Ledger attack details and new findings

Ledger has confirmed that multiple dApps on its connector library have been hacked and replaced with a drainer.
Among the victims, SushiSwap, whose CTO placed blame on Ledger’s content delivery system.
Users have been asked to wait out interacting with any dApps until things become clearer.

New findings from the Ledger dApps attack show that the exploiter may have left their email address behind.

Seems the hacker behind @Ledger left behind a Gmail account @bantg @JunichiSugiura did you just leave behind your personal account? You're caught in 4k pic.twitter.com/KeUWVQ4s1L
— 0xSentry (@0xSentry) December 14, 2023

Also, blockchain detective Lookonchain reports that the attacker made away with just about $484,000 worth of assets, and that they moved 4.334 ETH to the drainer address.

A hacker attacked #Ledger and has stolen ~$484K assets.#LedgerExploiter transferred 4.334 $ETH to #AngelDrainer.

And the #AngelDrainer is also receiving assets currently and holds $363K assets.https://t.co/ZG5SRlKBjW pic.twitter.com/RK9aPyAjEE
— Lookonchain (@lookonchain) December 14, 2023

Tether CTO Paolo Ardoino says "Tether just froze the Ledger exploiter address," while Crypto Banter's Ran Neuner urges users to shun interacting "with DeFi at all today! [as] No app is safe regardless of whether you use a Ledger."

The following section was published shortly after the attack

Ledger is the latest victim of a hacking incident after multiple decentralized applications (dApps) on its connector library were hacked. The exploiter inserted a wallet drainer account address through the vulnerable code. Among the affected dApps were SushiSwap, Revoke.cash, Zapper and Balancer.

seems like the Ledger's @ledgerhq/connect-kit npm package was hacked, the latest publish was 2 hours ago. https://t.co/jFb6CThljS pic.twitter.com/AsbA675D9Q
— Scam Sniffer | Web3 Anti-Scam (@realScamSniffer) December 14, 2023

Ledger has confirmed the vulnerability in its code, confirming having truncated a malicious version of the Ledger Connect Kit, with efforts to put a genuine version already underway.

We have identified and removed a malicious version of the Ledger Connect Kit.

A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves.

Your Ledger device and…
— Ledger (@Ledger) December 14, 2023

According to DAppsOn-chain analysts, the connect-kit-loader as well as every other dApp that uses LedgerHQ/connect-kit, is vulnerable and should not be used, acknowledging that this is a large-scale attack on multiple dApps.

ANY dApp which makes use of LedgerHQ/connect-kit is vulnerable. Don't use ANY dApps until further notice. This isn't a single isolated attack, it's a large-scale attack on multiple dApps. https://t.co/a3brXNQSx9
— I'm Software (@MatthewLilley) December 14, 2023

SushiSwap’s Chief Technical Officer, Mathew Lilley, explained that the attack allowed the injection of malicious code. Nevertheless, Sushi has confirmed working to remove the ledger wallet connector but asks users to “refrain from engaging with any dApps until further notice.”

Urgent Security Alert

We've identified a critical issue the ledger connector has been compromised, potentially allowing the injection of malicious code affecting various dApps.

If you have the Sushi page open and see an unexpected 'Connect Wallet' pop-up, DO NOT… https://t.co/alGVbnPfHW
— Sushi.com (@SushiSwap) December 14, 2023

Besides the bold assertion, Lilley blames Ledger for the attack, citing multiple blunders after Ledger’s content delivery system (CDN) was compromised. According to the CTO, Ledger first loaded java script from a compromised CDN before version-locking loaded java script.

With the addition of a drainer address, funds may not leave the user's account unless they react to prompts from a browser wallet. This could give the exploiter access to the user’s account. Users are therefore urged not to interact with untrusted prompts until the situation is resolved.

According to Polygon Labs Vice President, Hudson Jameson, the intervention by Ledger to remove the malicious version of the Ledger Connect Kit is not enough, adding that projects that use that library should update things on their own end prior to using dApps that leverage Ledger’s Web3 libraries.

Ledger Library Exploit Explainer for Average Folks

What is going on with the recent alerts not to use dapps?

A library that is used by many dapps that is maintained by Ledger was compromised and a wallet drainer was added.

What do I do as a normal user?

Do not interact with… https://t.co/exre0QfykD
— Hudson Jameson (@hudsonjameson) December 14, 2023

Ledger did not immediately respond to FXStreet team's request for comment.

Share: Cryptos feed

Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. FXStreet does not in any way guarantee that this information is free from mistakes, errors, or material misstatements. It also does not guarantee that this information is of a timely nature. Investing in Open Markets involves a great deal of risk, including the loss of all or a portion of your investment, as well as emotional distress. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of FXStreet nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.

If not otherwise explicitly mentioned in the body of the article, at the time of writing, the author has no position in any stock mentioned in this article and no business relationship with any company mentioned. The author has not received compensation for writing this article, other than from FXStreet.

FXStreet and the author do not provide personalized recommendations. The author makes no representations as to the accuracy, completeness, or suitability of this information. FXStreet and the author will not be liable for any errors, omissions or any losses, injuries or damages arising from this information and its display or use. Errors and omissions excepted.

The author and FXStreet are not registered investment advisors and nothing in this article is intended to be investment advice.