‘Decentralized’ apps suffer after Ledger Connect Kit attack

An apparent supply chain attack against Ledger’s Connect Kit, a software tool that allows users to connect their wallets to the front end of decentralized applications (dApps), has drained user wallets.

A compromised account belonging to a former Ledger employee pushed a new version of the Connect Kit software to the NPM software repository before it was replaced several hours later. This compromise presented a risk to any service that relied on the software, even if the user didn’t use Ledger-brand hardware wallets. 

X (formerly Twitter) users have reported that the malicious version would present an additional pop-up pointing users toward the draining software, itself based on modified WalletConnect software.

Ledger HQ’s default implementation of the ‘connect-kit-loader’ was especially vulnerable, choosing to always load the most recent version directly from a content delivery network (CDN) instead of locking to a specific version. 

Firms have already started to respond to this attack, with Tether CEO Paolo Ardoino saying via X that Tether has decided to freeze an address associated with this exploit.

Read more: Researcher finds data harvesting inside Ledger Live app

ZachXBT, a blockchain investigator, pointed towards 0x658729879fca881d9526480b82ae00efc54b5c2d as the address for the exploiter. This address also initially transferred to 0x412f10AAd96fD78da6736387e2C84931Ac20313f or ‘Angel Drainer.’ This is an address frequently used in phishing scams. 

The address has received a variety of different assets, with DeBank saying that the value reached approximately $480,000 before assets were transferred out of the wallet. 

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on XInstagramBluesky, and Google News, or subscribe to our YouTube channel.