As we reported yesterday, a hacker pulled off an elaborate heist targeting users of popular Web3 apps such as Zapper, SushiSwap, and Phantom, siphoning away approximately $484,000 in crypto funds. The attack focused on Ledger’s Connect Kit, a code library that enables connections between crypto wallets and decentralized apps.
Key points
- Ledger’s Connect Kit was compromised in a malicious attack, resulting in approximately $484,000 in stolen funds
- The attacker used a phishing exploit to gain access to a former Ledger employee’s account and insert malicious code
- The malicious code was distributed through apps like Zapper, SushiSwap, and Phantom when they updated to the compromised Connect Kit code
- The malicious code tricked users into approving transactions to the attacker’s address instead of the intended app
- Ledger has now deactivated the malicious code and declared Connect Kit safe to use again, but urges continued diligence in transaction signing
Through a phishing attack, the hacker gained access to a former Ledger employee’s account on the node package manager platform NPMJS. From this vantage point, the attacker inserted malicious code into an update for Ledger’s Connect Kit on GitHub. When vulnerable apps updated to this compromised version of Connect Kit, the malicious code was unknowingly distributed to users’ browsers.
It sounds like today's security incident was the culmination of 3 separate failures at Ledger:
1. Blindly loading code without pinning a specific version and checksum.
2. Not enforcing "2 man rules" around code review and deployment.
3. Not revoking former employee access.
— Jameson Lopp (@lopp) December 14, 2023
The malicious code enabled the hacker to trick users into approving transactions sending funds to the attacker’s wallet rather than the intended app.
According to blockchain security platform Cyvers, the code likely manipulated transaction data, fooling users into confirming payments they didn’t fully understand. For example, a user approving a token payment to enable an app’s functionality may have instead seen an approval for a payment to the hacker’s address.
While the exact techniques used require further analysis, the attack clearly relied on clever social engineering to induce user errors. Ledger and security experts advise continued vigilance when approving crypto transactions, carefully reviewing addresses and details even when an app appears legitimate.
After siphoning nearly half a million dollars, the hacker evidently decided to call it quits, perhaps fearing growing attention. Ledger was able to deactivate the malicious code and has now declared Connect Kit safe for use once again.
However, the ease with which such an attack compromised key infrastructure for popular apps sends a sobering warning to the Web3 community.
As the industry continues working diligently to enhance security and transparency around transactions, remembering the human element will be key.