{"id":88281,"date":"2023-12-14T20:11:24","date_gmt":"2023-12-14T18:11:24","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=88281"},"modified":"2025-09-13T17:02:53","modified_gmt":"2025-09-13T14:02:53","slug":"ledger-users-affected-by-hack-of-the-wallet-connector-used-with-dapps","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ledger-users-affected-by-hack-of-the-wallet-connector-used-with-dapps\/","title":{"rendered":"Ledger users affected by hack of the wallet connector used with dapps"},"content":{"rendered":"<p>The hardware-wallet maker Ledger disclosed a compromise of the software library used by decentralized applications. A hacker was able to inject malicious code into their interfaces.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">FINAL TIMELINE AND UPDATE TO CUSTOMERS:<\/p>\n<p>4:49pm CET:<\/p>\n<p>Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.<\/p>\n<p>The investigation continues, here is the timeline of what we know about\u2026<\/p>\n<p>\u2014 Ledger (@Ledger) <a href=\"https:\/\/twitter.com\/Ledger\/status\/1735326240658100414?ref_src=twsrc%5Etfw\">December 14, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to Ledger\u2019s statement, on December 14 at about 4:35 MSK (3:35 Kyiv time) the attacker replaced the legitimate Ledger Connect Kit with a counterfeit version. Physical devices and the Ledger Live app were not affected.<\/p>\n<p>The team removed the malicious file, and the new genuine version 1.1.8 \u201cis being distributed automatically\u201d. 
However, developers advised against using the software for 24 hours.<\/p>\n<p>Preliminary investigations showed the hacker gained access to an account on the NPMJS service through phishing targeting a former Ledger employee.<\/p>\n<p>The malicious file persisted for around five hours, but the window during which funds were stolen was estimated at two hours. To move assets, the attacker used WalletConnect, which severed the wallet\u2019s connection.<\/p>\n<p>Ledger did not disclose the loss amount, but said it had contacted affected clients to discuss compensation.<\/p>\n<p>To pursue the attacker, the company plans to approach law enforcement authorities.<\/p>\n<p>Ledger reminded users that transactions must be signed using Clear Sign. In case of discrepancies between the information on the wallet display and the computer or smartphone screen, users should immediately abort the operation, the developers emphasised.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/PeckShieldAlert?src=hash&#038;ref_src=twsrc%5Etfw\">#PeckShieldAlert<\/a> Our community contributor has reported that the front ends of <a href=\"https:\/\/twitter.com\/hashtag\/Zapper?src=hash&#038;ref_src=twsrc%5Etfw\">#Zapper<\/a>, <a href=\"https:\/\/twitter.com\/hashtag\/Sushi?src=hash&#038;ref_src=twsrc%5Etfw\">#Sushi<\/a> have been compromised.<a href=\"https:\/\/t.co\/WPkLZfNKpO\">https:\/\/t.co\/WPkLZfNKpO<\/a><\/p>\n<p>\u2014 PeckShieldAlert (@PeckShieldAlert) <a href=\"https:\/\/twitter.com\/PeckShieldAlert\/status\/1735279847126208850?ref_src=twsrc%5Etfw\">December 14, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to PeckShield, the incident led to the compromise of the front ends of Zapper and SushiSwap.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">
RED ALERT: <\/p>\n<p>Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.<\/p>\n<p>\u2014 I&#8217;m Software (@MatthewLilley) <a href=\"https:\/\/twitter.com\/MatthewLilley\/status\/1735275960662921638?ref_src=twsrc%5Etfw\">December 14, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cDo not interact with any <span data-descr=\"decentralized applications\" class=\"old_tooltip\">dapps<\/span> until further notice. It appears that a widely used Web3 connector has been compromised, enabling the injection of malicious code affecting numerous applications\u201d, warned Sushi\u2019s CTO Matthew Lilley after the attack.<\/p>\n<\/blockquote>\n<p>The Balancer team suggested that users refrain from using its interface for the time being, while the Revoke.cash protocol shut down its site.<\/p>\n<p>BlockAid, a Web3 cyber-security firm, told Blockworks that it found losses of at least $150 000 across projects due to the injected malicious code. The firm named Sushi, Zapper, MetalSwap and EchoDEX as potentially affected sites.<\/p>\n<p>Many commentators on Ledger\u2019s post with the preliminary findings wondered how a former employee could still have access to a security-critical account.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Company that secures billions of dollars yet doesn\u2019t stop former employees from having access, which is one of the most basic security procedures\u2026 LMAO<\/p>\n<p>\u2014 CryptoLonghorn
