Ledger was the target of a sophisticated hack incident, which led to the theft of about $484,000 in assets.
The hack was linked to a former Ledger employee who fell victim to a phishing attack. The hack happened when a former employee was tricked into giving access to their account, allowing the attacker to publish malicious versions of the Ledger Connect Kit.
About $150,000 was stolen initially, although it was later reported that the money lost had reached about $484,000.
The malicious code was active for around five hours, but Ledger’s technology and security teams quickly responded and fixed the problem within 40 minutes with the help of WalletConnect and Tether, who also froze the hacker’s wallet.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
Despite the rapid response, it was believed the window for fund drainage was less than two hours.
Ledger since coordinated with WalletConnect to disable the rogue project and propagated the genuine and verified Ledger Connect Kit version 1.1.8, which was now considered safe for use.
See Also: Fake Ledger Live Application Steals $588K From Microsoft Store
To bolster security, the connect-kit development team on the NPM project was set to read-only mode, preventing direct pushes of the NPM package.
Ledger also internally rotated the secrets to publish on its GitHub and developers were urged to ensure they were using the latest version, 1.1.8.
The severity of the attack was highlighted by the substantial amount stolen, with the hacker transferring approximately 4.334 ETH to an address known as “AngelDrainer,” which currently holds assets worth around $363,000.
A hacker attacked #Ledger and has stolen ~$484K assets.#LedgerExploiter transferred 4.334 $ETH to #AngelDrainer.
And the #AngelDrainer is also receiving assets currently and holds $363K assets.https://t.co/ZG5SRlKBjW pic.twitter.com/RK9aPyAjEE
— Lookonchain (@lookonchain) December 14, 2023
In response to this, Ledger, along with partners such as WalletConnect, reported the bad actor’s wallet address, now visible on Chainalysis.
Tether took action by freezing the bad actor’s assets, showcasing the collaborative efforts within the cryptocurrency community to address such security breaches.
Tether just froze the Ledger exploiter address
— Paolo Ardoino 🍐 (@paoloardoino) December 14, 2023
The company reiterated the importance of using the Clear Sign feature on Ledger devices to ensure transaction authenticity and advised customers to wait 24 hours before using the Ledger Connect Kit again, as a precautionary measure.
Ledger also urged them to pause their hardware wallet interactions with decentralized applications (DApps).
See Also: Rainbow Wallet Token Aims At Taking Advantage Of MetaMask
In a new thread on the social media platform X, Ledger says that it has found, identified, and replaced a malicious version of its connect kit, a piece of code used to connect hardware wallets to DApps.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any DApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised.”
