Massive attack underway from Ledger – Do not use any decentralized crypto applications (dApps)

by Thomas

A massive attack is currently taking place and could potentially affect all decentralized applications (dApps) integrating Ledger’s Connect Kit. It is currently recommended not to visit ANY website offering the Web3 wallet connection functionality.

UPDATE 15:18: Ledger’s update is being rolled out, according to the firm. Ledger also said that a “full report” will be published as soon as it’s ready.

UPDATE 15:06: Banteg published a message stating that Ledger had deployed an update and that the malicious code had been removed. However, it is still recommended not to interact with any wallet-connected application, as propagation of the fix may take some time.

UPDATE 15:03: According to Igor Igamberdiev, the malicious code was implemented this morning at around 8:44 a.m., so it’s likely (but not certain) that the wallets potentially at risk are those that interacted with Ledger’s Connect Kit after that time.

UPDATE 14:57: According to on-chain investigator ZachXBT, over $610,000 has already been stolen via the flaw. According to Arkham Intelligence data, the address cited by ZachXBT reportedly sent funds to Angel Drainer, whose wallet totals more than $1 million.

A major attack is underway

This could be one of the biggest attacks ever to take place in the Web3 ecosystem: it appears that all decentralized applications (dApps) integrating Ledger’s connection tool have been compromised, with its code replaced by a wallet-draining functionality.

The flaw was first reported by the Sushi protocol, which took its site offline as a security measure, and which informs us that the problem originated with Ledger:

Matthew Lilley, Sushi’s CTO, has stated that the flaw did indeed originate at Ledger, and more specifically in their Connect Kit, the component responsible for managing interaction with decentralized applications. The list of potentially affected applications can be found here. It includes all applications integrating this Ledger functionality.

This attack is all the more devious in that it has also infected sites allowing the revocation of authorizations granted to smart contracts, such as Revoke.Cash, which has also taken its site offline to mitigate potential losses to its users. Revoke.Cash recommends that you do NOT use any site that connects to a Web3 wallet.

For your information, here is a preview of the window containing the malicious code:

Ledger issued a press release on X without providing any additional information:
