Ledger Wallet Kit Security Incident Hack Analysis

Olympix
Dec 26, 2023

Ledger Wallet Kit Hack Timeline

Phishing Attack

  • A former Ledger employee falls victim to a phishing attack, granting the attacker access to their NPMJS account.

Malicious Kit Upload

  • The attacker uses the stolen NPMJS credentials to publish a compromised version of the Ledger Connect Kit (versions 1.1.5, 1.1.6, and 1.1.7).
  • This malicious kit contains code that redirects funds to the attacker’s wallet through a rogue WalletConnect project. (WalletConnect is a software company offering Web3 SDKs that connect cryptocurrency wallets to decentralized applications (dApps) on the web.)

Vulnerability Window

  • The compromised kit remains live for approximately 5 hours, creating a window for potential exploitation.
  • Ledger estimates the actual fund-draining activity occurred within a smaller window of less than 2 hours.

Alert and Response

  • Ledger’s security team is alerted to the vulnerability.
  • A fix is deployed within 40 minutes, disabling the malicious code and preventing further exploitation.

Collaboration and Recovery

  • Ledger collaborates with WalletConnect to disable the rogue project associated with the exploit.
  • The genuine Ledger Connect Kit version 1.1.8 is propagated, restoring safe functionality.
  • Ledger coordinates with law enforcement to investigate the incident and track the attacker.
  • Tether freezes the attacker’s USDT funds, potentially mitigating financial damage.

User Communication and Education

  • Ledger issues a public update, informing users about the vulnerability and recommending using version 1.1.8.

Abstract

Ledger, renowned for manufacturing self-custody cryptocurrency hardware wallets, offers the Connect Kit JavaScript library, which connects Ledger devices to third-party dApps. Decentralized finance protocols like Lido, MetaMask, Coinbase, and Sushi use this software to establish connections between dApps and Ledger’s products. On Thursday, a former Ledger employee fell victim to a phishing attack that gave the attackers access to their NPMJS account, which they then used to release a malicious version of the Ledger Connect Kit.

This malicious upgrade allowed the hackers to manipulate the functions shown to users, leading them to unintentionally send funds to the attackers instead of to their intended wallets.

Ledger made a series of cybersecurity mistakes, as the CTO of SushiSwap mentioned.

The Vulnerability

Sushi’s Chief Technology Officer raised the alarm about a widespread vulnerability connected to Ledger’s Connect Kit, as the decentralized finance (DeFi) protocol fell victim to a front-end exploit.

The Ledger team officially acknowledged the malicious upgrade of the Ledger Connect Kit library and took corrective action by replacing the compromised file with an authentic version of the JavaScript library.

The Exploit

Using a rogue WalletConnect project, the hackers redirected funds to a wallet they controlled. Ledger deployed a fix within 40 minutes of becoming aware of the issue, although the malicious file had been live for approximately five hours. The actual period of fund drainage was limited to less than two hours, during which affected users lost an estimated $600,000.

A look at one of the hacker wallets using Etherscan

The attackers replaced the regular logic for managing the browser window with a Drainer class, introducing a fraudulent Drainer popup. This deceptive popup then executed the transfer logic for different assets. In addition, the attackers launched phishing attacks against cryptocurrency users, delivered through a Content Delivery Network (CDN).

In a breach of this kind, malicious actors can run unauthorized code with the same permissions as the targeted application, which means they can swiftly drain users’ funds without any user interaction. They may also deploy various phishing tactics: spreading deceptive links to trick users, or exploiting users’ anxiety by persuading them to transfer assets to a fraudulent address or to download a counterfeit wallet, either of which leads to losses.

Based on a tweet by Twitter user 0xSentry, there are suspicions that the attackers left a digital trail implicating the Gmail account of Jun, a former Ledger employee. Ledger may have overlooked revoking this employee’s access rights.

Image credit: 0xSentry

The Aftermath

Ledger collaborated with WalletConnect, resulting in the swift disabling of the rogue project and halting of the attack.

Tether’s CTO announced that the organization behind the USDT stablecoin had blacklisted the exploiter’s address, which held $400,000 worth of crypto assets, including $40,000 of stolen USDT. Following Tether’s blacklisting of the Ledger exploiter, the attacker proceeded to transfer various ERC-20 tokens, including USDC and stETH, to an externally owned account (EOA). Approximately 60,000 USDC and around 34 stETH were exchanged for ETH, resulting in a total holding of roughly $158,000 in the EOA.

Security Advisory for Users

  • Exercise caution and avoid blindly signing unknown transactions. Verify the payload being signed by wallet apps to ensure it follows a recognized pattern.
  • Regularly clear your browser cache to prevent compromised libraries from being fetched from the cache.
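The first advisory above asks users to verify the payload before signing. The following is an added example, not code from the original post or from Ledger, of what such a check looks like for the most common drainer payloads: it decodes ERC-20 `transfer(address,uint256)` and `approve(address,uint256)` calldata and refuses to sign unless the recipient is on the user's own allow-list and the amount is within a limit. The selectors are the standard ERC-20 ones; the addresses, amounts, allow-list and the `encodeErc20Call` helper used to build the samples are constructed for this example.

```javascript
// Added example, not code from the original post: a pre-signing check that
// decodes ERC-20 transfer/approve calldata and refuses to sign unless the
// recipient is on the user's allow-list and the amount is within a limit.
// Addresses, amounts and the allow-list below are constructed sample data.

// First four bytes of keccak256 of the function signature (standard ERC-20 selectors).
const SELECTORS = {
  a9059cbb: "transfer", // transfer(address,uint256)
  "095ea7b3": "approve", // approve(address,uint256)
};

// ABI-encode a two-argument (address, uint256) call; used here only to build sample payloads.
function encodeErc20Call(selectorHex, to, amount) {
  const addrWord = to.slice(2).toLowerCase().padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x" + selectorHex + addrWord + amountWord;
}

// Decode calldata into { kind, to, amount }; anything that is not a well-formed
// transfer/approve comes back as kind "unknown" so the caller can reject it.
function decodeErc20Call(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error("calldata is not hex");
  const selector = hex.slice(0, 8).toLowerCase();
  const kind = SELECTORS[selector];
  // Two 32-byte ABI words follow the 4-byte selector: 8 + 64 + 64 hex characters.
  if (!kind || hex.length !== 136) return { kind: "unknown", selector };
  const addrWord = hex.slice(8, 72);
  const amountWord = hex.slice(72, 136);
  // A 20-byte address is left-padded with 12 zero bytes; anything else is malformed.
  if (!/^0{24}/.test(addrWord)) return { kind: "unknown", selector };
  return {
    kind,
    to: "0x" + addrWord.slice(24).toLowerCase(),
    amount: BigInt("0x" + amountWord),
  };
}

// Policy gate: only recognised calls, only to allow-listed recipients, only up to maxAmount.
function checkBeforeSign(tx, allowlist, maxAmount) {
  const decoded = decodeErc20Call(tx.data);
  if (decoded.kind === "unknown") {
    return { ok: false, reason: `unrecognised calldata (selector ${decoded.selector})` };
  }
  if (!allowlist.has(decoded.to)) {
    return { ok: false, reason: `${decoded.kind} to address not on allow-list: ${decoded.to}` };
  }
  if (decoded.amount > maxAmount) {
    return { ok: false, reason: `${decoded.kind} amount ${decoded.amount} exceeds limit ${maxAmount}` };
  }
  return { ok: true, decoded };
}

// Constructed sample data: the user's known recipient versus an unknown address.
const TOKEN_CONTRACT = "0x3333333333333333333333333333333333333333";
const KNOWN_RECIPIENT = "0x1111111111111111111111111111111111111111";
const UNKNOWN_ADDRESS = "0x2222222222222222222222222222222222222222";
const ALLOWLIST = new Set([KNOWN_RECIPIENT]);
const MAX_AMOUNT = 10n ** 21n; // 1000 tokens with 18 decimals
const UNLIMITED = (1n << 256n) - 1n; // the "infinite approval" a drainer typically requests

const goodTx = { to: TOKEN_CONTRACT, data: encodeErc20Call("a9059cbb", KNOWN_RECIPIENT, 10n ** 18n) };
const redirectedTx = { to: TOKEN_CONTRACT, data: encodeErc20Call("a9059cbb", UNKNOWN_ADDRESS, 10n ** 18n) };
const infiniteApproveTx = { to: TOKEN_CONTRACT, data: encodeErc20Call("095ea7b3", KNOWN_RECIPIENT, UNLIMITED) };

for (const tx of [goodTx, redirectedTx, infiniteApproveTx]) {
  console.log(checkBeforeSign(tx, ALLOWLIST, MAX_AMOUNT));
}
```

The redirected transfer is rejected because the recipient is not on the allow-list, and the approval is rejected because its amount exceeds the limit even though the spender is known; an unrecognised selector is rejected outright rather than signed blind. A hardware wallet's on-device display is the place to compare the decoded recipient against what the dApp claims, since the browser page itself was the compromised component in this incident.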

Security Advisory for Ledger

Enhanced Phishing Training

Implement robust phishing awareness training for all employees, emphasizing best practices for identifying and avoiding suspicious emails, links, and attachments.

Multi-Factor Authentication (MFA)

Enforce MFA for all employee accounts, especially those with access to critical resources like NPMJS accounts.

Least Privilege Access Control

Implement strict access control policies, ensuring employees only have access to the resources they need for their tasks.

Code Reviews and Audits

Establish rigorous code review and audit processes for all software updates, especially for dependencies and external libraries.

Software Security

Code Signing

Implement code signing practices for Ledger Connect Kit updates to ensure authenticity and prevent tampering.

Dependency Management

Implement secure dependency management practices to identify and mitigate vulnerabilities in external libraries.

Continuous Monitoring

Employ automated security monitoring tools to detect suspicious activity and vulnerabilities in the software and infrastructure.
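One monitor that directly targets the publish step abused in this incident, given here as an added example and not as Ledger's own tooling: it compares a freshly fetched registry document for the package against the previous snapshot and raises a high-severity alert for every version that appeared in between without coming from an approved publishing account, plus a medium alert whenever the `latest` dist-tag moves. The field names (`dist-tags`, `time`, `versions[v]._npmUser`) follow the full npm registry packument; the package name, the `release-bot` account, the timestamps and both documents are constructed for the example.

```javascript
// Added example, not Ledger's tooling: a publish monitor for an npm package.
// It diffs two registry documents and alerts on new versions from unapproved
// publishers and on dist-tag moves. All data below is constructed.

const PACKAGE = "@ledgerhq/connect-kit"; // package name from the incident write-up
const APPROVED_PUBLISHERS = new Set(["release-bot"]); // hypothetical CI publishing account

// Snapshot taken on an earlier run (constructed).
const baseline = {
  "dist-tags": { latest: "1.1.4" },
  time: { "1.1.4": "2023-12-01T10:00:00.000Z" },
  versions: { "1.1.4": { _npmUser: { name: "release-bot" } } },
};

// Document fetched on the current run (constructed): three new versions from
// an account that is not on the approved list, and "latest" now points at one.
const current = {
  "dist-tags": { latest: "1.1.7" },
  time: {
    "1.1.4": "2023-12-01T10:00:00.000Z",
    "1.1.5": "2023-12-10T09:00:00.000Z",
    "1.1.6": "2023-12-10T09:20:00.000Z",
    "1.1.7": "2023-12-10T09:40:00.000Z",
  },
  versions: {
    "1.1.4": { _npmUser: { name: "release-bot" } },
    "1.1.5": { _npmUser: { name: "unapproved-account" } },
    "1.1.6": { _npmUser: { name: "unapproved-account" } },
    "1.1.7": { _npmUser: { name: "unapproved-account" } },
  },
};

// Compare the previous and current packuments and return a list of alerts.
function diffPackuments(prev, next, approved) {
  const alerts = [];
  const known = new Set(Object.keys(prev.versions));
  for (const version of Object.keys(next.versions)) {
    if (known.has(version)) continue; // already reviewed on an earlier run
    const publisher = (next.versions[version]._npmUser || {}).name || "unknown";
    alerts.push({
      kind: "new-version",
      severity: approved.has(publisher) ? "info" : "high",
      version,
      publisher,
      publishedAt: next.time[version] || "unknown",
      message: `${PACKAGE}@${version} published by "${publisher}"`,
    });
  }
  const prevLatest = prev["dist-tags"].latest;
  const nextLatest = next["dist-tags"].latest;
  if (prevLatest !== nextLatest) {
    alerts.push({
      kind: "tag-moved",
      severity: "medium",
      version: nextLatest,
      message: `${PACKAGE} "latest" moved from ${prevLatest} to ${nextLatest}`,
    });
  }
  return alerts;
}

// Everything rated "high" is what an on-call engineer should be paged for.
function highSeverity(alerts) {
  return alerts.filter((a) => a.severity === "high");
}

const alerts = diffPackuments(baseline, current, APPROVED_PUBLISHERS);
console.log(highSeverity(alerts));
console.log(alerts.filter((a) => a.kind === "tag-moved"));
```

Run on a short interval, this turns the publish of an unexpected version into a page within minutes rather than relying on downstream users to raise the alarm, which is what happened here. The publisher check is only as strong as the account list: an approved account whose credentials were phished would still pass, so the tag-move alert and a follow-up diff of the published tarball remain necessary.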

About Olympix

Olympix is a pioneering DevSecOps tool that puts security in the hands of the developer by proactively securing code from day one.

Join our beta program now to fortify your smart contracts and proactively shield them from cyber threats in the evolving landscape of Web3 security.
