Ledger Connect Kit Exploit Explained, An In-Depth Report
TLDR:
- Malicious version of Ledger Connect Kit identified, prompting swift action from Ledger to protect users.
- Ledger collaborates with WalletConnect to replace the malicious version with genuine Ledger Connect Kit 1.1.8, ensuring device and account security.
- Pascal Gauthier shares a letter, revealing a phishing attack on a former employee as the root cause, emphasizing continuous security improvement.
- Ledger pledges to implement stronger security controls and encourages collective efforts to enhance DApp security.
- Ledger engages with authorities, supports affected users, and identifies the bad actor’s wallet address, which is now visible on Chainalysis; Tether has frozen the associated USDT.
The recent security incident involving Ledger’s Connect Kit has sent shockwaves through the cryptocurrency community, underscoring the ongoing battle against vulnerabilities.
Let’s delve into the timeline of events.
The Unveiling of the Exploit
In a series of tweets, Ledger announced the identification and removal of a malicious version of the Ledger Connect Kit.
The nefarious file prompted a swift response, with Ledger advising users not to interact with any dApps temporarily.
Fortunately, neither Ledger devices nor Ledger Live were compromised during this incident.
“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now.
“Do not interact with any dApps for the moment. We will keep you informed as the situation evolves,” wrote Ledger on X.
— Ledger (@Ledger) December 14, 2023
The Resolution Process
The security teams at Ledger and WalletConnect collaborated to replace the malicious version with the genuine one, assuring users that their Ledger devices and Ledger Live remained secure.
The genuine Ledger Connect Kit 1.1.8 was fully propagated, and a comprehensive report was promised shortly.
“Update: The malicious version of the file was replaced with the genuine version at around 2:35 pm CET.
“The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready.”
— Ledger (@Ledger) December 14, 2023
Insights from Ledger’s CEO Pascal Gauthier
To shed light on the incident, Ledger’s Chairman & CEO, Pascal Gauthier, shared a letter addressing the exploit.
He disclosed that a phishing attack on a former employee enabled a bad actor to upload a malicious file to Ledger’s NPMJS, emphasizing the importance of continuous security improvement.
A message from our CEO @_pgauthier regarding the Ledger Connect Kit exploit: https://t.co/mqlTQOUwD5 https://t.co/Ee4ZhN8rYK
— Ledger (@Ledger) December 14, 2023
“Today we experienced an exploit on the Ledger Connect Kit, a Javascript library that implements a button allowing users to connect their Ledger device to third party DApps (wallet-connected Web sites).
“This exploit was the result of a former employee falling victim to a phishing attack, which allowed a bad actor to upload a malicious file to Ledger’s NPMJS (a package manager for Javascript code shared between apps),” he said in an official statement.
Strengthening Security Measures
In response to the incident, Ledger pledged to implement stronger security controls, connecting their build pipeline for software supply chain security to the NPM distribution channel.
Gauthier also highlighted the need for collective efforts to raise the security bar for DApps engaging in browser-based signing.
“It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes.
“In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel,” said Gauthier.
The Timeline of the Exploit
The exploit originated when a former Ledger employee fell victim to a phishing attack, allowing the attacker to publish a malicious version of the Ledger Connect Kit.
Despite the swift response from Ledger and WalletConnect, the malicious file was live for approximately five hours.
“This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account.
“The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7),” explained Ledger.
“FINAL TIMELINE AND UPDATE TO CUSTOMERS:
“4:49pm CET: Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
“The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
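A defender-side check for the versions Ledger names above, written for this report as an added example (it is not Ledger’s or WalletConnect’s code): it walks a parsed package-lock.json and reports whether any copy of the kit, direct or transitive, still resolves to 1.1.5, 1.1.6 or 1.1.7. It assumes the kit is published on npm under the name @ledgerhq/connect-kit.

```python
# Added example (not Ledger's code): scan an npm lockfile for the Ledger
# Connect Kit versions the report lists as malicious (1.1.5, 1.1.6, 1.1.7).
# Assumption: the package is published on npm as "@ledgerhq/connect-kit".
import json

PACKAGE = "@ledgerhq/connect-kit"
AFFECTED = {"1.1.5", "1.1.6", "1.1.7"}
GENUINE = "1.1.8"


def find_versions(lock):
    """Return every resolved version of PACKAGE in a package-lock.json dict.
    Handles lockfileVersion 2/3 (flat "packages" map keyed by install path)
    and lockfileVersion 1 (nested "dependencies" trees)."""
    found = set()
    for path, meta in lock.get("packages", {}).items():
        # v2/v3 keys look like "node_modules/@scope/name" for a direct
        # dependency or ".../node_modules/@scope/name" for a nested copy.
        direct = path == "node_modules/" + PACKAGE
        nested = path.endswith("/node_modules/" + PACKAGE)
        if (direct or nested) and "version" in meta:
            found.add(meta["version"])
    stack = [lock.get("dependencies", {})]      # v1: recurse into subtrees
    while stack:
        for name, meta in stack.pop().items():
            if name == PACKAGE and "version" in meta:
                found.add(meta["version"])
            stack.append(meta.get("dependencies", {}))
    return found


def assess(lock):
    """'affected' (plus the bad versions) if any malicious release resolves,
    'clean' if the kit is present but none of them do, 'absent' otherwise."""
    versions = find_versions(lock)
    if not versions:
        return "absent", versions
    if versions & AFFECTED:
        return "affected", versions & AFFECTED
    return "clean", versions


# Constructed sample lockfile: the direct dependency is already pinned to
# the genuine release, but a transitive copy still resolves to 1.1.6.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@ledgerhq/connect-kit": {"version": GENUINE},
        "node_modules/some-dapp-sdk/node_modules/@ledgerhq/connect-kit":
            {"version": "1.1.6"},
    },
}

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK))  # ('affected', {'1.1.6'})
```

Run it against a real lockfile with `assess(json.load(open("package-lock.json")))`; a nested copy is the case a top-level `npm ls` glance tends to miss.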
Collaboration with Authorities and Community Support
Ledger has engaged with authorities and expressed its commitment to supporting affected users in tracking the funds and recovering stolen assets. The bad actor’s wallet address, 0x658729879fca881d9526480b82ae00efc54b5c2d, is now visible on Chainalysis, and Tether has frozen the associated USDT.
“Ledger, along with WalletConnect and our partners, have reported the bad actor’s wallet address. The address is now visible on Chainalysis. Tether has frozen the bad actor’s USDT.”
Learning from the Incident
As the situation comes under control, Ledger’s transparency and proactive measures serve as a valuable lesson for the cryptocurrency community.
The incident emphasizes the need for continuous vigilance, collaboration, and the implementation of robust security practices to safeguard the crypto ecosystem.