Ledger CEO explains hack, calls it ‘isolated incident’
Ledger CEO Pascal Gauthier has addressed the Dec. 14 hack of the wallet provider’s hack in a post on the company’s blog. He said the hack of Ledger’s Javascript connector library was an “isolated incident” and promised stronger security control.
My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.
— Pascal Gauthier @Ledger (@_pgauthier) December 14, 2023
The exploit ran for less than two hours and was deactivated within 40 minutes of discovery and was limited to third-party DApps, Gauthier said. It was made possible after a former employee fell victim to a phishing scam, he said. That employee’s identity was allegedly left behind in the hacked code. Ledger hardware and the Ledger Live platform were not affected. Furthermore:
“The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews, and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system.”
Gauthier went on to call the hack “an unfortunate isolated incident.” Now, he promised:
“Ledger will implement stronger security controls, connecting our build pipeline that implements strict software supply chain security to the NPM distribution channel.”
A hack of this type could happen to others, Gauthier added. Ledger Connect Kit 1.1.8 is safe and ready to use, Gutheir said. He thanked WalletConnect, Tether, Chainalysis and zachxbt for assistance.
Related: Ledger patches vulnerability after multiple DApps using connector library were compromised
The size of the hack was originally estimated at $484,000, but Web3 security service Blockaid later told Cointelegraph that the sum had risen to $504,000 by 20:00 UT. The hack could affect any EVM user that interacted with affected DApps, the company added.
Here is a list of dapps that may be affected by the @ledger hack! Do not interact at all with DEFI at all today! No app is safe regardless of whether you use a Ledger. pic.twitter.com/2ihbasF3R7
— Ran Neuner (@cryptomanran) December 14, 2023
Magazine: $3.4B of Bitcoin in a popcorn tin: The Silk Road hacker’s story