Hundreds of thousands of dollars in crypto stolen after Ledger code poisoned

Former worker phished then NPM repo hijacked

Cryptocurrency wallet maker Ledger says someone slipped malicious code into one of its JavaScript libraries to steal more than half a million dollars from victims.

The library in question is Connect Kit, which allows DApps – decentralized software applications – to connect to and use people's Ledger hardware wallets.

Pascal Gauthier, CEO of Ledger, in a public post said a former employee had been duped by a phishing attack, which allowed an unauthorized party to upload a malicious file to the company's NPM registry account.

"The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7)," said Gauthier. "The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet."

The malicious file was what's known as a "crypto drainer" – it siphons funds from digital wallets. And because dozens of crypto projects utilize the Connect Kit library, the potential financial loss could have been considerable. The damage however was limited because the compromised file was only live for about five hours and active for about two.

During this period, it's claimed that the attacker managed to obtain more than $610,000 worth of crypto tokens. Revoke.cash, a service for revoking certain crypto transactions – which was affected by the incident – reports losses on the order of $850,000.

According to Gauthier, the attack was addressed within 40 minutes of discovery, the attacker's blockchain address has been identified, and Tether has frozen the attacker's Tether tokens. Authorities, he claims, have been notified.

"The authentic and verified version of the Ledger Connect Kit, version 1.1.8, is now in circulation and safe to use," said Gauthier.

"Safe" may be overstating the case: According to security firm Socket, which provides algorithmic assessments of NPM packages, Connect Kit currently rates 51 out of 100 for Supply Chain Security and 55 out of 100 for Quality.

Gauthier insists standard practice at Ledger is that no one person can deploy code without a multiparty review.

"We have strong access controls, internal reviews, and multi-signature code when it comes to most parts of our development," he said. "This is the case in 99 percent of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system."

And yet Ledger's account of the incident – a former employee surrendered credentials to a phishing scheme, allowing a miscreant to gain access to Ledger's NPM account to push through bad code – suggests this was one occasion where company security controls fell short.

According to Rosco Kalis, a software engineer for Revoke.cash, Ledger did not have two-factor authentication in place for NPM, which presumably would have prevented the phishing attack from working. What's more, Kalis claimed Ledger failed to revoke code publication rights for its former employee.

Gauthier characterized this fiasco as an "unfortunate isolated incident" and said, "Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel."

The Ledger leader's reference to the NPM distribution channel glosses over the way in which Connect Kit actually gets distributed.

Kalis pointed out that Ledger distributes Connect Kit through a content delivery network (CDN), which means that developers cannot pin the library – limit it to a specific version. Instead, applications that depend on the library always fetch the latest release, which becomes problematic when the latest release has been hijacked.

"Generally speaking, developers protect against supply chain attacks by 'pinning' the versions of dependencies that they install," Kalis said.

Kalis accepted some of the blame by acknowledging that while Ledger should not have published its library in a way that did not support dependency pinning, Revoke.cash should have realized Connect Kit's distribution method posed a security risk.

However, Kalis isn't ready to shoulder the burden of compensating those who have lost funds.

"Due to the widespread nature of the exploit, it is impossible to determine which of the victims of the exploit got compromised on Revoke.cash and which got compromised on other websites," he wrote. "This is why we unfortunately do not see it as a feasible solution for Revoke.cash or other affected websites to directly compensate impacted users."

Kalis says the only answer as he sees it is for victims to seek reimbursement for losses from Ledger, adding, "It is currently unclear if Ledger plans to do this."

Ledger, based in France, did not immediately respond to a request for comment. ®

More about

TIP US OFF

Send us news


Other stories you might like