Ledger CEO Addresses Community After $484,000 Crypto Exploit

Published: Dec 14, 2023
Written By:
Vignesh Karunanidhi
Milk Road Writer

In a recent security incident, Ledger, the popular hardware wallet manufacturer, suffered an exploit of its Ledger Connect Kit. Ledger CEO Pascal Gauthier issued a statement shedding light on the incident and the immediate actions taken to mitigate it.

The hacker stole over $484,000 worth of cryptocurrencies. The exploiter was also moving ETH to Angel Drainer, according to on-chain analyst Lookonchain. The address currently holds assets worth $133k.

Key Points:

  • The exploit specifically targeted Ledger Connect Kit, affecting third-party DApps that utilized the library.
  • Ledger is actively investigating the incident, having filed complaints related to the exploit.
  • The exploit did not impact the integrity of Ledger hardware or Ledger Live. The vulnerability was confined to third-party DApps using the Ledger Connect Kit.


Ledger CEO issues statement

Pascal Gauthier attributed the exploit to a former employee falling victim to a phishing attack, allowing a malicious file upload to Ledger’s NPMJS. He emphasized the swift collaborative response with WalletConnect, removing the malicious code within 40 minutes.

Gauthier outlined Ledger’s standard security practices, including code deployment reviews, strict access controls, internal reviews, and multi-signatures for most development areas.

“This was an unfortunate isolated incident. It is a reminder that security is not static, and Ledger must continuously improve our security systems and processes. In this area, Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel,” Gauthier said.

Gauthier urged the industry to collectively raise the security bar for DApps involving browser-based signing. He proposed the adoption of clear signing, where users can see what they sign on a trusted display, reducing the risk of unintentional rogue transactions.


Tether freezes the exploiter’s address

Ledger has engaged with authorities, reported the bad actor’s wallet address, and collaborated with partners such as WalletConnect. Tether has frozen the bad actor’s USDT funds. Ledger is actively supporting affected users, filing a complaint, and cooperating with law enforcement.

Gauthier assured the community that the situation is under control, with the threat eliminated. Ledger is in communication with affected customers, working proactively to assist them. The CEO expressed regret for the incident and encouraged users to prioritize clear signing with Ledger devices.

In the spirit of transparency, Gauthier disclosed the attacker’s address (0x658729879fca881d9526480b82ae00efc54b5c2d) and emphasized ongoing efforts to prevent further attacks.

Vignesh Karunanidhi

Vignesh has been a seasoned professional in the crypto space since 2017. He has been writing for over 6 years and specializes in writing and editing various types of crypto content, including news articles, long-form pieces, and blog posts, all focused on sharing the beauty of blockchain and crypto.