Ledger, a popular cryptocurrency wallet maker, has confirmed that one of its JavaScript libraries was compromised by a malicious code that siphoned off more than $650,000 worth of Bitcoin and Bitcoin Cash from users’ wallets. The incident is the latest in a series of security breaches and scams that have plagued Ledger and its customers since July 2020.
The attack was carried out by injecting a malicious code into a JavaScript library called Connect Kit, which allows decentralized applications (DApps) to interact with Ledger devices. The library was developed by Ledger and published on npm, a repository of open-source JavaScript packages.
According to Ledger, the attacker gained access to the Connect Kit library on December 15, 2023, and replaced it with a malicious version that contained a hidden code that would steal users’ wallet information, including private keys, and send it to a remote server. The attacker then used this information to transfer funds from the compromised wallets to their own addresses.
The malicious code was active for about 24 hours before it was detected and removed by Ledger. During this time, the attacker managed to steal 1,513 Bitcoin Cash (BCH) and 5.039 Bitcoin (BTC), worth over $650,000 at the time of the attack.
Who Was Affected
The attack only affected users who installed or updated the Connect Kit library between December 15 and December 16, 2023, and used it to interact with DApps that required access to their Ledger devices. Ledger estimates that about 9,500 users were potentially exposed to the malicious code, but only a fraction of them actually lost funds.
Ledger has contacted the affected users and advised them to move their remaining funds to new wallets as soon as possible. Ledger has also offered to reimburse the stolen funds to the victims, as a gesture of goodwill and responsibility.
Ledger has also reported the incident to the relevant authorities and is cooperating with the investigation. Ledger has also published a detailed technical analysis of the attack on its website, along with a list of indicators of compromise (IOCs) that can help users identify if they were affected by the attack.
How To Protect Yourself
Ledger has apologized to its customers for the inconvenience and distress caused by the attack and has assured them that it is taking steps to prevent such incidents from happening again. Ledger has also reminded its users to follow some best practices to protect their funds and devices from malicious actors.
Some of these best practices are:
- Always verify the authenticity and integrity of the software and libraries you download from npm or other sources. You can use tools like npm audit or Snyk to check for vulnerabilities and malicious code in your dependencies.
- Always verify the address on your Ledger device before confirming a transaction. Do not rely on the address shown on your computer or mobile screen, as it may be tampered with by malware or phishing websites.
- Always keep your Ledger device updated with the latest firmware and applications. Ledger regularly releases security updates and bug fixes that enhance the performance and security of your device.
- Always use a strong and unique passphrase to protect your Ledger device. A passphrase is an additional word that you can add to your 24-word recovery phrase to create a new set of accounts on your device. A passphrase acts as a second layer of security that can prevent unauthorized access to your funds, even if your recovery phrase is compromised.
- Always be wary of phishing attempts and social engineering attacks that may try to trick you into revealing your personal information, recovery phrase, or passphrase. Ledger will never ask you for these details, nor will it send you unsolicited emails or messages with links or attachments. Do not click on any suspicious links or open any attachments that you receive from unknown sources.
Ledger’s Troubled History
This is not the first time that Ledger has faced security issues and customer complaints. In July 2020, Ledger suffered a data breach that exposed the personal information of over one million customers, including their names, email addresses, phone numbers, and physical addresses. The stolen data was later leaked online and used by scammers to target Ledger customers with phishing emails, phone calls, and even fake hardware wallets.
In November 2020, Ledger was also affected by a supply chain attack that compromised one of its dependencies, the Event-Stream library, which was used by its desktop application, Copay. The attacker injected a malicious code into the Event-Stream library that would steal Bitcoin and Bitcoin Cash funds from Copay users. The attack was discovered and mitigated before it caused any significant damage, but it raised questions about Ledger’s security practices and code review process.
Ledger has faced criticism and backlash from its customers and the crypto community for its handling of these incidents and its lack of transparency and communication. Ledger has acknowledged its mistakes and vowed to improve its security and customer service, but it remains to be seen if it can regain the trust and confidence of its users.