Cybercriminals compromise Ledger crypto wallet in sophisticated supply chain attack

Hackers compromised the code behind a crypto protocol used by multiple web3 applications and services, the software maker Ledger said on Thursday. The company says it has sold six million units of its hardware wallet, and Ledger Live, its software equivalent, is used by 1.5 million users. That would allow the hackers to drain the crypto inside users’ wallets — so long as the users accepted the push to connect their wallets to the malicious Ledger version. ZachXBT, a well-known independent crypto researcher, wrote on X that one victim had more than $600,000 in crypto drained from their account. Several blockchain security researchers, as well as people who work in the web3 industry, warned users on social media of the supply chain hack against Ledger.

Hackers have infiltrated the code of a key crypto protocol utilized by numerous web3 applications and services, according to Ledger, a software company, on Thursday.

Ledger, a popular company that produces both hardware and software wallets for cryptocurrencies, took to X (formerly known as Twitter) to announce that a “malicious version” of its Ledger Connect Kit had been released. This kit is used by decentralized apps (dApps) from other organizations and projects to connect with the Ledger wallet service.

They wrote, “We are currently pushing out a genuine version to replace the malicious file. Please refrain from interacting with any dApps for the time being. We will keep you informed as we continue to handle the situation.”

Shortly after, Ledger posted an update stating that the hackers had substituted the legitimate version of their software approximately six hours earlier. They also mentioned that they were actively investigating the incident and would provide a full report when it was ready.

Upon further inquiry, Ledger declined to comment.

The company stated that they have sold over six million units of their hardware wallet, and their software counterpart, Ledger Live, is used by 1.5 million users. It is believed that the Ledger hardware wallet has not been affected by the hack.

Tal Be’ery, co-founder of ZenGo, a cryptocurrency wallet, told TechCrunch that the hackers released a deceitful version of the software designed to deceive users into connecting their wallets and funds to the malicious version.

Contact Us

If you have any additional information regarding this hack, we would greatly appreciate hearing from you. Please reach out to Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase, and Wire using the username @lorenzofb, or email You can also contact TechCrunch via SecureDrop.

This would have allowed the hackers to withdraw the cryptocurrency from users’ wallets, as long as they accepted the push to connect their wallets to the malicious Ledger version.

The extent of the damage is still unclear. ZachXBT, a well-known independent crypto researcher, stated on X that one user had over $600,000 drained from their account.

Various blockchain security experts, as well as individuals in the web3 industry, cautioned users on social media about the supply chain hack on Ledger.

Matthew Lilley, CTO of cryptocurrency trading platform Sushi, was one of the first to detect the attack and disseminate the news.

“@Ledger, you may want to take a closer look at this… Suspicious code is loading from here.” @MatthewLilley

Joseph Delong, CTO of NFT lending platform AstariaXYZ, joked on X, “I would suggest avoiding any [decentralized apps] in the future, and just move on with your life.” This comment referred to Ledger’s use of the notoriously unsecure programming language, Java.

Avatar photo
Zara Khan

Zara Khan is a seasoned investigative journalist with a focus on social justice issues. She has won numerous awards for her groundbreaking reporting and has a reputation for fearlessly exposing wrongdoing.

Articles: 847

Leave a Reply

Your email address will not be published. Required fields are marked *