In the most recent cybersecurity incident to rock the cryptocurrency sector, Ledger, a prominent hardware wallet-maker based in Paris, fell victim to a hack. The breach involved the compromise of Ledger’s Ledger Connect Kit software, resulting in the unauthorized transfer of hundreds of thousands of dollars from users’ wallets early Thursday.
According to Ledger’s official statement, the exploit originated from a phishing attack that targeted a former employee. The hacker utilized malicious code, exposed through the phishing attack, redirecting user funds to their own wallet during transactions with decentralized applications (dapps) utilizing the affected software. The compromised code remained active for approximately five hours. Ledger swiftly responded by deactivating the malicious code and reassuring users that it was safe to use Ledger Connect Kit after the security update.
Blockaid, a crypto security startup that alerted users about the hack, estimates that between 500 and 1,000 wallets were drained, resulting in the theft of over $500,000 from affected users. Raz Niv, Co-founder and Chief Technology Officer of Blockaid, emphasized that the hack wasn’t specific to Ledger customers; users of various hardware and software wallets from different providers were also impacted.
Niv explained, “It is affecting anyone with a wallet that is connected to a dapp that includes this piece of code,” citing decentralized exchange Sushi and crypto portfolio tracker Zapper among the affected platforms. Despite the removal of the malicious code in the Ledger update, Niv urged caution among crypto users when accessing dapps, as not all platforms may have incorporated the necessary upgrade immediately.
The security breach marks another setback for Ledger, which faced criticism in May for introducing a new security tool that some argued contradicted fundamental crypto principles. Despite the challenges, Ledger secured approximately €100 million ($110 million) in a funding round in March, valuing the company at €1.3 billion.
This incident underscores the persistent threat of security attacks in the cryptocurrency industry, where projects suffered $1.7 billion in losses due to exploits in 2023, according to data from analytics firm TRM Labs. Ido Ben-Natan, Co-founder and Chief Executive Officer of Blockaid, expressed concern about the negative impact of crypto-associated hacks on the industry, stating, “If users continue to feel unsafe while interacting with these kinds of applications, then it’ll disincentivize users from coming in and actually using the space.” The industry remains vigilant in addressing these challenges and fortifying its security measures to maintain user trust and confidence.
