Crypto company Ledger is warning users of a crucial exploit and urging them to pause their hardware wallet interactions with decentralized applications (DApps).
In a new thread on the social media platform X, Ledger say that it has found, identified and replaced a malicious version of its connect kit, a piece of code used to connect hardware wallets to DApps.
“We have identified and removed a malicious version of the Ledger Connect Kit. A real version is now being pushed to replace the malicious file. Do not interact with DApps at this time. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live are not affected.”
According to Ledger, it was an exploit discovers when a former employee fell victim to phishing and lost access to his NPMJS account, a website used by developers to create code and applications.
The bad actor then uploaded a malicious version of Ledger’s connect kit that would route user funds into the hacker’s wallet. However, Ledger was able to fix this issue about five hours after it went live.
Ledger then reported the operator’s address, prompting the issuer of stablecoin Tether (USDT) to freeze the bad actor’s supply of USDT.
“This morning CET, a former Ledger employee fell victim to a phishing attack that gained access to his NPMJS account. The attacker published a malicious version of the Ledger Connect Kit. The malicious code used a rogue WalletConnect project to divert funds to a hacker wallet.
Ledger’s technology and security teams were alerted and a fix was implemented within 40 minutes of Ledger becoming aware. The malicious file was active for approximately five hours, but we believe the period during which funds were siphoned was limited to a period of less than two hours…
The authentic and verified Ledger Connect Kit version 1.1.8 is now being distributed and is safe to use. Ledger, along with Walletconnect and our partners, reported the bad actor’s wallet address. The address is now visible on Chainalysis. Tether has frozen the bad actor’s USDT.”
According to blockchain tracking platform Lookonchain, the hacker managed to steal approximately $484,000 worth of digital assets from Ledger.
Don’t miss a beat – Subscribe to receive email alerts straight to your inbox
Check price action
follow us on TweetFacebook and Telegram
Surf to the Daily Hodl mix
Featured image: Shutterstock/lycreative.id