Crypto giant Ledger spent December 14 warning users not to interact with web3 decentralized apps amid concerns over a supply chain attack.
The attack on the ‘Ledger dApp Connect Kit’ library was found to be pushing a JavaScript wallet drainer, the company found.
Ledger has since confirmed that it was the victim of a phishing attack and that the error has been rectified, leaving users free to continue using Ledger Connect Kit
Crypto attack could have been avoided
Ledger confirmed at 4:49pm CET via a post on X that a former employee had fallen victim to a phishing attack which compromised their NPMJS account. The attacker used the compromised account to publish a malicious version of the Ledger Connect Kit, which used a rogue WalletConnect project to reroute funds to the hacker’s wallet.
Crypto researcher ZachXBT posted to X that over $610,000 had been stolen during the attack.
Ledger said that the malicious file, which affected versions 1.1.5, 1.1.6, and 1.1.7, was live for around five hours, but that the fund draining took place in a shorter period of around two hours. A fix was issued within 40 minutes of Ledger becoming aware, and the company has since confirmed that Ledger Connect Kit 1.1.8 is now fully propagated, and that users can continue as normal.
Ledger has also reported the attacker’s wallet address and frozen their USDT together with Tether.
Ledger CEO Pascal Gauthier has also responded to the incident, stating that the “unfortunate isolated incident” serves as a “reminder that security is not static” and that Ledger, and any other company, should continuously improve their security.
Gauthier added: “Ledger will support affected users in helping to find this bad actor, bring them to justice, track the funds, and work with law enforcement to help recover stolen assets from the hacker.”
More from TechRadar Pro
Services Marketplace – Listings, Bookings & Reviews