On Dec. 14, Ledger, a hardware wallet provider for cryptocurrencies, experienced a security breach that affected Ethereum-based applications like Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash. The breach was traced back to a phishing scam targeting a former Ledger employee, which led to unauthorized access to the company's JavaScript connector library. This compromised library, used to facilitate interactions between Ledger hardware wallets and DApps, resulted in a financial loss initially estimated at $484,000.
Ledger is now working on enhancing its security controls, but the incident holds potential risks for the broader Ethereum Virtual Machine (EVM) ecosystem. Additionally, the decentralized exchange OKX suffered an exploit earlier this week, potentially related to a private key leak, causing around $2.7 million in damages. Investigations are ongoing in both cases.
Hackers Hit Their Next Target: Ledger
Multiple Ethereum -based applications including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were compromised early Thursday due to a Ledger security breach. In a recent blog post, Ledger CEO and Chairman Pascal Gauthier addressed a security breach that happened on Dec. 14, reassuring customers that the incident was an "isolated incident." Gauthier also highlighted that the company is working with law enforcement to find the person responsible and to ensure justice is served.
The breach targeted Ledger's Javascript connector library and had a limited impact after being deactivated within 40 minutes of its discovery. The breach only affected third-party decentralized applications (DApps) and Ledger's hardware. The Ledger Live platform remained unaffected. Initially estimated at $484,000, the total financial impact of the hack was later revised by Web3 security service Blockaid to $504,000.
According to Gauthier, the breach was made possible because a former employee had fallen victim to a phishing scam. The employee's identity was apparently left behind in the hacked code.
Considering its recent breach, Ledger is taking proactive steps to strengthen its security infrastructure. Gauthier announced plans to implement stronger security controls, including connecting the company's build pipeline to enforce strict software supply chain security in the NPM distribution channel.
Whole EVM Ecosystem Could be Affected
The recent security breach targeting Ledger's connector library could have much broader implications for the entire Ethereum Virtual Machine (EVM) ecosystem, as noted by the Linea team, a zero-knowledge rollup project affiliated with ConsenSys. The attacker specifically focused on the Ledger connector library, a crucial component designed to facilitate communication between Ledger hardware wallets and a variety of DApps.
This incident also had repercussions for MetaMask , a popular wallet provider in the crypto space. However, MetaMask took swift action to address the issue by deploying an update for its MetaMask Portfolio. They have advised users to activate the Blockaid feature within the MetaMask Extension before conducting any transactions on MetaMask Portfolio.
Ledger relies heavily on its connector library to enable interactions between Ledger hardware and DApps. The compromise of this library could potentially impact a very large number of EVM users and transactions.
How Did This Happen?
The attacker employed a phishing exploit to compromise the computer of a former Ledger employee, gaining unauthorized access to the employee's Node Package Manager JavaScript (NPMJS) account. Once inside, they proceeded to upload a malicious update onto Ledger Connect's GitHub repository, with Ledger Connect being a widely-used package in the realm of Web3 applications.
As a result of this, some Web3 applications upgraded to this tainted version, inadvertently distributing the malicious code to their users' web browsers. This led to the attacker getting away with at least $484,000 from the users of these compromised applications.
Cyvers' CEO Deddy Lavid, Chief Technology Officer Meir Dolev, and Blockchain Analyst Hakal Unal provided further insight into the attack's potential mechanics. According to their analysis, it's likely that the attacker utilized malicious code to present misleading transaction information in users' wallets, tricking them into approving unintended transactions.
The malicious code possibly inserted into the Ledger Connect Kit could have allowed the attacker to manipulate the transactions sent to the user's wallet. For instance, during the use of an app, users often need to grant approvals to token contracts, permitting the app to spend tokens from their wallet.
The malicious code may have caused the user's wallet to display a token approval request, but with the attacker's address instead of the app's. Alternatively, it could have presented a confusing confirmation dialogue containing intricate code, leading users to inadvertently click "confirm" without fully understanding all of the transaction details.
Blockchain data corroborates these suspicions, showing that victims of the attack granted substantial token approvals to the malicious contract. For example, in a single transaction, the attacker drained over $10,000 from the Ethereum address 0xAE49C1ad3cf1654C1B22a6Ee38dD5Bc4ae08fEF7. The transaction log reveals that the user approved a very large amount of USDC to be spent by the malicious contract.
OKX Dex Also Hacked
Ledger is not the only crypto project that was targeted this week On Wednesday, an exploit was confirmed to have impacted the decentralized exchange (DEX) OKX , as reported by the blockchain security firm SlowMist. It is suspected that this exploit originated from a private key leak that was exploited against a deprecated smart contract.
OKX has acknowledged the exploit and announced its commitment to reimburse users who were affected. The total damage caused by this exploit is estimated to be around $2.7 million, although this figure may increase as further investigations unfold. The platform has also revealed that they are collaborating with relevant authorities to trace and recover the stolen funds.
Following the attack, the blockchain analytics firm Arkham initiated an Intel Exchange Bounty. This bounty offers a reward to anyone who can help find the person or organization responsible for the exploit. Arkham alleges that the same hacker or group may have been involved in recent exploits on platforms like LunaFi, Uno Re, RVLT, and others, although specific details about the suspect's level of involvement in these incidents still remain limited. The Arkham bounty amounts to about 5,000 ARKM, which is approximately equivalent to $2,250.
