Hackers have compromised the code of a key crypto protocol used by numerous web3 applications and services, software company Ledger said on Thursday.
Ledger, a popular company that produces both hardware and software wallets for cryptocurrencies, took to X (formerly known as Twitter) to announce that a “malicious version” of its Ledger Connect Kit had been released. This kit is used by decentralized apps (dApps) from other organizations and projects to connect with the Ledger wallet service.
They wrote, “We are currently pushing out a genuine version to replace the malicious file. Please refrain from interacting with any dApps for the time being. We will keep you informed as we continue to handle the situation.”
Shortly after, Ledger posted an update stating that the hackers had substituted the legitimate version of their software approximately six hours earlier. They also mentioned that they were actively investigating the incident and would provide a full report when it was ready.
Upon further inquiry, Ledger declined to comment.
The company stated that they have sold over six million units of their hardware wallet, and their software counterpart, Ledger Live, is used by 1.5 million users. It is believed that the Ledger hardware wallet has not been affected by the hack.
Tal Be’ery, co-founder of ZenGo, a cryptocurrency wallet, told TechCrunch that the hackers released a rogue version of the software designed to trick users into connecting their wallets and funds to it.
This would have allowed the hackers to withdraw the cryptocurrency from users’ wallets, as long as those users accepted the prompt to connect their wallets to the malicious Ledger version.
The extent of the damage is still unclear. ZachXBT, a well-known independent crypto researcher, stated on X that one user had over $600,000 drained from their account.
Various blockchain security experts, as well as individuals in the web3 industry, cautioned users on social media about the supply chain hack on Ledger.
Matthew Lilley, CTO of cryptocurrency trading platform Sushi, was one of the first to detect the attack and disseminate the news.
“@Ledger, you may want to take a closer look at this… Suspicious code is loading from here.” @MatthewLilley
Joseph Delong, CTO of NFT lending platform AstariaXYZ, joked on X, “I would suggest avoiding any [decentralized apps] in the future, and just move on with your life.” This comment referred to Ledger’s use of the notoriously insecure programming language, Java.