How Ledger’s Connect Kit was compromised


A very bad weekend for Ledger. The French unicorn, which makes hardware wallets for storing crypto-assets, was the victim of a cyberattack that allegedly led to the theft of the equivalent of around $610,000, according to the findings of blockchain investigator ZachXBT.

The hack unfolded over a few hours. According to Ledger, on Thursday morning, a former employee, apparently a developer, was the victim of a phishing attack. The stolen credentials gave the attacker access to his account on npmJS, a package manager for JavaScript, which in turn allowed the attacker to publish a malicious version of Ledger’s ConnectKit, the library that connects decentralized applications to crypto wallets.

Complaint in progress

“A solution was deployed 40 minutes after Ledger became aware of the situation,” the company said. “The malicious file remained online for approximately five hours, but we believe the time period during which funds were stolen was limited to less than two hours.”

The open source protocol WalletConnect also stated that it had deactivated the project reportedly used by the attacker to steal crypto-assets. The wallet receiving the funds, identified by crypto investigation firm Chainalysis, was reportedly frozen by Tether, while a complaint is to be filed by Ledger.

“Isolated incident”

“This is an unfortunate isolated incident,” argued Ledger boss Pascal Gauthier in a blog post. The chief executive pointed out that in 99% of cases it is impossible for a single person to deploy code without validation by a third party, yet that is what happened in this theft. To improve its security, Ledger plans to prevent its developers from publishing directly to the npm package, and access to its GitHub repository has been reviewed.

But as the specialist outlet Decrypt reports, Ledger has faced strong criticism. Matthew Lilley, the technical director of SushiSwap, pointed to “terrible mistakes”. “I updated my Ledger,” quipped another Internet user, posting a photo of a key that had just been destroyed.

Ledger products are regularly targeted by malicious hackers. Last month, a fake Ledger app published on the Microsoft App Store enabled the theft of the equivalent of several hundred thousand euros. The firm was also the victim of a major data leak in 2020.


