- Following the attack last week, Ledger has released a statement acknowledging the breach and pledging to patch up its platform to prevent similar incidents in the future.
- The wallet announced that it will “make sure victims affected will be made whole” and is shifting from Blind Signing to Clear Signing starting June next year.
Ledger became the latest victim of the notorious crypto cyber attackers last week when its Connect Kit was injected with a drainer code. The wallet company took swift action to contain the attack and beef up its security, including partnering with Tether to freeze the attackers’ USDT addresses. Now, the company says it will ensure that all the affected parties are duly compensated for all their lost funds.
In a statement on X, the company claimed it’s 100% focused on ensuring that “incidents like this are prevented in the future and that the ecosystem remains safe.”
The hack targeted the Connect Kit, which is connected to several decentralized applications. This allowed the hackers to drain any wallet from the back end—which they did, swiping $600,000 from users. The hack could have been catastrophic as the attackers could have easily accessed over 70% of all decentralized applications which connect to the wallet. However, the vulnerability was patched a few hours later.
In its efforts to regain the trust of its users, the dApps and the entire ecosystem, the French company has pledged to refund the victims, including clients who are not direct Ledger customers.
It stated:
Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.
We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.
We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.
Ledger…
— Ledger (@Ledger) December 20, 2023
“We commit, in any way possible, including gestures of goodwill, to make sure this is done by the end of February 2024. We are already in contact with many impacted users and are actively working through the specifics with them,” the company added.
Ledger Pledges to Reinforce Security Measures
To understand the Ledger hack, we need to break down what exactly happened; on the night of December 14, the hackers injected the malicious code into the Connect Kit. This kit allows Ledger users some aspect of control over how third-party apps, mostly dApps and DeFi protocols, interact with their hardware wallet. In essence, this kit makes crypto safer…except when it’s compromised as it was on that day.
The hack was a version of a supply chain attack. These are when hackers recognize that hacking entities directly is a fool’s errand and, instead, target the links and interconnections between them. It’s not limited to crypto; the Solarwinds supply chain attack that affected 18,000 clients of the American publicly listed IT firm proved that even the mainstream industry is just as prone.
Nevertheless, this shouldn’t take away blame from Ledger, and the company acknowledges this. One remedy is sunsetting Blind Signing with its hardware devices so that users will have to verify all transactions before signing, or what’s known as Clear Signing. And as one security expert quipped, the hack was an isolated event.