(@CryptoLonghorn) <a href=\"https:\/\/twitter.com\/CryptoLonghorn\/status\/1735327651135361264?ref_src=twsrc%5Etfw\">December 14, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In the community, people recalled previous incidents such as <a href=\"https:\/\/forklog.com\/en\/news\/ledger-reports-data-breach-affecting-around-one-million-users\">data leaks<\/a> of millions of wallet users in 2020, which led to massive <a href=\"https:\/\/forklog.com\/en\/news\/ledger-users-report-mass-phishing-attack\">phishing attacks<\/a>, or the discovery of critical vulnerabilities.<\/p>\n<div class=\"wp-block-text-wrappers-update-2 article_update\"><time class=\"gtb_text-wrappers_update_time\">15 December 2023 | 11:08<\/time><span class=\"gtb_text-wrappers_update_head\">Update: <\/span><\/p>\n<p>CEO Pascal Gauthier, in an open letter to the community, confirmed that the exploit was the result of a phishing attack on a former employee.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p lang=\"en\" dir=\"ltr\">My message on the Ledger Connect Kit exploit.<a href=\"https:\/\/t.co\/zLMUvfNM7t\">https:\/\/t.co\/zLMUvfNM7t<\/a><\/p>\n<p>\u2014 Pascal Gauthier @Ledger (@_pgauthier) <a href=\"https:\/\/twitter.com\/_pgauthier\/status\/1735377657628405857?ref_src=twsrc%5Etfw\">December 14, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to him, the library update occurred 40 minutes after the attack was detected, and such incidents are a \u201cdisappointing one-off that reminds us of the need to raise the security bar around dapps, despite the safeguards built into firms.\u201d<\/p>\n<\/div>\n<p>In May, the Ledger team <span data-descr=\"introduced\" class=\"old_tooltip\"><a href=\"https:\/\/forklog.com\/en\/news\/ledger-to-add-seed-phrase-recovery-option-to-nano-x\">introduced<\/a><\/span> a controversial 
tool that allowed creating a backup copy of the seed phrase to restore access to the Nano X. The move drew criticism from many in the industry, and sales of the leading competitor, Trezor, <span data-descr=\"surged by 900%\" class=\"old_tooltip\"><a href=\"https:\/\/forklog.com\/en\/news\/trezor-sales-surge-900-amid-ledger-recover-controversy\">surged by 900%<\/a><\/span>.<\/p>\n<p>In November, users who downloaded the counterfeit Ledger Live app published in the Microsoft Store lost <a href=\"https:\/\/forklog.com\/en\/news\/creators-of-fake-ledger-live-stole-768000-in-cryptocurrency\">$768 000<\/a> in digital assets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The hardware-wallet maker Ledger disclosed a compromise of the software library used by decentralized applications. A hacker was able to inject malicious code into their interfaces.<\/p>\n","protected":false},"author":1,"featured_media":88282,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[44,961,1640],"class_list":["post-88281","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-cybercrime","tag-hardware-wallets","tag-ledger"],"aioseo_notices":[],"amp_enabled":true,"views":"36","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/88281","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=88281"
}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/88281\/revisions"}],"predecessor-version":[{"id":88283,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/88281\/revisions\/88283"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/88282"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=88281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=88281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=88281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}