Users’ wallets were drained after an attack on Ledger’s Connect Kit, a JavaScript library that makes it easier for wallets to connect to decentralized apps (dApps).
A former Ledger employee’s compromised account was used to publish a malicious version of Connect Kit to the npm registry. That put at risk every service that pulls in the library, including services that never touch a Ledger hardware wallet.
Users on X (formerly Twitter) reported that the malicious version displayed an extra pop-up that led them into the wallet-drainer that took their funds. The drainer was built on modified WalletConnect code. The weak point was the default way the library is consumed: LedgerHQ’s “connect-kit-loader” fetched the most recent published version of Connect Kit from a content delivery network (CDN) at page load rather than pinning to a specific version, so a poisoned release was served to every site on its next load without any change to the site’s own code.
Ledger quickly responded to the situation.
🚨We have identified and removed a malicious version of the Ledger Connect Kit. 🚨
A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.
Your Ledger device and…
— Ledger (@Ledger) December 14, 2023
The attack on Ledger’s connector library appears to have had wider effects across the Ethereum Virtual Machine (EVM) ecosystem, touching protocols and tools including Phantom, Balancer, Revoke.cash, MetaMask and SushiSwap, according to the Linea team, the Consensys zero-knowledge (zk) rollup.
In response to the attack, Tether CEO Paolo Ardoino said on X that the company had frozen an address linked to the hack.
Tether just froze the Ledger exploiter address
— Paolo Ardoino 🍐 (@paoloardoino) December 14, 2023
The attacker targeted the Ledger connector library, the code that lets Ledger hardware wallets and dApps talk to each other. According to blockchain security firm CertiK, any dApp that loaded Connect Kit from the Ledger CDN executed the drainer code automatically, and the injected pop-up prompted visitors to connect whichever wallet the dApp accepted.
Blockchain investigator ZachXBT identified the exploiter’s address as 0x658729879fca881d9526480b82ae00efc54b5c2d. That address first sent funds to 0x412f10AAd96fD78da6736387e2C84931Ac20313f, an address labelled “Angel Drainer” and tied to phishing campaigns. The exploiter address received a mix of assets that DeBank valued at roughly $480,000 before they were moved out of the wallet.