{"id":88502,"date":"2023-12-20T18:08:38","date_gmt":"2023-12-20T16:08:38","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=88502"},"modified":"2025-09-13T18:29:52","modified_gmt":"2025-09-13T15:29:52","slug":"ledger-puts-estimated-user-losses-from-recent-breach-at-about-600000","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/ledger-puts-estimated-user-losses-from-recent-breach-at-about-600000\/","title":{"rendered":"Ledger puts estimated user losses from recent breach at about $600,000"},"content":{"rendered":"<p>As a result of <a href=\"https:\/\/forklog.com\/en\/news\/ledger-users-affected-by-hack-of-the-wallet-connector-used-with-dapps\">the compromise<\/a> of the Ledger Connect Kit library on December 14, wallet users suffered losses of about $600,000.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">We are 100% focused on following up to last week\u2019s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe. <\/p>\n<p>We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.<\/p>\n<p>Ledger\u2026<\/p>\n<p>\u2014 Ledger (@Ledger) <a href=\"https:\/\/twitter.com\/Ledger\/status\/1737457365526470665?ref_src=twsrc%5Etfw\">December 20, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to the statement, the company will fully compensate the victims. 
Ledger\u2019s CEO Pascal Gauthier will oversee the reimbursement.<\/p>\n<p>The firm also published an incident report detailing some preliminary findings.<\/p>\n<p>On the morning of December 14, the attacker, through a phishing attack on a former Ledger employee, gained access to his account on the <span data-descr=\"JavaScript package manager\" class=\"old_tooltip\">NPMJS<\/span> service.<\/p>\n<p>From 12:49 to 14:37 MSK, the hacker published a malicious version of the Ledger Connect Kit library. This is an open-source solution through which developers of <span data-descr=\"decentralized applications\" class=\"old_tooltip\">dapps<\/span> connect applications to Ledger hardware. DeFi platforms automatically adopted the updated software.<\/p>\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/forklog.com\/wp-content\/uploads\/image-3.webp\" alt=\"Attack diagram. Data: Ledger.\" class=\"wp-image-222567\"\/><figcaption class=\"wp-element-caption\">Attack diagram. Data: Ledger.<\/figcaption><\/figure>\n<p>To redirect assets to his wallets, the hacker used a fake WalletConnect project.<\/p>\n<p>At 16:45 MSK, Ledger learned of the ongoing attack thanks to community response and a direct message via X from the Blockaid team. About half an hour later, security specialists received the information and, within 40 minutes, replaced the fraudulent software with legitimate software. But due to the nature of content delivery networks and caching mechanisms on the internet, the malicious file remained accessible for about 5 hours.<\/p>\n<p>However, Ledger estimates that the window during which the attacker emptied victims\u2019 wallets lasted less than two hours. 
Thanks to rapid coordination, the WalletConnect team disabled the fraudulent project, and <a href=\"https:\/\/forklog.com\/en\/news\/what-is-tether-usdt\">Tether<\/a> froze the hacker\u2019s USDT.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Tether just froze the Ledger exploiter address<\/p>\n<p>\u2014 Paolo Ardoino (@paoloardoino) <a href=\"https:\/\/twitter.com\/paoloardoino\/status\/1735315976827101274?ref_src=twsrc%5Etfw\">December 14, 2023<\/a><\/p><\/blockquote>\n<p> <script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Ledger emphasised that during the exploit the attacker did not gain access to any infrastructure such as a code repository or even to the dapps themselves. The malware was injected into application interfaces, prompting users to sign various kinds of transactions.<\/p>\n<p>According to the company, affected customers resorted to the \u201cblind signing\u201d method, not verifying on which device they were actually doing so. To prevent such incidents, the hardware-wallet maker plans to disable this option in 2024. Ledger urged users and dapp teams to use the Clear Sign solution.<\/p>\n<p>Regarding the concerns raised in the community about access to the ex-employee\u2019s NPMJS account, the firm acknowledged this was a lapse. 
The team is working on implementing additional controls at the software publication stage.<\/p>\n<p>As a reminder, in November, users who downloaded the counterfeit Ledger Live app from the Microsoft Store lost $768,000 in digital assets.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As a result of the December 14 compromise of the Ledger Connect Kit library, wallet users suffered about $600,000 in losses.<\/p>\n","protected":false},"author":1,"featured_media":88503,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"1","news_style_id":"1","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1154,44,961,1640],"class_list":["post-88502","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-crimes","tag-cybercrime","tag-hardware-wallets","tag-ledger"],"aioseo_notices":[],"amp_enabled":true,"views":"35","promo_type":"1","layout_type":"1","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/88502","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=88502"}],"version-history":[{"count":1,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/88502\/revisions"}],"predecessor-version":[{"id":88504,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/88502\/revisions\/88504"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/88503"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=885
02"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=88502"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=88502"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}