Ledger, a provider of hardware wallets for digital assets, has issued an urgent warning to users. The company’s ‘Ledger dApp Connect Kit’ was compromised in a supply chain attack in which a wallet drainer was embedded in the library, leading to theft estimated at over $484,000.
Immediate Measures and Updates
Ledger revealed on X that a compromised ‘malicious version’ of its Ledger Connect Kit had been distributed. This kit is a key component used by decentralized apps (dApps) from different developers for integrating with the Ledger wallet service.
In response to this breach, Ledger has cautioned its users to stop using dApps temporarily. The malicious code, designed to steal digital assets from connected wallets, raises serious concerns about the security of using these applications.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
Ledger has acted to address the issue, removing the compromised library and releasing a new, secure version. Ledger’s technology and security personnel acted promptly, deploying a solution within 40 minutes after the issue was identified. Although the malicious file remained active for nearly 5 hours, the period during which funds were compromised is estimated to be less than two hours.
Projects that used the affected versions (1.1.5, 1.1.6, and 1.1.7) are advised to update to the latest version (1.1.8) to ensure safety. Users are also advised to ‘Clear Sign’ all transactions, following Ledger’s instructions, to add an extra layer of security.
🚨Ledger users: @blockaid_ has identified an attack on Ledger Connect Kit. Please stop using dapps. https://t.co/seahVIMji1
— MetaMask 🦊🫰 (@MetaMask) December 14, 2023
Ongoing Investigations
Recognizing the risk, projects such as Kyber and RevokeCash have announced on X that they have deactivated their front ends. Blockaid, a security firm, has identified this as a ‘supply chain attack’ on Ledger’s Connect Kit, where an intruder swapped the library’s software with malicious code designed to siphon off assets.
The company is also warning users about ongoing phishing attacks that are trying to exploit the situation. The exploit has been linked to a phishing attack on a former Ledger employee, and Ledger is working closely with law enforcement to find the perpetrator. This incident highlights the vulnerabilities in the web3 space and the importance of continuous vigilance and prompt action in protecting digital assets.