Supply Chain Attack Targeting Ledger Crypto Wallet Leaves Users Hacked (techcrunch.com) 17
An anonymous reader quotes a report from TechCrunch: Hackers compromised the code behind a crypto protocol used by multiple web3 applications and services, the software maker Ledger said on Thursday. Ledger, a company that makes a widely used and popular crypto hardware and software wallet, among other products, announced on X (previously Twitter) that someone had pushed out a "malicious version" of its Ledger Connect Kit, a library that decentralized apps (dApps) made by other companies and projects use to connect to the Ledger wallet service.
"A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves," Ledger wrote. Soon after, Ledger posted an update saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would "provide a comprehensive report as soon as it's ready." After this story was published, Ledger spokesperson Phillip Costigan shared more details about the hack with TechCrunch and on X.
Costigan said that a former Ledger employee was victim of a phishing attack on Thursday, which gave the hackers access to their former employee's NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit. "The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Costigan said. Then, Ledger deployed a fix within 40 minutes of the company becoming aware of the hack. The malicious file, however, was live for round 5 hours, but "the window where funds were drained was limited to a period of less than two hours," according to Costigan. Ledger also "coordinated" with WalletConnect which "quickly disabled the the rogue project," essentially stopping the attack, according to Costigan. Costigan also said Ledger pushed out a genuine software update that is "safe to use." "We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time," the Ledger spokeperson said, adding that the company believes it has identified the hackers' wallet.
"A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves," Ledger wrote. Soon after, Ledger posted an update saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would "provide a comprehensive report as soon as it's ready." After this story was published, Ledger spokesperson Phillip Costigan shared more details about the hack with TechCrunch and on X.
Costigan said that a former Ledger employee was victim of a phishing attack on Thursday, which gave the hackers access to their former employee's NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit. "The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet," Costigan said. Then, Ledger deployed a fix within 40 minutes of the company becoming aware of the hack. The malicious file, however, was live for round 5 hours, but "the window where funds were drained was limited to a period of less than two hours," according to Costigan. Ledger also "coordinated" with WalletConnect which "quickly disabled the the rogue project," essentially stopping the attack, according to Costigan. Costigan also said Ledger pushed out a genuine software update that is "safe to use." "We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time," the Ledger spokeperson said, adding that the company believes it has identified the hackers' wallet.
Wow (Score:3, Funny)
Good thing their money was safely invested as crypto.
Re: (Score:2)
Crypto = Crapto
Re: Wow (Score:2)
Thankfully it's a completely distributed system, where everyone bosses their own wallets and nothing is lost. Right? /s
fuck yeah (Score:1)
Unregulated digital money managed by inexperienced people. Where do I sign up?
Former Employee? (Score:1)
Re: (Score:2)
This is so much better than traditional banking! (Score:2, Troll)
Not only can I buy illegal guns, illegal drugs, and child porn while funding terrorists and autocracies, I can also lose all my money in a hack. Crypto just gets better and better!
Re: (Score:2)
Fucks Loading... Please Wait.. (Score:1)
So, the ignorant children who thought they would "stick it to the man and big, bad goobermint" are continuing to have their money taken from them because they're ignorant, spiteful children?
Am I missing something here? Why do we care? *This is exactly what they signed up for.* So what's the fucking problem? Maybe next time don't put your money somewhere that everyone else already knows is a bullshit scam?
Let them suffer, wither, and die. We need some examples of stupidity being dangerous and HAVING CONSEQUE
Stupid games win stupid prizes. (Score:1)
Good (Score:1)
But they said Crypto wallets were secure.... (Score:2)
Misleading title (Score:1)