Ledger announces fix for connector compromise that drained crypto wallets

Ledger, a leading manufacturer of hardware wallets for storing cryptocurrencies, has announced that it has fixed a security vulnerability that allowed hackers to steal crypto assets from unsuspecting users. The vulnerability, which was discovered on December 14, 2023, affected Ledger’s open source package called @ledgerhq/connect-kit, which is used by developers to integrate Ledger devices with web3 applications.

According to Ledger, the hackers managed to inject malicious code into the connect-kit package, which enabled them to replace the user’s intended recipient address with their own address during a transaction. This way, the hackers were able to divert the funds to their own wallets, without the user noticing. Ledger estimates that the hackers stole around $484,000 worth of crypto assets across 500 to 1,000 wallets1.

Ledger announces fix for connector compromise that drained crypto wallets

Ledger has since removed the compromised versions of the connect-kit package and released a new version (1.1.8) that fixes the issue. Ledger also advises users to update their Ledger Live application to the latest version (2.35.2) and to always verify the recipient address on their Ledger device before confirming a transaction. Ledger says that it is working with law enforcement authorities and blockchain analysis firms to track down the hackers and recover the stolen funds2.

The connect-kit compromise is the latest in a series of security breaches that have plagued Ledger and its customers. In July 2020, Ledger’s e-commerce partner Shopify was hacked, resulting in the leak of personal information of about 272,000 Ledger customers, including email addresses, names, and postal addresses. The leaked data was later dumped on a website called Raidforums, exposing Ledger customers to phishing scams and other threats3.

Ledger has faced criticism from the crypto community for its handling of the security incidents and its lack of transparency and communication with its customers. Some users have also reported receiving unwanted tokens and NFTs from scammers, which Ledger calls “address poisoning”. Ledger warns users not to click on any links or interact with any suspicious transactions, and to hide any unwanted tokens or NFTs in Ledger Live4.

Despite the security challenges, Ledger remains one of the most popular and trusted brands in the crypto hardware wallet market, with over 3 million devices sold worldwide. Ledger claims that its devices are still safe and secure, and that its software is constantly being audited and improved. Ledger also says that it has hired a new Chief Information Security Officer (CISO) and conducted a series of penetration tests to enhance its security3.

Ledger announces fix for connector compromise that drained crypto wallets

Ledger Security Breach

In a recent development, Ledger, a leading manufacturer of hardware wallets for storing cryptocurrencies, has faced a significant security breach that has raised concerns among its users. The breach, involving a vulnerability in Ledger’s open source package called @ledgerhq/connect-kit, allowed hackers to steal crypto assets from unsuspecting users. This article aims to delve into the details of the incident, Ledger’s response, and the broader implications for the crypto community.

The Connect-Kit Compromise

The security vulnerability, discovered on December 14, 2023, enabled hackers to inject malicious code into the connect-kit package. This code manipulation allowed them to replace the user’s intended recipient address with their own during a transaction, diverting funds to their wallets without the user’s knowledge. Ledger estimates that approximately $484,000 worth of crypto assets were stolen across 500 to 1,000 wallets.

Ledger’s Response

Ledger promptly removed the compromised versions of the connect-kit package and released a new version (1.1.8) to address the security issue. The company also advises users to update their Ledger Live application to the latest version (2.35.2) and to always verify the recipient address on their Ledger device before confirming a transaction. Additionally, Ledger is collaborating with law enforcement authorities and blockchain analysis firms to track down the hackers and recover the stolen funds.

Previous Security Incidents

This incident is not the first time Ledger has faced security challenges. In July 2020, a hack of Ledger’s e-commerce partner Shopify led to the leakage of personal information of about 272,000 Ledger customers. This exposed customers to phishing scams and other threats, raising concerns about Ledger’s overall security infrastructure.

Criticism and Transparency Issues

Ledger has received criticism from the crypto community for its handling of security incidents and perceived lack of transparency and communication with its customers. The leak of personal information in 2020 and the recent connect-kit compromise have contributed to doubts about Ledger’s commitment to user security.

