Hacker hits one of crypto industry's biggest names in security

The latest crypto hack involved one of the industry's top names in security: hardware wallet-maker Ledger. The Paris-based startup saw its Ledger Connect Kit software compromised leading to hundreds of thousands of dollars being drained from users' wallets early Thursday.

Ledger said in a statement that the exploit originated from a phishing attack that targeted a former employee. The hacker published malicious code that rerouted user funds to their own wallet during transactions with decentralized applications, or dapps, that used the affected software. The company said that the malicious code was live for around five hours.

"We are filing a complaint and working with law enforcement on the investigation to find the attacker," Ledger said in the statement. In another post, Ledger said that the malicious code had been deactivated and that it was safe to use Ledger Connect Kit. 

A connected Ledger SAS USB dongle used for storing and carrying around cryptocurrency passwords.

Blockaid, a crypto security startup that posted alerts about the hack, estimates that anywhere from 500-1,000 wallets were drained in the attack and that more than $500,000 was stolen from users. Raz Niv, co-founder and chief technology officer of Blockaid, said in an interview that the hack was not specific to Ledger customers and that users of various hardware and software wallets from other providers were also impacted.

"It is affecting anyone with a wallet that is connecting to a dapp that includes this piece of code," he said, noting that affected platforms included decentralized exchange Sushi and crypto portfolio tracker Zapper.

Even though the Ledger update removed the bad code, Niv advised crypto users to be cautious when accessing dapps, since these platforms may not have incorporated the upgrade.

"The only problem is like any other mitigation or a fix, it takes some time for it to be deployed," he said. 

The security incident is another black eye for Ledger, which drew heavy criticism in May for a new security tool that many argued was antithetical to the basic tenets of crypto. The company raised raised about €100 million ($110 million) in a funding round in March that valued it at €1.3 billion.

The hack also reflects the persistence of security attacks in the industry, which saw crypto projects lose $1.7 billion to exploits in 2023, according to data from analytics firm TRM Labs. Ido Ben-Natan, co-founder and chief executive officer of Blockaid, said crypto's association with hacks is damaging the industry. 

"If users continue to feel unsafe while interacting with these kinds of applications, then it'll disincentivize users from coming in and actually using the space," he said.