
Breaking: Exploitation of Ledger Wallet Connect for Cryptocurrency DApps

TL;DR: Reports are emerging of an exploitation targeting Ledger HQ Wallet Connect for decentralized applications (DApps).

Update: 12/14/2023 11:01AM EST

Ledger has released a final update via their Twitter account:

“FINAL TIMELINE AND UPDATE TO CUSTOMERS: 4:49pm CET: Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again. The investigation continues, here is the timeline of what we know about the exploit at this moment:

– This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account.
– The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.
– Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.
– Ledger coordinated with @WalletConnect who quickly disabled the rogue project.
– The genuine and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use.
– For builders who are developing and interacting with the Ledger Connect Kit code: connect-kit development team on the NPM project are now read-only and can’t directly push the NPM package for safety reasons.
– We have internally rotated the secrets to publish on Ledger’s GitHub.
– Developers, please check again that you’re using the latest version, 1.1.8.
– Ledger, along with @Walletconnect and our partners, have reported the bad actor’s wallet address. The address is now visible on @chainalysis. @Tether_to has frozen the bad actor’s USDT.
– We remind you to always Clear Sign with your Ledger. What you see on the Ledger screen is what you actually sign. If you still need to blind sign, use an additional Ledger mint wallet or parse your transaction manually.
– We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time.
– We are filing a complaint and working with law enforcement on the investigation to find the attacker.
– We’re studying the exploit in order to avoid further attacks. We believe the attacker’s address where the funds were drained is here: 0x658729879fca881d9526480b82ae00efc54b5c2d

Thank you to @WalletConnect, @Tether_to, @Chainalysis, @zachxbt, and the whole community that helped us and continue to help us identify and solve this attack. Security will always prevail with the help of the whole ecosystem.”
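Ledger asks developers to confirm they are on 1.1.8. As an added example (not code from Ledger or any project named in this article), the script below audits an npm lockfile for the Connect Kit versions Ledger's timeline lists as malicious, including nested copies that a top-level dependency listing would miss. It assumes the kit is published on npm as `@ledgerhq/connect-kit` and that the lockfile is lockfileVersion 2 or 3; the sample lockfile is constructed.

```javascript
// Added example, not Ledger's or any dApp's own code. Assumptions: the kit is the npm
// package "@ledgerhq/connect-kit" and the lockfile is lockfileVersion 2/3 (a "packages"
// map keyed by install path). The version facts come from Ledger's timeline above.
const AFFECTED_PACKAGE = "@ledgerhq/connect-kit";                // assumed npm name
const MALICIOUS_VERSIONS = new Set(["1.1.5", "1.1.6", "1.1.7"]); // named by Ledger
const GENUINE_VERSION = "1.1.8";                                 // named by Ledger

// "1.1.8" -> [1, 1, 8]; a pre-release suffix such as "-beta.1" is ignored.
function parseVersion(v) {
  return v.split(".").slice(0, 3).map((p) => parseInt(p, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function classify(version) {
  if (MALICIOUS_VERSIONS.has(version)) return "compromised";
  if (compareVersions(version, GENUINE_VERSION) < 0) return "below-genuine";
  return "ok";
}

// Report every install of the kit, including nested copies such as
// "node_modules/foo/node_modules/@ledgerhq/connect-kit".
function auditLockfile(lockfile) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith("node_modules/" + AFFECTED_PACKAGE)) continue;
    findings.push({ path, version: meta.version, status: classify(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile: a hoisted malicious copy and a nested genuine one.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.1.0" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.7" },
    "node_modules/some-wallet-lib": { version: "2.0.0" },
    "node_modules/some-wallet-lib/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCKFILE)) {
  console.log(`${f.status.padEnd(13)} ${f.version}  ${f.path}`);
}
```

Because Ledger describes the genuine version as propagating automatically, a lockfile check only covers copies installed from npm; what a deployed front end actually loads at runtime needs to be checked separately.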

Update: 12/14/2023 9:03AM EST

Directly from Ledger:

“Update: The malicious version of the file was replaced with the genuine version at around 2:35pm CET. The new genuine version should be propagated soon. We will provide a comprehensive report as soon as it’s ready. In the meantime, we’d like to remind the community to always Clear Sign your transactions – remember that the addresses and the information presented on your Ledger screen is the only genuine information. If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.”

Update: 12/14/2023 8:43AM EST

SushiSwap’s Chief Technology Officer, Matthew Lilley, took to X to caution users, stating, “Do not interact with ANY dApps until further notice.” Lilley revealed that a commonly used web3 connector, associated with Ledger’s Connect Kit, had been compromised, allowing the injection of malicious code that could impact various decentralized applications (dApps).

SushiSwap officially addressed the situation, acknowledging the critical issue tied to Ledger’s connector. The exploit, if triggered, could inject malicious code affecting multiple dApps. SushiSwap specifically warned users about unexpected ‘Connect Wallet’ pop-ups and strongly advised against interacting or connecting their wallets if such prompts appeared.

The reported attack is a front-end exploit: it manipulates the user interface (UI) of a website or application rather than the protocol itself. By altering the functions exposed through the UI, attackers can redirect funds to addresses they control. Importantly, this type of exploit does not grant access to a protocol’s hot wallets.

Lilley pointed out that the suspicious code originated from Ledger’s GitHub page, indicating a compromise in the hardware wallet provider’s library. Users noted that Ledger’s library had been compromised and replaced with a token drainer, exacerbating the exploit’s impact.

The exploit involves a deceptive pop-up prompting users to connect their wallets, subsequently triggering the token drainer. The consequences of this vulnerability have extended beyond SushiSwap, affecting other DeFi platforms like Zapper and RevokeCash.

As the situation unfolds, the DeFi community is urged to exercise caution and refrain from interacting with any dApps until the security concerns related to Ledger’s Connect Kit are thoroughly addressed. Industry participants are closely monitoring the developments and working towards mitigating the potential risks associated with the exploit.

Original: 12/14/2023 8:31AM EST

In a significant development in the cryptocurrency space, reports are emerging of an exploitation targeting Ledger HQ Wallet Connect for decentralized applications (DApps). Users are advised to exercise caution and take immediate steps to secure their assets.

The Ledger Wallet Connect, a popular tool for interfacing with decentralized applications in the cryptocurrency ecosystem, is reportedly facing exploitation. The exploit involves a drainer, raising concerns about potential security vulnerabilities and unauthorized access to users’ cryptocurrency holdings.

At this time, specific details regarding the nature and extent of the exploitation are limited. However, users who have utilized the Ledger Wallet Connect kit for interacting with DApps are advised to take immediate action to secure their assets. A malicious popup window has been observed opening over the legitimate Wallet Connect Web3 function. This tactic compromises user security directly and raises questions about how sophisticated the ongoing exploitation is.

The exploitation of Ledger HQ Wallet Connect highlights the persistent challenges faced by users and developers in maintaining the security of cryptocurrency-related tools. Security breaches can lead to unauthorized access, financial losses, and compromise sensitive user information.

Immediate Action for Users:

  1. Cease Transactions: Users are strongly advised to temporarily cease any transactions or interactions using Ledger HQ Wallet Connect until further clarity on the situation is provided.
  2. Secure Assets: Consider transferring assets to secure wallets that are not currently associated with Ledger HQ Wallet Connect. Hardware wallets and other trusted solutions may be viable alternatives.
  3. Monitor Accounts: Regularly monitor cryptocurrency accounts for any unusual or unauthorized activity. If any suspicious transactions are detected, users should report them immediately.
  4. Update Security Measures: Review and update security measures, including passwords, PINs, and other authentication methods associated with Ledger and connected accounts.
  5. Stay Informed: Keep an eye on official announcements and updates from Ledger and other relevant authorities. Following credible sources will provide timely information on the status of the exploitation and any remedial measures.

Official Responses

As of now, there is no official statement from Ledger regarding the reported exploitation. Users are encouraged to monitor Ledger’s official channels for updates and guidance on addressing the situation.

The exploitation of Ledger HQ Wallet Connect underscores the critical importance of robust security practices in the cryptocurrency space. Users must remain vigilant, stay informed about potential threats, and take proactive steps to safeguard their digital assets.

This is a developing story, and further updates will be provided as more information becomes available. Users are urged to exercise caution and prioritize the security of their cryptocurrency holdings during this time of uncertainty.

Disclaimer: Information in this article is based on early reports, and users should verify details through official sources for the latest and most accurate information.
