Get the scoop on finance - sign up for mobile alerts
Scams, Hacks & Breaches
| On
December 14, 2023

Ledger Hardware Wallet Announces Critical Security Vulnerability, Urges Users To Pause Interacting With DApps

By Mehron Rokhy

Crypto firm Ledger is warning users about a crucial exploit, urging them to pause their hardware wallet interactions with decentralized applications (DApps).

In a new thread on the social media platform X, Ledger says that it has found, identified, and replaced a malicious version of its connect kit, a piece of code used to connect hardware wallets to DApps.

ADVERTISEMENT

“We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any DApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised.”

According to Ledger, the exploit was discovered when a former employee fell victim to a phishing scam and lost access to his NPMJS account, a website used by developers to create code and applications.

The bad actor then uploaded a malicious version of Ledger’s connect kit that would reroute funds from users to the hacker’s wallet. However, Ledger was able to fix this issue about five hours after it went live.

Ledger then reported the exploiter’s address, prompting stablecoin issuer Tether (USDT) to freeze the bad actor’s stash of USDT.

ADVERTISEMENT

“This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account. The attacker published a malicious version of the Ledger Connect Kit. The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.

Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around five hours, however, we believe the window where funds were drained was limited to a period of less than two hours…

The genuine and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use. Ledger, along with Walletconnect and our partners, have reported the bad actor’s wallet address. The address is now visible on Chainalysis. Tether has frozen the bad actor’s USDT.”

According to blockchain tracking platform Lookonchain, the hacker managed to steal about $484,000 worth of digital assets from Ledger.

Don't Miss a Beat – Subscribe to get email alerts delivered directly to your inbox
Check Price Action
Follow us on X, Facebook and Telegram
Surf The Daily Hodl Mix
&nbsp
Disclaimer: Opinions expressed at The Daily Hodl are not investment advice. Investors should do their due diligence before making any high-risk investments in Bitcoin, cryptocurrency or digital assets. Please be advised that your transfers and trades are at your own risk, and any losses you may incur are your responsibility. The Daily Hodl does not recommend the buying or selling of any cryptocurrencies or digital assets, nor is The Daily Hodl an investment advisor. Please note that The Daily Hodl participates in affiliate marketing.

Featured Image: Shutterstock/lycreative.id

ADVERTISEMENT