
Ledger puts estimated user losses from recent breach at about $600,000
As a result of the compromise of the Ledger Connect Kit library on December 14, wallet users suffered losses of about $600,000.
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger…
— Ledger (@Ledger) December 20, 2023
According to the statement, the company will fully compensate the affected users. Ledger’s CEO Pascal Gauthier will oversee the reimbursement.
The firm also published an incident report detailing some preliminary findings.
On the morning of December 14, the attacker gained access to a former Ledger employee’s account on NPMJS through a phishing attack.
From 12:49 to 14:37 MSK, the attacker published a malicious version of the Ledger Connect Kit library, an open-source component that dapp developers use to connect their applications to Ledger hardware wallets. DeFi platforms that load the library automatically picked up the malicious version.

To redirect assets to his own wallets, the attacker used a rogue WalletConnect project.
At 16:45 MSK, Ledger learned of the ongoing attack from community reports and a direct message on X from the Blockaid team. About half an hour later the security team was briefed and, within 40 minutes, replaced the malicious package with a clean one. Because of how content delivery networks and caching work, however, the malicious file remained reachable for about 5 hours.
Nevertheless, Ledger estimates that the window in which the attacker drained victims’ wallets lasted less than two hours. Thanks to rapid coordination, the WalletConnect team disabled the rogue project and Tether froze the USDT on the attacker’s address.
Tether just froze the Ledger exploiter address
— Paolo Ardoino (@paoloardoino) December 14, 2023
Ledger emphasised that during the exploit the attacker did not gain access to any infrastructure such as a code repository, nor to the dapps themselves. The malicious code was injected into the applications’ front-end interfaces, which prompted users to sign various kinds of transactions.
According to the company, the affected users were blind signing: they approved transactions without verifying on the device what they were actually signing. To prevent such incidents, the hardware-wallet maker plans to disable blind signing in 2024. Ledger urged users and dapp teams to adopt Clear Signing, under which the device displays the decoded contents of a transaction before the user approves it.
Regarding concerns raised in the community about the ex-employee still having publishing access through his NPMJS account, the firm acknowledged this was a lapse. The team is working on additional controls at the software publication stage.
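The distinction the report draws between blind signing and clear signing is the difference between approving an opaque byte string and seeing the function and arguments it encodes. The following is an added example, not Ledger’s code and not its Clear Signing implementation: a minimal decoder for a few standard ERC-20 and ERC-721 calldata layouts that surfaces the fields a drainer relies on (an unlimited `approve`, or `setApprovalForAll(…, true)`). The selectors are the standard 4-byte keccak prefixes of the listed signatures; the sample transaction is constructed.

```javascript
// Added example: decoding EVM calldata for common token functions so the
// signer can see what an opaque blob actually does. Not Ledger's code; the
// spender address and transactions below are constructed for the example.
const KNOWN = {
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },           // approve(address,uint256)
  "a9059cbb": { name: "transfer", params: ["address", "uint256"] },          // transfer(address,uint256)
  "a22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },    // setApprovalForAll(address,bool)
};
const UINT256_MAX = (1n << 256n) - 1n;

// Split calldata into selector + 32-byte ABI words and decode the ones we know.
function decodeCalldata(hex) {
  const data = hex.toLowerCase().replace(/^0x/, "");
  if (data.length < 8) throw new Error("calldata shorter than a selector");
  const entry = KNOWN[data.slice(0, 8)];
  if (!entry) {
    // Unknown selector: this is exactly the case a blind signer approves on faith.
    return { name: null, args: [], warnings: ["unknown function selector; cannot display intent"] };
  }
  const warnings = [];
  const args = entry.params.map((type, i) => {
    const word = data.slice(8 + i * 64, 8 + (i + 1) * 64);
    if (word.length !== 64) throw new Error(`argument ${i} is truncated`);
    if (type === "address") {
      if (!/^0{24}/.test(word)) warnings.push(`argument ${i}: address word has non-zero padding`);
      return "0x" + word.slice(24);
    }
    if (type === "bool") return BigInt("0x" + word) === 1n;
    return BigInt("0x" + word);
  });
  if (entry.name === "approve" && args[1] === UINT256_MAX) {
    warnings.push(`unlimited token approval to ${args[0]}`);
  }
  if (entry.name === "setApprovalForAll" && args[1] === true) {
    warnings.push(`operator ${args[0]} gains control of every token in the collection`);
  }
  return { name: entry.name, args, warnings };
}

// Encoder for approve(address,uint256), used to build the constructed sample.
function encodeApprove(spender, amount) {
  const addr = spender.toLowerCase().replace(/^0x/, "").padStart(64, "0");
  const amt = amount.toString(16).padStart(64, "0");
  return "0x095ea7b3" + addr + amt;
}

// Constructed drainer-style transaction: unlimited approval to a hypothetical spender.
const spender = "0x1111111111111111111111111111111111111111";
const drainer = decodeCalldata(encodeApprove(spender, UINT256_MAX));
console.log(drainer.name, drainer.args[0], drainer.args[1] === UINT256_MAX ? "UNLIMITED" : drainer.args[1]);
console.log(drainer.warnings);

module.exports = { decodeCalldata, encodeApprove, UINT256_MAX };
```

A blind-signing flow shows the user only a hash or raw hex of the above; a clear-signing flow renders the function name, the spender and the amount, and the “unlimited” warning is precisely the line that should make a user stop.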
As a reminder, in November, users who downloaded the counterfeit Ledger Live app from the Microsoft Store lost $768,000 in digital assets.