A security vulnerability in Ledger’s Connector library has led to a major security breach in the crypto community. Attackers were able to replace a genuine version of the library with a malicious file, resulting in the compromise of several decentralized applications (dApps) and the theft of over $500,000 from multiple wallets.

The incident occurred after a former employee of Ledger was phished, giving the hackers access to the employee’s NPMJS account. The hackers then released altered versions of the Ledger Connect Kit, which contained malicious code. This code was used to create a deceptive WalletConnect prompt that redirected funds to a wallet controlled by the hacker.

Users were deceived by fake prompts displayed upon connection to the dApp frontend, leading them to unwittingly approve fake transactions. Clicking on these prompts resulted in the signing of a transaction that drained the user’s wallet.

Fortunately, Ledger swiftly addressed the issue by replacing the malicious Ledger Connect Kit with an authentic version. The company deployed a fix within 40 minutes of becoming aware of the breach. Although the malicious file was live for around 5 hours, the window where funds were drained was limited to less than two hours.

Despite the fix, $610,000 was stolen from various wallets. The attacker’s wallet has been tagged as the “Ledger Exploiter” and currently holds a balance exceeding $330,000. Tether froze the exploiter’s wallet, which contained about $44,000 worth of USDT.

It is important to note that the security breach does not directly impact the Ledger wallet or compromise seed phrases. Ledger users can continue to use their hardware wallets. However, they are advised to avoid interacting with decentralized applications until further notice from the platforms.

Developers have been informed that the genuine version of the compromised Connect Kit has been automatically propagated. Ledger recommends waiting 24 hours before using the Ledger Connect Kit again.



This News Article was automatically generated by Bob the Bot (AI)
