Hackers have compromised the code behind an encryption protocol used by many web3 applications and services, software maker Ledger said Thursday.
Ledger, a company that makes a widely used and popular cryptographic hardware and software wallet, among other products, announced on X (formerly Twitter) that someone had pushed a “malicious version” of the Ledger Connect Kita library that uses decentralized applications (dApps) built by other companies and projects to connect to the Ledger wallet service.
“A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps at this time. We will keep you updated as the situation develops,” Ledger wrote.
Right after, Ledger posted an update saying that hackers had replaced the original version of its software about six hours earlier, and that the company was investigating the incident and would “provide a full report once it’s ready.”
After this story was published, Ledger spokesman Phillip Costigan shared more details about the hack with TechCrunch and X. Costigan said a former Ledger employee was the victim of a phishing attack on Thursday that gave hackers access to the account NPMJS of their former employee. which is a software registry obtained from GitHub. From there, the hackers released a malicious version of the Ledger Connect Kit.
“The malicious code used a rogue WalletConnect project to reroute funds to a hacked wallet,” Costigan said.
Ledger then deployed a fix within 40 minutes of the company becoming aware of the hack. The malicious file, however, was live for about 5 hours, but “the window where funds were drained was limited to a period of less than two hours,” according to Costigan.
Ledger also “coordinated” with WalletConnect which “quickly disabled the rogue’s work,” effectively stopping the attack, according to Costigan.
Costigan also said that Ledger has released a genuine software update that is “safe to use”.
“We are actively talking to customers whose funds may have been affected and are proactively working to assist those individuals at this time,” the spokesperson said, adding that the company believes it has located the hacked wallet.
says the company has sold six million units of its hardware wallet and Ledger Live, its software equivalent, is used by 1.5 million users. The Ledger hardware wallet is not believed to be affected by the hack.
Tal Be’ery, the co-founder of crypto wallet ZenGo, told TechCrunch that the hackers essentially pushed a malicious version of the software designed to trick users into linking their wallets and assets to the malicious version of the software.
Contact us
Do you have more information about this hack? We would love to hear from you. Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram, Keybase and Wire @lorenzofb or email at lorenzo@techcrunch.com. You can also contact TechCrunch via SecureDrop.
This would allow hackers to drain the crypto inside users’ wallets — as long as users accepted the push to link their wallets to the malicious version of Ledger.
It was not immediately clear how many people were victims of the hack. ZachXBT, a well-known independent crypto researcher, wrote to X that one victim they had drained more than $600,000 in crypto from their account.
Several blockchain security researchers, as well as people working in the web3 industry, have warned users on social media about the supply chain hack against Ledger.
Matthew Lilley, the CTO of cryptocurrency trading platform Sushi, was one of the first to spot the attack and share the news.
“I would recommend never interacting with a [decentralized app] forever and honestly just get on with your life,” said Joseph Delong, CTO of NFT lending platform AstariaXYZ, joked to Xreferring to the fact that Ledger uses the notoriously insecure Java programming language.
UPDATE, Dec. 14, 11:28 a.m. ET: This story has been updated to include more details about the attack, provided by the company’s spokesperson.
