Crypto users saw roughly $500,000 worth of cryptocurrencies drained from their wallets Thursday morning due to a compromise of hardware wallet provider Ledger’s Connector Kit that allowed the front-end of several decentralized applications (dApps) to be exploited.
The vulnerability created widespread pandemonium in the crypto community because of how pervasive the exploit could potentially be since users didn’t need to be using a Ledger wallet to be affected, and the fact that it was affecting dApps on multiple chains.
Ledger has since removed the malicious version of the Ledger Connect Kit and replaced it with “the genuine version” several hours after the vulnerability was discovered, according to the crypto wallet provider’s X thread posted at 8:31 a.m. ET.
According to Ledger’s final timeline and update to customers, the attacker was able to publish a malicious version of the Ledger Connect Kit because “this morning CET, a former employee fell victim to a phishing attack that gained access to their NPMJS account.” NPMJS is a software registry for the JavaScript programming language that simplifies the process for developers to share and reuse code.
The company reminded users to “always Clear Sign your transactions” and that “if there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”
Matthew Lilley, the chief technology officer at decentralized exchange SushiSwap, wrote on X on Thursday morning, “Fortunately, the damage seems to be limited across the board thanks to a bit of luck and coincidence in discovering this early.”
Users Warned to Still Be Cautious
Ledger said, “The new genuine version should be propagated soon,” and yet people are still cautioning crypto users not to use dApps and crypto protocols. A Synthetix community admin asked everyone in Discord to refrain from interacting with its staking dApp, while Camelot “strongly” recommended “everyone to not interact with ANY DAPP until the situation is entirely clarified.”
“Even after Ledger corrects the bad code in their library, projects using and deploying that library will need to update things before it is safe to use dapps that use Ledger’s web3 libraries,” wrote Polygon Labs VP Hudson Jameson on X.
The codebase of Ledger’s Connector Kit contained a line that said “minimalDrainValue,” the source of the recent vulnerability. This compromise affected front-end users because if people interacted with the interface of decentralized applications such as SushiSwap, Zapper and RevokeCash, a malicious window would pop up and when users connected their wallets, their funds would be drained.
🚨 ledger library confirmed compromised and replaced with a drainer. wait out interacting with any dapps till things become clearer.https://t.co/xapunW8zC3 pic.twitter.com/NlAc11vhdv
— banteg (@bantg) December 14, 2023
This is not the first time that Ledger has encountered security concerns. For instance, in 2020, Ledger suffered a cyber attack that resulted in 1 million email addresses being leaked on RaidForums, as well as detailed personal information such as postal address, name and phone number. The U.S. Office of Public Affairs called RaidForums “a popular marketplace for cybercriminals to buy and sell hacked data.” Also in 2020, an email impersonating Ledger support used a phishing technique on customers in an attempt to steal their data.
Ledger also faced criticism for its safety policies in May 2023 when it announced its private keys recovery feature, which allowed customers to recover the keys to their Ledger wallet if, for example, they lost them.
In a video interview with Unchained, Ido Ben-Natan and Raz Niz, the founders of crypto security tools provider Blockaid said that wallet-draining attacks remain common in the crypto space.
“The uniqueness of this attack was mainly around how widespread it was because the attacker here was able to cause the supply chain attack that affected so many different sites in the ecosystem to drain their users,” Niz said.
UPDATE (Dec. 14, 2023, 13:50 EST): Adds Blockaid founders’ comments.
UPDATE (Dec. 14, 2023, 12:49 p.m. EST): Adds details of the amount taken from wallets.