In another major security breach, unknown malicious actors attacked Ledger, the popular hardware wallet provider, aiming to exploit its LedgerConnect kit. Blockaid, a platform aimed at protecting web3 users, was the first to report the attack.
Supply Chain Attack Targets Ledger Connector
Taking to X on December 14, Blockaid said the attackers had successfully injected a “wallet-draining payload” into the NPM package. Once the payload spread, attackers hijacked the front ends of multiple apps, including Sushi, Hey, and Zapper, crippling operations and allegedly making off with assets worth hundreds of thousands of dollars.
The attack was not directed at any single dapp or blockchain such as Solana or Ethereum. Instead, the hackers wanted to exploit every protocol whose users, in one way or another, relied on the LedgerConnect kit to manage or transfer assets.
To understand how the hack was executed: the attackers specifically targeted Ledger's NPM package. The connector is crucial to how Ledger hardware wallet customers connect to web apps and manage their assets online.
Beyond providing a means to access wallets, the package is also an interface. Through it, developers integrate Ledger hardware wallets into their applications so that Ledger users can safely participate in non-fungible tokens (NFTs), decentralized finance (DeFi), and other activities.
Since this attack aimed to exploit critical Ledger infrastructure that could affect every protocol regardless of blockchain, analysts now say that these actors successfully executed a “supply chain attack.” In a supply chain attack against DeFi protocols, hackers compromise a trusted service provider, typically a wallet provider or an exchange, so that every downstream application that depends on it becomes a channel for stealing funds.
Ledger responds: more than $480,000 stolen
Wintermute head of research Igor Igamberdiev reported that a malware-infected script was uploaded to Ledger's NPM registry at 9:44 am UTC. Ledger has since responded, saying that it removed the malicious file and replaced it with a genuine version about four hours after the script was uploaded, at around 1:35 pm UTC.
Ledger also reminded users to be vigilant before closing their transactions, emphasizing that all addresses and information displayed on its interface are the “only reliable sources of information.” Previously, the hardware maker assured customers that their devices were not compromised.
Despite these assurances, Lookonchain, a blockchain analytics platform, said assets worth more than $480,000 were stolen before Ledger fixed the issue.
Further reinforcing ZachXBT's statement, Paolo Ardoino, CEO of Tether, the issuer of USDT, took to X to say that the platform had frozen the Ledger exploiter's address.
Featured image from Canva, TradingView chart