An attacker recently managed to compromise hardware devices for cold storage of cryptocurrencies by spreading a malicious version of the Ledger Connect Kit. As a result, decentralized applications (dApps) started suspending Ledger support, fearing repeated exploits. Experts say the incident may have negative consequences for the entire Ethereum ecosystem.
On December 14, the Lookonchain analytics team discovered that hackers had managed to compromise the Ledger hardware crypto wallets. The developers reported that they had discovered and removed a malicious version of the Ledger Connect Kit, which the hackers had already used to steal $484,000 worth of cryptocurrencies.
According to the Ledger team’s official account, the exploit was due to a mistake by a former employee. Through a phishing link, the attackers gained access to that employee’s computer and to their account on the npm JavaScript package registry (npmjs). This allowed them to publish a malicious update of the Ledger Connect Kit repository on GitHub.
The Ledger Connect Kit is a package for interfacing a cryptocurrency wallet with Web3 apps. Therefore, the hackers were able to redirect all funds sent via dApps by users who downloaded the malicious update. In particular, the Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash interfaces were compromised.
Before the Ledger developers could completely eliminate the malicious files, some decentralized apps started blocking communication with the Ledger Connect Kit on their end. For example, the team of the NFT marketplace OpenSea temporarily disabled support for the connector. The developers of the DeFi protocol Lido Finance also acted along the same lines, shutting down all external interfaces as a precautionary measure.
According to Pascal Gauthier, CEO of Ledger, the team detected the security breach and fixed it within 40 minutes. Overall, the hackers exploited the vulnerability for less than two hours. Gauthier also added that the current exploit was an isolated incident and the company strengthened its internal defenses and checked the computers and accounts of all employees who had access to Ledger’s program code.
However, the crypto community was shocked as the security of funds in hardware wallets was considered unwavering. Some users spoke out in a rather rude manner, accusing Ledger of negligence. And others suggested changing the company’s slogan, hinting that a hardware device can no longer be deemed the safest means of storing cryptocurrencies.
Linea’s development team believes that the attack could have negative implications for the entire ecosystem powered by the Ethereum Virtual Machine (EVM): the Ledger Connect Kit compromise could give the hackers access to many different dApps, and the security of those apps is now also in question. The team behind the MetaMask crypto wallet, which had to deploy an emergency update to fix issues in Portfolio caused by the Ledger Connect Kit interaction, shares this view.
Meanwhile, the Ledger team filed a complaint with law enforcement, which has begun investigating the incident. In cooperation with Tether, they were able to identify the exploiter’s address and freeze it. The company is also actively communicating with affected users to establish the details of the incident.
New cold-storage solutions for digital assets from IBM and from Block, the company led by Jack Dorsey, were also reported recently.