On Thursday, Ledger, a prominent maker of crypto hardware and software wallets, revealed that its Ledger Connect Kit, a library that decentralized apps (dApps) use to connect to the Ledger wallet service, had been compromised by hackers. This breach has raised concerns about the security of users’ crypto assets and has prompted widespread caution within the crypto community.
Key Takeaway
The supply chain attack on Ledger’s crypto wallet has raised concerns about the security of users’ assets and prompted widespread caution within the crypto community. Ledger has taken steps to address the breach and is actively assisting affected customers.
Details of the Attack
According to Ledger, the hackers gained access to a former employee’s NPMJS account through a phishing attack and used it to replace the genuine version of the Ledger Connect Kit with a malicious file. The unauthorized code was designed to deceive users into connecting their wallets to the malicious version of the Ledger Connect Kit, allowing the hackers to siphon funds from those wallets. Although Ledger swiftly deployed a fix, the malicious file was live for approximately five hours, and the window during which funds could be drained was limited to less than two hours.
Response and Impact
Following the incident, Ledger collaborated with WalletConnect to disable the rogue project, effectively halting the attack. The company also issued a genuine software update deemed safe for use and is actively assisting customers whose funds may have been affected. It has been reported that the Ledger hardware wallet, used by millions of individuals, remains unaffected by the breach.
Community Warnings and Reactions
As news of the supply chain attack spread, blockchain security researchers and industry professionals cautioned users about the potential risks associated with the compromised Ledger Connect Kit. Individuals within the web3 industry have also advised users to refrain from interacting with decentralized apps for the time being.