Ledger announces fix for connector compromise that drained crypto wallets

Address Poisoning and Unwanted Tokens

Some users have reported receiving unwanted tokens and NFTs from scammers, a phenomenon Ledger refers to as “address poisoning.” To mitigate this, Ledger warns users not to click on any links or interact with suspicious transactions and advises hiding any unwanted tokens or NFTs in Ledger Live.

Ledger’s Market Standing

Despite these security challenges, Ledger remains one of the most popular and trusted brands in the crypto hardware wallet market, with over 3 million devices sold worldwide. The company asserts that its devices are still safe and secure, emphasizing continuous software audits and improvements. Additionally, Ledger has hired a new Chief Information Security Officer (CISO) and conducted penetration tests to enhance its security.

Conclusion

The recent connect-kit compromise highlights the ongoing challenges in securing cryptocurrency assets and the importance of robust security measures in the crypto industry. Ledger’s response and future actions will likely play a crucial role in restoring user confidence and maintaining its position in the market.


Summarizing the Information

AspectDetails
Incident DateDecember 14, 2023
Vulnerability@ledgerhq/connect-kit
Stolen AmountApproximately $484,000 worth of crypto assets
Ledger’s ResponseRemoval of compromised connect-kit versions, release of a new version (1.1.8), and user advisories
Collaboration EffortsWorking with law enforcement and blockchain analysis firms to track down hackers
Previous IncidentsJuly 2020: Shopify hack leading to leakage of customer information
User CriticismConcerns about transparency, communication, and overall security measures
Address PoisoningUsers receiving unwanted tokens and NFTs (address poisoning)
Market StandingOver 3 million devices sold worldwide, emphasis on ongoing security measures
Chief Information Security OfficerHiring a new CISO to strengthen security

FAQ

1. What is Ledger’s connect-kit package?

Ledger’s connect-kit package is an open source package used by developers to integrate Ledger devices with web3 applications.

2. How did the recent security vulnerability occur?

The vulnerability involved hackers injecting malicious code into the connect-kit package, allowing them to replace user-intended recipient addresses during transactions.

3. How much crypto assets were estimated to be stolen in the recent incident?

Ledger estimates that approximately $484,000 worth of crypto assets were stolen across 500 to 1,000 wallets.

4. How did Ledger respond to the security breach?

Ledger promptly removed compromised connect-kit versions, released a new version (1.1.8), and advised users to update their Ledger Live application.

5. What collaboration efforts are being made to address the breach?

Ledger is working with law enforcement authorities and blockchain analysis firms to track down the hackers and recover stolen funds.

6. What previous security incidents has Ledger faced?

In July 2020, Ledger’s e-commerce partner Shopify was hacked, leading to the leakage of personal information of about 272,000 Ledger customers.

7. How does Ledger address concerns about transparency and communication?

Ledger has faced criticism for its handling of security incidents; however, the company emphasizes continuous improvement and has hired a new Chief Information Security Officer (CISO).

Related articles

Revolutionary AI Tool Sora Transforms Text to Videos

Futuristic AI tool Sora revolutionizes content creation by magically transforming text into captivating videos, sparking a wave of curiosity and intrigue.

OpenAI Unveils Revolutionary Video Model: Sora

Innovative video model Sora by OpenAI revolutionizes text-to-video generation, sparking curiosity about its game-changing implications in content creation.

OpenAI Introduces Sora: A Breakthrough in Text-to-Video Generation

Sora: A Breakthrough in Text-to-Video GenerationOpenAI has unveiled...

Farm3D Review, Details, Pricing, Features, Pros & Cons 2024

Farm3DLearning Articulated 3D Animals by Distilling 2D Diffusion

Try Ultra 1.0 and New Mobile App Today: Bard Becomes Gemini

If you're a fan of Google's chatbot, Bard, you'll...

Case Studies

Content & copywriting

Compass Music Platform

Overview: In response to the growing need for a centralized platform connecting musicians with potential clients and fans, our team developed a bespoke music...
Content & copywriting

NewsWeek Magazine

Project Overview:In collaboration with a prestigious news magazine known for its compelling journalism and high editorial standards, we designed and developed a custom eMagazine...
E-commerce development

Beauty & Makeup Shop

Project Overview:We collaborated with a prominent beauty retailer to create a custom eCommerce website designed to transform their online presence and boost their sales...