RRUPDATES📍: Inside The Ledger Connect Breach: Web 3 Apps Lose $484,000 In Sophisticated Attack😳

In a meticulously executed breach on December 14, the 'Ledger hacker' pilfered a minimum of $484,000 from various Web3 applications by manipulating users into unknowingly authorizing malicious token approvals, as reported by blockchain security platform Cyvers.

The attacker got in by phishing a former Ledger employee and taking over that employee's NPMJS (npm registry) account. With that publishing access, the attacker pushed a malicious release of the Ledger Connect Kit, a package that many Web3 applications depend on, to NPM.

Applications that pulled the latest version of the kit, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, served the tainted code to their users' browsers without anyone on the app side knowingly upgrading. The resulting drain took at least $484,000 from users of the affected apps, and because the kit is shared across many front ends, there were concerns about broader fallout across the Ethereum Virtual Machine (EVM) ecosystem.

Cyvers CEO Deddy Lavid, CTO Meir Dolev, and blockchain analyst Hakal Unal walked through the mechanics of the attack. The injected code presented misleading transaction data in users' wallets, so that users approved transactions they never intended to sign.

Developers commonly use open-source "connect kits" to handle the plumbing between a Web3 app and a user's wallet. Ledger's Connect Kit is one of the most widely used and is installed through Node Package Manager (NPM). That convenience is exactly what the attacker exploited: by injecting malicious code into the Ledger Connect Kit itself, they could tamper with every transaction the kit handed to users' wallets.

The malicious code rewrote the transaction details shown to the user, so that what looked like a routine action was in fact an approval granting a token contract's allowance to the attacker. Cyvers identified cases in which victims signed large token approvals to the malicious contract.

Ledger has since confirmed that a genuine version of the Connect Kit has fully propagated, replacing the malicious release.

Attacks like this are hard to prevent because wallet approval prompts often do not make clear what is actually being signed. The Cyvers team advises carefully reading every transaction confirmation while using an app, but that only goes so far when the prompt shows opaque or confusing calldata rather than a plain description of the effect.

Crypto has since shown its resilience with the total marketcap rising 1.5% despite an initial dip upon the news breaking.

As a reminder, this is not a trading signal or investment advice; it is an opinion, and each trader/investor should know and understand the risks of trading cryptocurrencies.

This should not be regarded as financial advice; feel free to familiarise yourself with our NFA disclaimer.
