Ledger Connect Kit Exploit Explained, An In-Depth Report
- Malicious version of Ledger Connect Kit identified, prompting swift action from Ledger to protect users.
- Ledger collaborates with WalletConnect to replace the malicious version with genuine Ledger Connect Kit 1.1.8, ensuring device and account security.
- Pascal Gauthier shares a letter, revealing a phishing attack on a former employee as the root cause, emphasizing continuous security improvement.
- Ledger pledges to implement stronger security controls and encourages collective efforts to enhance DApp security.
- Ledger engages with authorities, supports affected users, and identifies the bad actor’s wallet address, visible on Chainalysis with frozen USDT by Tether.
The recent security incident involving Ledger’s Connect Kit has sent shockwaves through the cryptocurrency community, underscoring the ongoing battle against vulnerabilities.
Let’s delve into the timeline of events.
The Unveiling of the Exploit
In a series of tweets, Ledger announced the identification and removal of a malicious version of the Ledger Connect Kit.
The nefarious file prompted a swift response, with Ledger advising users not to interact with any dApps temporarily.
Fortunately, neither Ledger devices nor Ledger Live were compromised during this incident.
“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now.
“Do not interact with any dApps for the moment. We will keep you informed as the situation evolves,” wrote Ledger on X.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨— Ledger (@Ledger) December 14, 2023
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
The Resolution Process
The security teams at Ledger and WalletConnect collaborated to replace the malicious version with the genuine one, assuring users that their Ledger devices and Ledger Live remained secure.
The genuine Ledger Connect Kit 1.1.8 was fully propagated, and a comprehensive report was promised shortly.
“Update: The malicious version of the file was replaced with the genuine version at around 2:35 pm CET.
“The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready.”
Update:— Ledger (@Ledger) December 14, 2023
The malicious version of the file was replaced with the genuine version at around 2:35pm CET.
The new genuine version should be propagated soon.
We will provide a comprehensive report as soon as it’s ready.
In the meantime, we’d like to remind the community to…
Insights from Ledger’s CEO Pascal Gauthier
To shed light on the incident, Ledger’s Chairman & CEO, Pascal Gauthier, shared a letter addressing the exploit.
He disclosed that a phishing attack on a former employee enabled a bad actor to upload a malicious file to Ledger’s NPMJS, emphasizing the importance of continuous security improvement.
Strengthening Security Measures
In response to the incident, Ledger pledged to implement stronger security controls, connecting their build pipeline for software supply chain security to the NPM distribution channel.
Gauthier also highlighted the need for collective efforts to raise the security bar for DApps engaging in browser-based signing.
“It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes.
“In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel,” said Gauthier.
The Timeline of the Exploit
The exploit originated when a former Ledger employee fell victim to a phishing attack, allowing the attacker to publish a malicious version of the Ledger Connect Kit.
Despite the swift response from Ledger and WalletConnect, the malicious file was live for approximately five hours.
“This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account.
“The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7),” explained Ledger.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:— Ledger (@Ledger) December 14, 2023
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
Collaboration with Authorities and Community Support
Ledger has engaged with authorities and expressed its commitment to supporting affected users in tracking the funds and recovering stolen assets. The bad actor’s wallet address, 0x658729879fca881d9526480b82ae00efc54b5c2d, is now visible on Chainalysis, and Tether has frozen the associated USDT.
“Ledger, along with WalletConnect and our partners, have reported the bad actor’s wallet address. The address is now visible on Chainalysis. Tether has frozen the bad actor’s USDT.”
Learning from the Incident
As the situation comes under control, Ledger’s transparency and proactive measures serve as a valuable lesson for the cryptocurrency community.
The incident emphasizes the need for continuous vigilance, collaboration, and the implementation of robust security practices to safeguard the crypto ecosystem.