
Ledger users affected by hack of the wallet connector used with dapps
The hardware-wallet maker Ledger disclosed a compromise of a software library used by decentralized applications. An attacker was able to inject malicious code into the applications' front ends.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours before using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
According to Ledger’s statement, on December 14 at about 4:35 MSK (3:35 Kyiv time) the attacker replaced the legitimate Ledger Connect Kit with a counterfeit version. Physical devices and the Ledger Live app were not affected.
The team removed the malicious file, and the new genuine version 1.1.8 “is being distributed automatically”. However, developers advised against using the software for 24 hours.
Preliminary investigations showed the attacker gained access to an account on the NPMJS package registry through phishing that targeted a former Ledger employee.
The malicious file remained live for around five hours, but the window during which funds were stolen was estimated at two hours. To move assets, the attacker used WalletConnect, which severed the wallet's connection.
Ledger did not disclose the loss amount, but said it had contacted affected clients to discuss compensation.
To pursue the attacker, the company plans to approach law enforcement authorities.
Ledger reminded users that transactions must be signed using Clear Sign. If the details shown on the wallet's display differ from those shown on the computer or smartphone screen, users should immediately abort the operation, the developers emphasised.
#PeckShieldAlert Our community contributor has reported that the front ends of #Zapper, #Sushi have been compromised. https://t.co/WPkLZfNKpO
— PeckShieldAlert (@PeckShieldAlert) December 14, 2023
According to PeckShield, the incident led to the compromise of the front ends of Zapper and SushiSwap.
RED ALERT:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I'm Software (@MatthewLilley) December 14, 2023
“Do not interact with any dapps until further notice. It appears that a widely used Web3 connector has been compromised, enabling the injection of malicious code affecting numerous applications,” warned Sushi's CTO Matthew Lilley after the attack.
The Balancer team suggested that users refrain from using its interface for the time being, while the Revoke.cash protocol shut down its site.
BlockAid, a Web3 cyber-security firm, told Blockworks that it found losses of at least $150 000 across projects due to the injected malicious code. The firm named Sushi, Zapper, MetalSwap and EchoDEX as potentially affected sites.
Many commentators on Ledger’s post with the preliminary findings wondered how a former employee could still have access to a security-critical account.
Company that secures billions of dollars yet doesn’t stop former employees from having access, which is one of the most basic security procedures… LMAO
— CryptoLonghorn (@CryptoLonghorn) December 14, 2023
In the community, people recalled previous incidents, such as the 2020 leak of data on millions of wallet users, which led to massive phishing campaigns, and the discovery of critical vulnerabilities.
CEO Pascal Gauthier, in an open letter to the community, confirmed that the exploit was the result of a phishing attack on a former employee.
My message on the Ledger Connect Kit exploit. https://t.co/zLMUvfNM7t
— Pascal Gauthier @Ledger (@_pgauthier) December 14, 2023
According to him, the library update occurred 40 minutes after the attack was detected, and such incidents are a “disappointing one-off that reminds us of the need to raise the security bar around dapps, despite the safeguards built into firms.”
In May, the Ledger team introduced a controversial tool that allowed users to create a backup copy of the seed phrase in order to restore access to the Nano X. The move drew criticism from many in the industry, and its leading competitor, Trezor, surged by 900%.
In November, users who downloaded the counterfeit Ledger Live app published in the Microsoft Store lost $768 000 in digital assets.