Supply chain attack targeting Ledger crypto wallet leaves users hacked


Hackers compromised the code behind a crypto protocol used by multiple web3 applications and services, the software maker Ledger said on Thursday.

Ledger, a company that makes a widely used and popular crypto hardware and software wallet, among other products, announced on X (previously Twitter) that someone had pushed out a “malicious version” of its Ledger Connect Kit, a library that decentralized apps (dApps) made by other companies and projects use to connect to the Ledger wallet service.

“A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves,” Ledger wrote.

Soon after, Ledger posted an update saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would “provide a comprehensive report as soon as it’s ready.”

After this story was published, Ledger spokesperson Phillip Costigan shared more details about the hack with TechCrunch and on X. Costigan said that a former Ledger employee was victim of a phishing attack on Thursday, which gave the hackers access to their former employee’s NPMJS account, which is a software registry that was acquired by GitHub. From there, the hackers published a malicious version of the Ledger Connect Kit.

“The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet,” Costigan said.

Then, Ledger deployed a fix within 40 minutes of the company becoming aware of the hack. The malicious file, however, was live for around five hours, but “the window where funds were drained was limited to a period of less than two hours,” according to Costigan.

Ledger also “coordinated” with WalletConnect, which “quickly disabled the the rogue project,” essentially stopping the attack, according to Costigan.

Costigan also said Ledger pushed out a genuine software update that is “safe to use.”

“We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time,” the spokesperson said, adding that the company believes it has identified the hackers’ wallet.

The company says it has sold six million units of its hardware wallet, and Ledger Live, its software equivalent, is used by 1.5 million users. The Ledger hardware wallet is not believed to be affected by the hack.

Tal Be’ery, the co-founder of crypto wallet Zengo, told TechCrunch that the hackers essentially pushed out a malicious version of the software that was designed to trick users into connecting their wallets and assets to the malicious version of the software.

That would allow the hackers to drain the crypto inside users’ wallets — so long as the users accepted the push to connect their wallets to the malicious Ledger version.

It’s not immediately clear how many people fell victim to the hack. ZachXBT, a well-known independent crypto researcher, wrote on X that the hackers stole more than $600,000 in crypto during the attack.

Several blockchain security researchers, as well as people who work in the web3 industry, warned users on social media of the supply chain hack against Ledger.

Matthew Lilley, the chief technology officer of cryptocurrency trading platform Sushi, was one of the first ones to detect the attack and share the news.

“I would recommend never interacting with a [decentralized app] ever again and honestly just move on with your life,” said Joseph Delong, the CTO of NFT lending platform AstariaXYZ, joked on X, referring to the fact that Ledger uses the notoriously insecure programming language JavaScript.

Source : TechChrunch / Dec 14, 2023 logo


240 rue Evariste Galois,

06410 Biot,

Sophia Antipolis

Automata Pay

65-66 Warwick House 4th

Floor, Queen Street, London

England, EC4R 1EB

Automata Pay Europe Ltd

3rd Floor Ormond Building,

31-36 Ormond Quay Upper,

Dublin 7, D07 Ee37

Automata ICO Ltd

Italian Branch

Via Archimede, 161,

00197 Roma


The purchase of digital assets is subject to a high market risk and price volatility. Changes in value can be significant and occur rapidly and without warning. Past performance is not a reliable indicator of future performance. The value of an investment and returns can fluctuate both up and down, and you may not recover the amount you invested. RISK WARNING

Automata ICO Limited has a branch in Italy with its registered office at Via Archimede, 161, Roma, Italy, and registered in Italy under number 96550860587 with the Organismo Agenti e Mediatori (OAM) as a Virtual Asset Service Provider (VASP).

Automata France SAS is a company registered in France with the company number 902 498 617. Automata FRANCE SAS is registered with the french Financial Market Authority, l’Autorité des marchés financiers (“AMF”), as a provider of Virtual Asset Service Provider under number E2023-087.

Automata Pay Europe Limited is a partner of Modulr Finance B.V., a company registered in the Netherlands with company number 81852401, which is authorised and regulated by the Dutch Central Bank (DNB) as an Electronic Money Institution (Firm Reference Number: R182870) for the issuance of electronic money and payment services. Your account and related payment services are provided by Modulr Finance B.V. Your funds will be held in one or more segregated accounts and safeguarded in line with the Financial Supervision Act. How we keep your money safe.