Ledger, a provider of hardware wallets for digital assets, has issued an urgent warning to users. The company’s ‘Ledger dApp Connect Kit’ was compromised in a supply chain attack, in which a wallet drainer embedded in the library led to theft estimated at over $484,000.
Immediate Measures and Updates
Ledger revealed on X that a ‘malicious version’ of its Ledger Connect Kit had been distributed. This kit is a key component that decentralized apps (dApps) from different developers use to integrate with the Ledger wallet service.
In response to this breach, Ledger has cautioned its users to stop using dApps temporarily. The malicious code, designed to steal digital assets from connected wallets, raises serious concerns about the security of using these applications.
Ledger has acted to address the issue, removing the compromised library and releasing a new, secure version. Ledger’s technology and security personnel acted promptly, deploying a solution within 40 minutes after the issue was identified. Although the malicious file remained active for nearly 5 hours, the period during which funds were compromised is estimated to be less than two hours.
Projects that used the affected versions (1.1.5, 1.1.6, and 1.1.7) are advised to update to the latest version (1.1.8) to ensure safety. Ledger also recommends that users ‘Clear Sign’ all transactions, following Ledger’s instructions, to add an extra layer of security.
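One way for a project to check whether any of the affected versions is pinned in its dependency tree is to scan the parsed package-lock.json, including copies nested under other packages. This is an added example, not Ledger's code; the npm package name `@ledgerhq/connect-kit` is an assumption (the article does not state it), and the sample lockfile is constructed.

```javascript
// Added example: flag lockfile entries for the affected Connect Kit releases.
// ASSUMPTION: the npm package name below is not given in the article.
const PACKAGE_NAME = "@ledgerhq/connect-kit";
const AFFECTED = new Set(["1.1.5", "1.1.6", "1.1.7"]); // versions named in the article
const FIXED = "1.1.8"; // fixed version named in the article

// Return every installed copy of the package found in a parsed package-lock.json.
// lockfileVersion 2/3 keeps a flat "packages" map keyed by path; version 1 nests "dependencies".
function findInstalls(lock) {
  const hits = [];
  const suffix = "node_modules/" + PACKAGE_NAME;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === suffix || path.endsWith("/" + suffix)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (hits.length === 0) { // fall back to the v1 tree (v2 files carry both, so avoid duplicates)
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const here = trail + "node_modules/" + name;
        if (name === PACKAGE_NAME) hits.push({ path: here, version: meta.version });
        walk(meta.dependencies, here + "/");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Label each installed copy and attach the version to move to when it is affected.
function auditLock(lock) {
  return findInstalls(lock).map((h) => ({
    ...h,
    status: AFFECTED.has(h.version) ? "AFFECTED" : "ok",
    upgradeTo: AFFECTED.has(h.version) ? FIXED : null,
  }));
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.0.1" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/some-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
  },
};

for (const r of auditLock(SAMPLE_LOCK)) console.log(`${r.status.padEnd(8)} ${r.version}  ${r.path}`);
```

A lockfile only lists copies installed at build time; a copy that a page fetches at runtime from a CDN will not appear in it.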
Ongoing Investigations
Recognizing the risk, projects such as Kyber and RevokeCash have announced on X that they have deactivated their front ends. Blockaid, a security firm, has identified this as a ‘supply chain attack’ on Ledger’s ConnectKit, where an intruder swapped the library’s software with malicious code designed to siphon off assets.
The company is also warning users about ongoing phishing attacks that are trying to exploit the situation. The exploit has been linked to a phishing attack on a former Ledger employee, and Ledger is working closely with law enforcement to find the perpetrator. This incident highlights the vulnerabilities in the web3 space and the importance of continuous vigilance and prompt action in protecting digital assets.