Subscribe to our Telegram channel
Details of massive cryptocurrency theft from Ledger devices published
Ledger, a popular manufacturer of hardware crypto wallets, has warned customers about the dangers of using dApps (decentralized applications). The reason is a cyberattack on the supply chain.
The attackers injected malicious javascript code into the Ledger dApp Connect Kit library, which allows web3 applications to interact with Ledger wallets. This code automatically stole cryptocurrency and NFTs from accounts connected to the service.
According to the company, the problem was discovered on the morning of December 14, after the Ledger account on the NPMJS resource was subjected to a phishing attack. Unknown attackers have published a malicious analog of the Connect Kit, affecting versions 1.1.5, 1.1.6 and
The malicious javascript exploited a vulnerability in the third-party Wallet Connect library to redirect users' funds to hackers' accounts. The developers have removed the compromised versions of the Connect Kit and urgently released a new one —
However, the danger remains for third-party dApps that still run on older versions. Users are advised to refrain from using these applications until the problem is resolved.
As Ledger assured, the underlying software and hardware are not affected. The performance of the company’s most popular products, Ledger Live, and the hardware crypto wallets themselves was not affected.
However, the company has warned of increased phishing attacks. Users are advised to be vigilant and under no circumstances should they disclose a 24-word passphrase to attackers.
According to the blockchain company SlowMist, the Ledger library has been compromised since version
The investigation into the incident is still ongoing. The extent of the damage has not yet been established, although there have been reports of about $ 680,000 in theft. Ledger has already identified the addresses of the attackers' wallets, and the Tether team has frozen some of the stolen funds in USDT.