How Ledger, a unicorn specializing in security, faced a bug in its own system

Ledger CEO Pascal Gauthier has explained the incident. But questions arise, because Ledger is renowned for its security expertise.

This Thursday, December 14th, crypto company Ledger faced a security breach in its Ledger Connect Kit, a JavaScript library that lets users connect decentralized applications to their crypto wallets. As a reminder, decentralized finance (DeFi) is an open financial system accessible to any user, offering some traditional financial operations such as loans.

This incident occurred because a former Ledger employee “became the victim of a phishing attack that allowed a hacker to access his NPMJS (package manager for JavaScript code shared between applications) account,” explained Ledger CEO Pascal Gauthier. “A hacker released a malicious version of the Ledger Connect Kit. The malicious code used the WalletConnect scam project to divert funds to the hacker’s wallet,” he said.

The company says it “eliminated and disabled” the malicious code 40 minutes after it was identified. However, the malicious file was able to drain users’ funds for approximately two hours. According to renowned blockchain investigator ZachXBT, more than $610,000 has already been stolen because of this bug. When asked by BFM Crypto about the amount stolen so far, Ledger did not respond to our requests.

Filing a complaint

How could a French unicorn, internationally recognized as a security specialist, suffer such an incident? At Ledger, “the security standard states that no one person can deploy code without multiple parties reviewing it, which is the practice in 99% of our internal systems. In addition, any employee who leaves the company will have their access revoked from all Ledger systems”, the company wrote. This is an “unfortunate and isolated incident”, the company said, promising to implement improved security controls.

Ledger has filed a complaint and does not intend to stop there. “We will support affected users by identifying the malicious actor, bringing them to justice, tracing funds and working with law enforcement to recover stolen assets,” the company said. While the investigation is ongoing, users can safely revert to Ledger Connect Kit version 1.1.8.
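The incident described above turns on one fact: a project that depends on a library through a floating version range, and that has no reviewed lockfile, will pick up whatever the registry publishes next under a compromised maintainer account. The Node.js script below is an added example, not code from this article or from Ledger; it audits a project’s package.json and package-lock.json for ranges that would auto-upgrade, for lockfile entries without an integrity hash, and for a pinned dependency whose installed version differs from the one the team has approved (here, the 1.1.8 the article says is safe). The package data is constructed sample input, and “@ledgerhq/connect-kit” is assumed to be the npm name of the Ledger Connect Kit.

```javascript
// Added example, not code from the article or from Ledger: a small Node.js
// audit that flags npm dependencies a project would auto-upgrade to a newly
// published release, and lockfile entries that lack a pinned version or an
// integrity hash. Package names and versions below are constructed sample data;
// "@ledgerhq/connect-kit" is assumed to be the npm name of the Ledger Connect Kit.

// An exact semver string (optionally with prerelease/build metadata) is pinned.
// Anything else (^1.1.8, ~1.1.8, >=1, 1.x, *, "latest", a dist-tag, a git URL)
// is treated as floating: a fresh "npm install" may resolve it to a release
// that nobody on the project has reviewed.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

function isFloatingRange(range) {
  return !EXACT_SEMVER.test(String(range).trim());
}

// Audit package.json against a lockfileVersion 2/3 package-lock.json.
// watchList: [{ name, version }] pairs the team has explicitly approved
// (e.g. the version an advisory says is safe to revert to).
// Returns one finding object per problem so a CI job can fail on any of them.
function auditDependencies(pkg, lock, watchList = []) {
  const findings = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = (lock && lock.packages) || {};

  for (const [name, range] of Object.entries(declared)) {
    if (isFloatingRange(range)) {
      findings.push({ name, kind: 'floating-range', detail: range });
    }
    const entry = packages[`node_modules/${name}`];
    if (!entry || !entry.version) {
      findings.push({ name, kind: 'missing-from-lockfile', detail: range });
      continue;
    }
    if (!entry.integrity) {
      // Without an integrity field npm cannot verify the tarball it downloads.
      findings.push({ name, kind: 'missing-integrity', detail: entry.version });
    }
    const approved = watchList.find((w) => w.name === name);
    if (approved && entry.version !== approved.version) {
      findings.push({
        name,
        kind: 'unapproved-version',
        detail: `lockfile has ${entry.version}, approved ${approved.version}`,
      });
    }
  }
  return findings;
}

// --- constructed sample input (not a real project) ---
const SAMPLE_PACKAGE_JSON = {
  name: 'example-dapp',
  dependencies: {
    '@ledgerhq/connect-kit': '^1.1.8', // caret range: accepts any later 1.x
    'example-ui-lib': '2.0.1', // exact: pinned
  },
};

const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@ledgerhq/connect-kit': {
      version: '1.1.8',
      resolved: 'https://registry.example.invalid/connect-kit-1.1.8.tgz',
      integrity: 'sha512-CONSTRUCTED_PLACEHOLDER_HASH',
    },
    'node_modules/example-ui-lib': {
      version: '2.0.1', // no integrity field: tarball contents are unverified
    },
  },
};

// Version the team has approved (the article names 1.1.8 as safe to revert to).
const APPROVED = [{ name: '@ledgerhq/connect-kit', version: '1.1.8' }];

function runSampleAudit() {
  return auditDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE, APPROVED);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSampleAudit()) {
    console.log(`${f.kind.padEnd(20)} ${f.name}: ${f.detail}`);
  }
}
```

On the sample data the audit reports two findings: the caret range on the connect kit, and the missing integrity hash on the second package. Run in CI alongside `npm ci` (which installs exactly what the lockfile records rather than re-resolving ranges), a non-empty result should fail the build, so that a release pushed to the registry by a compromised account cannot reach production without a human changing the lockfile first.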

Founded in 2014, Ledger specializes in the design of so-called “non-custodial” crypto wallets, which let users remain in control of their own private keys (for cryptocurrencies), unlike “custodial” wallets (often offered by centralized exchange platforms such as Binance and Coinbase). Ledger claims to have sold a total of 6.5 million crypto wallets and serves 100 corporate clients. It states that 20% of all cryptocurrency assets and 30% of NFTs worldwide are secured with its devices.
