Tech Support
Documentation
Login
Contact Us
Ledger Supply Chain Breach: $600,000 Theft Unveiled
Wajahat Raja
December 26, 2023 - TuxCare expert team
Recent events have brought to light the Ledger supply chain breach, a cybercrime incident that led to the theft of $600,000 in virtual assets. For those who don’t know, Ledger is a company that develops hardware and software-based cryptocurrency wallets. Recent reports state that the cryptocurrency wallet security breach was a consequence experienced as a result of a former employee falling prey to a phishing attack.
In this article, we’ll dive into the details of the Ledger breach and cryptocurrency theft to see what actually happened.
Investigating The Ledger $600,000 Theft
Although details of the threat actors are unidentified, details reveal that a malicious version of the Ledger Connect Kit was utilized for the execution of the cryptocurrency wallet security breach. The Connect Kit is a library used to connect decentralized applications (dApps) made by other companies to Ledger wallets.
After the former employee fell victim to a phishing ploy, attackers were then able to access Ledger’s NPM account and push three malicious version modules that include 1.1.5, 1.1.6, and 1.1.7. This allowed them to propagate a crypto drainer malware to other applications functioning with dependency on the module and launch a full-scale supply chain attack.
Technical Details Of The Ledger Supply Chain Breach
As per the Ledger chairman’s letter, published on the website, the cryptocurrency wallet security breach was live for five hours. It has been discovered that versions 1.1.5 and 1.1.6 lacked an embedded trainer. However, the malicious modules were modified to ensure that a secondary NPM package, identified as 2e6d5f64604be31, could be downloaded.
It’s worth mentioning the package mentioned above acted as the crypto drainer. Malicious module version 1.1.7, embedded with a wallet-draining payload, was used for the execution of unauthorized transactions. Once the transactions were complete, stolen funds in Ledger breach were transferred to a wallet controlled by the threat actor.
Ledger Supply Chain Breach Countermeasures
As far as preventing supply chain attacks in crypto is concerned, security teams at Ledger were altered, and a fix was deployed within 40 minutes. Providing further insight into the countermeasures, an excerpt from the chairman’s letter reads, “The malicious file was live for around 5 hours. However, we believe the window where funds were drained was limited to a period of less than two hours.”
It was identified that the malicious code used a rogue WalletConnect project for rerouting funds. However, teams at Ledger were able to connect with WalletConnet, who then disabled the rogue project. It’s worth noting that the monetary impact of Ledger’s supply chain attack would have been significantly higher had the fund transfers continued for the complete duration of the attack.
Ledger Safeguarding Cryptocurrency Assets
As per the official statement, the verified Ledger Connect Kit version 1.1.8 is safe to use. To ensure the security of crypto assets, Ledger, along with WalletConnect and other partners, have reported the threat actor’s wallet address. The team currently believes that stolen funds in the Ledger breach were transferred to the address mentioned below.
- 0x658729879fca881d9526480b82ae00efc54b5c2d.
Ledger, along with reporting the address, is also pursuing legal action. An excerpt sharing insights into the matter reads, “We are also filing a complaint and working with law enforcement on the investigation to find the attacker.” They are also working with customers whose funds may be affected.
As part of their security measures for crypto hardware wallets and software wallets, they are also studying the exploit to avoid further attacks in the future. The Ledger wallet breach consequences and monetary implications serve as a stark reminder for the implementation of security measures for cryptocurrency crime.
Conclusion
The Ledger supply chain breach, initiated from a phishing attack, quickly transitioned into an infamous incident. One that led to $600,000 worth of virtual assets being stolen. Ledger was quick to identify the malicious activity and deploy the necessary fixes to contain the damages. Despite this, the incident is an impactful reminder that organizations must adopt proactive cybersecurity measures to safeguard themselves from modern-day threat actors.
The sources for this piece include articles in The Hacker News and TechCrunch.
