Crypto Crack: Malicious Code Lurks in Ledger dApps, Drains Millions
Ledger, a renowned manufacturer of hardware cryptocurrency wallets, has cautioned its clients about the risks associated with using dApps (decentralized applications), due to a detected supply chain attack.
Malefactors injected malicious JavaScript code into the Ledger dApp Connect Kit library, which lets web3 applications interact with Ledger wallets. The code clandestinely drained cryptocurrencies and NFTs from accounts connected to the service.
According to the company, the issue was discovered on the morning of December 14, following a phishing attack on Ledger’s account on NPMJS (the npm package registry). Unknown assailants published malicious versions of the Connect Kit; versions 1.1.5, 1.1.6, and 1.1.7 were affected.
The nefarious JavaScript exploited a vulnerability in the third-party Wallet Connect library to redirect user funds to the hackers’ accounts. Developers promptly removed the compromised versions of the Connect Kit and urgently released a new one, version 1.1.8.
However, the peril persists for third-party dApps still operating on older versions. Users are advised to refrain from using these applications until the issue is resolved.
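The practical check a dApp team would want here is whether any copy of the kit in their dependency tree falls in the compromised range. The following scanner is an added example, not Ledger's or SlowMist's code; it assumes the npm package name is @ledgerhq/connect-kit, assumes a lockfileVersion 2/3 package-lock.json layout (a "packages" map keyed by node_modules path), and uses a constructed sample lockfile.

```javascript
// Added example: flag compromised @ledgerhq/connect-kit versions (1.1.5–1.1.7,
// per the advisory) in an npm lockfile, including nested copies.
const PACKAGE = "@ledgerhq/connect-kit";     // assumed npm package name
const BAD_RANGE = { from: "1.1.5", to: "1.1.7" }; // inclusive
const FIXED = "1.1.8";                        // first clean release

// Numeric comparison of dotted versions (no pre-release tags expected here).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// "compromised": in the malicious range; "outdated": older than the fix
// (clean, but should still be upgraded); "ok": 1.1.8 or newer.
function classify(version) {
  if (compareVersions(version, BAD_RANGE.from) >= 0 &&
      compareVersions(version, BAD_RANGE.to) <= 0) return "compromised";
  if (compareVersions(version, FIXED) < 0) return "outdated";
  return "ok";
}

// Walk every entry in the lockfile's "packages" map and report each copy of
// the package, whether hoisted to the top level or nested under another dep.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PACKAGE}` ||
        path.endsWith(`/node_modules/${PACKAGE}`)) {
      findings.push({ path, version: entry.version, status: classify(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: one compromised top-level copy, one nested fixed copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.6" },
    "node_modules/wallet-adapter/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/left-pad": { version: "1.3.0" },
  },
};

console.log(scanLockfile(SAMPLE_LOCK));
```

Note that a dApp which loads the kit from a CDN at page load rather than from its own lockfile will not show up in this scan, so the lockfile check should be paired with a review of what the deployed bundle actually fetches.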
Ledger assures that its core software and hardware were unharmed: the company’s most popular products, Ledger Live and the hardware cryptocurrency wallets themselves, remained fully functional.
Nonetheless, the company warned of an intensification of phishing attacks. Users are urged to remain vigilant and under no circumstances divulge their 24-word secret phrase to malefactors.
Blockchain company SlowMist reported that the compromise of the Ledger library began as early as version 1.1.5, in which the criminals added only a text message as a test.
🚨SlowMist Security Alert🚨
December 14, 2023 8:33 PM, ledgerhq/connect-kit suffered a supply chain attack.
1/ The attacker implanted malicious JS code in version ledgerhq/connect-kit >1.1.4 to launch phishing attacks against cryptocurrency users. DApps using…
— SlowMist (@SlowMist_Team) December 14, 2023
In versions 1.1.6 and 1.1.7, well-disguised malicious JavaScript was present. Analysis of this script revealed that it also attempted to steal cryptocurrency and NFTs from services like Coinbase, Trust Wallet, and MetaMask.
The investigation into the incident is ongoing. The extent of the damage is yet to be determined, though there have been reports of thefts amounting to approximately $680,000. Ledger has already provided the wallet addresses of the culprits, and Tether’s team has frozen a portion of the stolen funds in USDT.