Ledger Discloses Update and Timeline of the Recent Wallet Security Breach

Ledger, the crypto hardware wallet manufacturer, has disclosed an update and timeline for the recent security breach affecting its Connect Kit tool.

The security breach, which occurred yesterday, has raised questions about Ledger’s security practice. To allay these concerns and keep the community updated, the company shared a recap and an update on X, explaining the cause and the impact of the breach and the actions they took to fix it.

Timeline of the Ledger Breach

Ledger said that the breach started when a hacker got access to the NPMJS account of a former employee through a phishing attack. NPMJS is a platform that hosts code packages for developers. The crypto community has questioned why a former employee still has access to the company’s code.

FINAL TIMELINE AND UPDATE TO CUSTOMERS:

4:49pm CET:

Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.

The investigation continues, here is the timeline of what we know about…

— Ledger (@Ledger) December 14, 2023

After gaining access to the NPMJS, the hacker then uploaded a malicious version of the Ledger Connect Kit library. The Connect Kit is a tool that allows users to connect their hardware wallets to web browsers and other platforms. 

As a result, the exploit affected DeFi protocols that use this tool, including MetaMask, Lido, and Sushi. The malicious code used a fake WalletConnect to send funds to the hacker’s wallet. 

Any user who tried to connect to these DeFi protocols fell victim to the exploit. On-chain surveillance system Lookonchain revealed that, as of 14:44 (UTC) yesterday, the hacker had stolen about $484K worth of cryptocurrencies from several users.

However, it bears mentioning that the exploit did not in any way affect user funds stored on Ledger. Ledger CEO and Chairman Pascal Gauthier confirmed this in a letter yesterday. Users were advised to keep their assets on their Ledger and not interact with any dApp.

According to the Ledger team, theyiscovered and fixed the issue within 40 minutes. They confirmed that the malicious file was up for about 5 hours, but the movement of stolen funds occurred in the space of 2 hours. 

What Next?

The firm revealed that they also worked with WalletConnect to shut down the fake project. The company then released a safe and verified version of the Ledger Connect Kit, 1.1.8, and advised users to wait 24 hours before using it again.

To enhance security against future attacks, Ledger made the connect-kit development team for the NPM project read-only and updated the secrets for publication on Ledger’s GitHub repository.

The company also reminded users to always clear sign with their Ledger devices. Clear signing involves checking all the transaction details on the screen before approving. For blind signing, Ledger suggests using an additional Ledger mint wallet or manually parsing the transaction.

Ledger, along with WalletConnect and other partners, reported the hacker’s wallet address to Chainalysis, a blockchain analysis company, and Tether. Tether’s CEO Paolo Ardoino disclosed that Tether had frozen the hacker’s USDT.

According to Ledger, they are also talking to the customers who might have lost funds to help them. The company revealed that they are filing a complaint and working with law enforcement to find the hacker. Ledger is also studying the breach to avoid future exploits.