Hardware wallet developer Ledger has reported that a software library used by decentralized applications has been compromised. The hacker was able to inject malicious code into the interfaces of those applications.
FINAL TIMELINE AND UPDATE TO CUSTOMERS:
4:49pm CET:
Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.
The investigation continues, here is the timeline of what we know about…
— Ledger (@Ledger) December 14, 2023
According to the statement, on December 14 at approximately 4:35 (Moscow time, 3:35 Kyiv), the attacker replaced the genuine version of the Ledger Connect Kit with a fake one. Users’ physical devices and the Ledger Live application were not affected by the attack.
The team removed the malicious file, and the new genuine version 1.1.8 is being “automatically distributed.” However, the developers recommended not using the software for 24 hours.
A preliminary investigation showed that the hacker gained access to the account on the NPMJS service through a phishing attack on a former Ledger employee.
The malicious file remained published for about 5 hours, but the team estimated the period during which funds were stolen at 2 hours. To withdraw assets, the attacker used WalletConnect, which disabled the scammer’s wallet.
Ledger did not disclose the amount of damage, but said it had contacted affected customers to discuss compensation.
The company intends to contact law enforcement agencies to find the attacker.
Ledger reminded users to Clear Sign their transactions. If the information on the wallet display differs from what is shown on the computer or smartphone screen, users should stop the operation immediately, the developers emphasized.
#PeckShieldAlert Our community contributor has reported that the front ends of #Zap, #Sushi have been compromised. https://t.co/WPkLZfNKpO
— PeckShieldAlert (@PeckShieldAlert) December 14, 2023
According to PeckShield, the incident led to the compromise of the Zapper and SushiSwap frontends.
🚨🚨🚨 RED ALERT 🚨🚨🚨:
Do not interact with ANY dApps until further notice. It appears that a commonly used web3 connector has been compromised which allows for injection of malicious code affecting numerous dApps.
— I’m Software 🦇🔊 (@MatthewLilley) December 14, 2023
“Do not interact with any dapps until further notice. It appears that a widely used Web3 connector has been compromised, allowing the injection of malicious code affecting multiple applications,” warned Sushi CTO Matthew Lilley after the attack was discovered.
The Balancer team advised users to temporarily stop using its interface, and Revoke.cash, a protocol for managing crypto assets, disabled its website.
Blockaid, a company specializing in cybersecurity in the Web3 industry, told Blockworks that projects lost at least $150,000 due to the introduction of malicious code. The company’s specialists mentioned Sushi, Zapper, MetalSwap and EchoDEX on the list of sites potentially affected by the attack.
Many commenters on Ledger’s post with the preliminary findings of the investigation questioned how the former employee retained access to the security-critical account.
Company that secures billions of dollars yet doesn’t stop former employees from having access, which is one of the most basic security procedures… LMAO
— CryptoLonghorn 🔥💃 (@CryptoLonghorn) December 14, 2023
The community recalled previous incidents such as the data leak of a million wallet users in 2020, which led to massive phishing attacks, or the discovery of critical vulnerabilities.
In May, the Ledger team introduced a controversial tool that allows you to back up your seed to restore access to your Nano X device. The decision drew criticism from many in the industry, and sales of its main competitor, Trezor, jumped by 900%.
Recall that in November, users who downloaded a fake Ledger Live application hosted in the Microsoft Store lost $768,000 in digital assets.
2023-12-14 17:12:05