Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: KiaKia on December 14, 2023, 02:24:33 PM



Title: Ledger seem compromised again
Post by: KiaKia on December 14, 2023, 02:24:33 PM
If you are using ledger hardware wallet please do not connect to any dapps right now until further notice, it seems this hardware wallet is freaking too vulnerable to attacks right now.

https://i.postimg.cc/3J8nT6MT/Screenshot-20231214-152119-Trebuchet.png


Title: Re: Ledger seem compromised again
Post by: m2017 on December 14, 2023, 03:02:38 PM
Quote
If you are using ledger hardware wallet please do not connect to any dapps right now until further notice, it seems this hardware wallet is freaking too vulnerable to attacks right now.

https://i.postimg.cc/3J8nT6MT/Screenshot-20231214-152119-Trebuchet.png

The picture says "More details below". Isn’t it just by clicking on such links that fun adventures with hacked wallets and everything else begin? :)

It was possible to copy / paste part of the text with the main idea of the article here, right? Of course, with reference to the original source. So that forum users can find out everything regarding this incident right here.


Title: Re: Ledger seem compromised again
Post by: Hamza2424 on December 14, 2023, 03:46:00 PM
Yep! I've seen so many community alert posts on social media, indicating the compromise of the Ledger's ConnectKit Library with Revoke.cash. I've personally taken some actions and disconnected all of my active connections with most of Dapps. Playing safe in such circumstances is good for funds.

I'm not sure why you are creating this thread so late and TBH I've not scrolled any other section yet, maybe there are some early threads already covering this topic.



Title: Re: Ledger seem compromised again
Post by: Marvelman on December 14, 2023, 04:07:50 PM
Ledger's having some problems recently. Not sure what's going on over there, but seems their hardware wallets are dealing with security vulnerabilities lately and they used to be the best option for most folks wanting a hardware wallet. But I've seen a bunch of reports about issues compromising security. I'd hold off linking your Ledger to any decentralized apps until we get an all-clear. Who knows if connecting it could put your crypto at risk given their ongoing problems.


Title: Re: Ledger seem compromised again
Post by: coolcoinz on December 14, 2023, 04:23:12 PM
It's only if you install new software. I don't update to newest versions right away because I've learned over the years that updates often are unstable and you have to install fixes later. It's better to wait for a while.

Also, they're fixing this, so if you're still using ledger, wait a few days until it calms down and move it to something better. Their updates that allowed them to access your wallet were the first warning for users that this company is not the best choice. Now there's this little problem. Let's see how many people lose their savings because of this bug.


Title: Re: Ledger seem compromised again
Post by: Hamza2424 on December 14, 2023, 05:10:59 PM
Quote
It's only if you install new software. I don't update to newest versions right away because I've learned over the years that updates often are unstable and you have to install fixes later. It's better to wait for a while.

Also, they're fixing this, so if you're still using ledger, wait a few days until it calms down and move it to something better. Their updates that allowed them to access your wallet were the first warning for users that this company is not the best choice. Now there's this little problem. Let's see how many people lose their savings because of this bug.

Well, that's right. I've been trying some testnet nodes and they are frequently sending updates, I was worried about the system security because even after installing all those updates, the system was not behaving smoothly.

Anyway, it's about the ledger, hmm other reliable options are compared to the ledger because the update you've mentioned was briefly covered in many topics here. At that time as well people were moving from the ledger. I think Trezor is one of the renowned ones.


Title: Re: Ledger seem compromised again
Post by: AirtelBuzz on December 14, 2023, 05:18:36 PM
Quote
If you are using ledger hardware wallet please do not connect to any dapps right now until further notice, it seems this hardware wallet is freaking too vulnerable to attacks right now.

https://i.postimg.cc/3J8nT6MT/Screenshot-20231214-152119-Trebuchet.png


The ledger issue is now fixed.

https://www.talkimg.com/images/2023/12/14/EvIkP.jpeg

source: https://twitter.com/Mudit__Gupta/status/1735301007188406681


Title: Re: Ledger seem compromised again
Post by: tread93 on December 15, 2023, 03:17:25 AM
You can't trust those ledger devices as far as you can throw them nowadays, especially after the stunts they have pulled. Their reputation is completely screwed and it is sad to see it happen but having this happen now on top of all of that? I'm not sure how much longer the company will last if they continue being so vulnerable and going against the best interests of their users.


Title: Re: Ledger seem compromised again
Post by: FinneysTrueVision on December 15, 2023, 04:48:22 AM
It's been one shitshow after another for Ledger these past couple of years. They've had a database breach, the Ledger Recover controversy, the Ledger Stax device which remains undelivered after they started accepting pre-orders over a year ago, now there is this hack which compromised any dapp using the ConnectKit library.

After being the most popular hardware wallet for a long time they have now completely destroyed their reputation with all these blunders. I can't imagine anyone who would still trust them enough to store their private keys on one of their devices.


Title: Re: Ledger seem compromised again
Post by: mk4 on December 15, 2023, 06:05:09 AM
tl;dr your Ledger hardware wallet is fine. This security issue concerns the Ledger Connect Kit, in which a hacker used malicious code to display a separate wallet connection UI modal on DeFi protocols.

Some facts:

1. You need to confirm a malicious transaction on your Ledger device for your funds to be stolen
2. This was caused by a phished account of an ex-employee hence the hacker was able to push code
3. This security issue is only with concern to EVM (Ethereum Virtual Machine)-related platforms. If you're bitcoin-only, you're totally unaffected.


Title: Re: Ledger seem compromised again
Post by: yudi09 on December 15, 2023, 09:20:32 AM
Their CEO has explained this hack. And as people here say, as long as users only use Bitcoin, it doesn't matter at all.
CEO Ledger has collaborated with law enforcement to follow up on this process. According to Pascal Gauthier, Ledger will implement a stronger security system in the future after this incident. Gauthier added that Ledger Connect Kit 1.1.8 is secure.

This source comes from Cointelegraph.
https://cointelegraph.com/news/ledger-ceo-explains-hack-calls-it-isolated-incident


Title: Re: Ledger seem compromised again
Post by: adaseb on December 16, 2023, 06:00:33 AM
All over Twitter people are filming themselves destroying their ledgers. This is numerous times that something like this has happened. Do you feel safe storing your crypto this way?

Ledger needs to be open sourced and the chances of this happening will be lower, however since they are for profit they obviously aren’t going to do that.

Best cold storage these days is anything that is open sourced.


Title: Re: Ledger seem compromised again
Post by: NeilLostBitCoin on December 16, 2023, 06:24:07 AM
I have a Ledger hardware wallet, but I don't feel safe storing it here because it has been compromised before. If there is more news of it being compromised again, I would be forced to sell it.

Quote
All over Twitter people are filming themselves destroying their ledgers. This is numerous times that something like this has happened. Do you feel safe storing your crypto this way?
Ledger needs to be open sourced and the chances of this happening will be lower, however since they are for profit they obviously aren’t going to do that.
Best cold storage these days is anything that is open sourced.

I don't think the company will refrain from doing such things because it's their business and they want to earn more profit. However, I hope they will take all the necessary measures to prevent such incidents from happening again in the future. If this issue persists, it could damage the reputation of the company. Who knows if potential customers will trust their hardware wallet if there are always security issues?


Title: Re: Ledger seem compromised again
Post by: Zaguru12 on December 16, 2023, 06:34:23 AM
Quote
All over Twitter people are filming themselves destroying their ledgers. This is numerous times that something like this has happened. Do you feel safe storing your crypto this way?

I think this is one of the last strokes for people using Ledger hardware wallets, they might not be affected yet especially people storing only bitcoin but what happens next? Their new recovery policy was already a warning and after this I would say people should be careful about the product.

Quote
Ledger needs to be open sourced and the chances of this happening will be lower, however since they are for profit they obviously aren’t going to do that.

They have actually opted to go for open source after the recovery saga and many users complained I don’t know if they have implemented it or not but still that won’t bring back the trust that has already been broken.

Quote
Best cold storage these days is anything that is open sourced.

Not that open source wallets are even 100% tamper proof from hacks, even the likes of Trezor still have their vulnerabilities although with the code public users who are tech savvy can easily detect a back door even though not all. I will consider a cold wallet set up by me personally on an airgap device more secure these days.


Title: Re: Ledger seem compromised again
Post by: SamReomo on December 16, 2023, 06:37:45 AM
Quote
If you are using ledger hardware wallet please do not connect to any dapps right now until further notice, it seems this hardware wallet is freaking too vulnerable to attacks right now.

I have been seeing that news on many Telegram channels that I have subscribed to, and other social media platforms are also reporting that news. If that's the case then one should be careful with the Ledger wallet. That's why I always recommend everyone to use an open-source software based wallet instead of relying on hardware wallets.

The open-source software wallets are much more secure as compared to the hardware wallets and I believe the ones who rely on hardware wallets can be in huge trouble. Trusting someone's hardware is a risky thing and that's why I believe software based personal wallets work like a charm. I would prefer to go with Electrum as that's the one I use and I will always recommend it.

I hope that users will be safe from this hack and they may not lose any of their funds due to the hardware wallet vulnerabilities. A reminder to those who save their Bitcoin on hardware wallets. Kindly, go with an open source software wallet and an air gapped system to be secure as a Bitcoin holder.


Title: Re: Ledger seem compromised again
Post by: Litzki1990 on December 16, 2023, 07:00:51 AM
Currently users are facing several issues with this hardware wallet. It is believed that users are facing such problems due to their security system being weak. This company once had a good reputation but due to weak security systems, their reputation has been ruined and their user base has dropped drastically. They are finding it difficult to survive in the market as they are now and not sure if this company can survive at all.


Title: Re: Ledger seem compromised again
Post by: pinggoki on December 16, 2023, 07:05:41 AM
Whoever was the weakest link in the backend of Ledger is going to have his ass handed to him, this isn't just some minor issue because a lot of people have trusted Ledger for a really long time and this happening to them is definitely a damage to their reputation. Hopefully the problem is going to be addressed and that they will find some way to compensate the people that was a victim of the hack and that the authorities are on the case because this is the type of cyber criminal that needs to be punished, no way that there's no malice involved in doing this unlike most hackers that do it for the challenge or the thrill.


Title: Re: Ledger seem compromised again
Post by: Jaycoinz on December 16, 2023, 07:11:23 AM
Quote
All over Twitter people are filming themselves destroying their ledgers. This is numerous times that something like this has happened. Do you feel safe storing your crypto this way?

Ledger needs to be open sourced and the chances of this happening will be lower, however since they are for profit they obviously aren’t going to do that.

Best cold storage these days is anything that is open sourced.

I don't have any business with ledger wallet whatsoever but it seems the hack was really big although the CEO is claiming they're doing everything under their power to actually maintain the issue from getting out of hand but it would be best for everyone that is using the wallet to actually lay off and stay on a low because it's better to play safe than be ignorant and suffer the cost.

Also read this article ledger wallet hack (https://thehackernews.com/2023/12/crypto-hardware-wallet-ledgers-supply.html?m=1) about some of the stolen assets worth $60000 has been frozen by the appropriate network in charge of the transaction.


Title: Re: Ledger seem compromised again
Post by: joniboini on December 16, 2023, 11:04:13 AM
Quote
the CEO is claiming they're doing everything under their power to actually maintain the issue from getting out of hand but it would be best for everyone that is using the wallet to actually lay off and stay on a low because it's better to play safe than be ignorant and suffer the cost.

The issue is related to their dapps software, not the HW itself as far as I understand it. Basically a lot of dapps use their connectkit to interact with web3 wallet and somebody managed to publish a fake version of it. While they've published the right version, people should at least clear their browser cache to ensure they don't cache the fake version. It doesn't matter whether you use Ledger HW or not, as long as your favorite dapps use Ledger's connectkit, you're at risk if you don't do that.

Ledger should improve how they educate their employees since all of this happens because of a phishing attack, which in theory should not be unfamiliar for people who work at a crypto company.
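
A check a dapp developer could run on their own project after the incident described above, as an added example that is not part of the thread or Ledger's code: it scans an npm lockfile for installed copies of the Connect Kit and flags any below 1.1.8, the version the thread reports as secure. The npm package name, the `example-*` names and the sample lockfiles are assumptions constructed for the example.

```javascript
// Added example (not from the thread): flag installed Connect Kit copies in an
// npm lockfile that are older than 1.1.8, the release the thread calls secure.
const PACKAGE_NAME = "@ledgerhq/connect-kit"; // assumption: name not given in the thread
const MIN_VERSION = "1.1.8";

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than version b.
// Missing or unparseable versions count as older so they get reviewed by hand.
function isOlder(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) return true;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Collect every installed copy, including copies nested under other packages.
// lockfileVersion 2/3 lists them under "packages"; version 1 nests "dependencies".
function findInstalls(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path.split("node_modules/").pop() === PACKAGE_NAME) {
        found.push({ where: path, version: entry.version });
      }
    }
    return found;
  }
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const where = trail ? `${trail} > ${name}` : name;
      if (name === PACKAGE_NAME) found.push({ where, version: entry.version });
      walk(entry.dependencies, where);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return one finding per installed copy; flagged means "below MIN_VERSION".
function auditLockfile(lockText) {
  const lock = JSON.parse(lockText);
  return findInstalls(lock).map((hit) => ({
    ...hit,
    flagged: isOlder(hit.version, MIN_VERSION),
  }));
}

// Constructed sample lockfiles (not real project data).
const SAMPLE_V3 = JSON.stringify({
  name: "example-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-dapp", version: "0.0.1" },
    "node_modules/@ledgerhq/connect-kit": { version: "1.1.7" },
    "node_modules/example-wallet-ui/node_modules/@ledgerhq/connect-kit": { version: "1.1.8" },
    "node_modules/@example/connect-kit": { version: "0.3.0" }, // different scope: ignored
  },
});
const SAMPLE_V1 = JSON.stringify({
  name: "example-dapp",
  lockfileVersion: 1,
  dependencies: {
    "example-wallet-ui": {
      version: "2.0.0",
      dependencies: { "@ledgerhq/connect-kit": { version: "1.1.6" } },
    },
  },
});

for (const sample of [SAMPLE_V3, SAMPLE_V1]) {
  for (const hit of auditLockfile(sample)) {
    console.log(`${hit.flagged ? "REVIEW" : "ok    "} ${hit.version} ${hit.where}`);
  }
}
```

A lockfile only describes what is installed at build time; script that a page fetches at runtime is outside this check.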


Title: Re: Ledger seem compromised again
Post by: Text on December 16, 2023, 11:18:24 AM
According to recent reports, Ledger’s Connect Kit software was compromised, and over $600K in crypto was reportedly drained. Ledger issued an update to its software a few hours after the incident, but users are advised to be cautious about interacting with apps for now. However, it’s important to note that Ledger’s software inside of the hardware wallet was not compromised. The issue lies with the Ledger Connect Kit software, not the hardware wallet itself. So, while your crypto assets should still be secure, it’s recommended to avoid connecting to any decentralized applications temporarily until further notice.

https://economictimes.indiatimes.com/news/international/us/why-has-hardware-wallet-manufacturer-ledger-warned-users-not-to-connect-to-any-dapps/articleshow/106000442.cms
https://insidebitcoins.com/news/ledgers-crypto-nft-hardware-wallet-got-hacked-over-600k-crypto-drained
https://finance.yahoo.com/news/ledger-wallets-drained-crypto-latest-165413366.html


Title: Re: Ledger seem compromised again
Post by: gmaxwell on December 17, 2023, 12:12:19 AM
I wonder if Ledger is regretting their decision to support scamcoins yet? -- seems like it may ultimately cost them their business.

It's hard enough to handle bitcoin securely, but to handle alternatives whose designs have big security problems and then to support a thousand of them? It's a recipe for disaster on the basis of complexity alone.


Title: Re: Ledger seem compromised again
Post by: Rikafip on December 20, 2023, 01:26:37 PM
Good news for all those that lost money in recent hack (I hope no one here was affected) as Ledger just announced via Twitter that they plan to reimburse all those that lost their money ($600k). Plan is to reimburse everyone until end of February 2024. I guess they realized that their reputation is fucked so now they are trying to smoothen things up.

We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.

We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.

Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.

Read more:

We affirm our CEO & Chairman @_pgauthier’s promise to make sure victims who had their assets stolen on Dec 14th, 2023 by the attacker together with angel drainer are made whole, including users who are not Ledger customers.

We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.


Title: Re: Ledger seem compromised again
Post by: benalexis12 on December 20, 2023, 02:50:36 PM
Quote
Good news for all those that lost money in recent hack (I hope no one here was affected) as Ledger just announced via Twitter that they plan to reimburse all those that lost their money ($600k). Plan is to reimburse everyone until end of February 2024. I guess they realized that their reputation is fucked so now they are trying to smoothen things up.

We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.

We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.

Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.

Read more:

We affirm our CEO & Chairman @_pgauthier’s promise to make sure victims who had their assets stolen on Dec 14th, 2023 by the attacker together with angel drainer are made whole, including users who are not Ledger customers.

We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.

That's good news if the ledger is going to do that for the users of the ledger who are affected by what has already been compromised. Actually, this incident that happened is quite alarming.

But since they have a reimbursement to make to those affected by that issue, for sure their users will be happy, and this is good news for them so that their trust will still remain in the ledger. That's how I see it, and that's a good step.


Title: Re: Ledger seem compromised again
Post by: Gladitorcomeback on December 20, 2023, 03:08:41 PM
Quote
Good news for all those that lost money in recent hack (I hope no one here was affected) as Ledger just announced via Twitter that they plan to reimburse all those that lost their money ($600k). Plan is to reimburse everyone until end of February 2024. I guess they realized that their reputation is fucked so now they are trying to smoothen things up.

There is no way except this step to retain the trust of crypto users and web3 platforms. This is positive news for all users whose wallet drained especially lost big. Besides reimbursing the plan for tighten the security is also good news where signing system will be become strong.

Online security plays an important role in the world of cryptocurrency. Cryptocurrencies are considered secure because they operate on a blockchain, however this type of incident will create fear so it should be tightened to an extreme level so that no one even thinks about breaking security.


Title: Re: Ledger seem compromised again
Post by: Dunamisx on December 20, 2023, 03:19:31 PM
Quote
If you are using ledger hardware wallet please do not connect to any dapps right now until further notice, it seems this hardware wallet is freaking too vulnerable to attacks right now.

It was back then when ledger hardware wallet was making fame because users find nothing against it used and will always want to have it among the most recommended wallets, but now things are no more like that with the same hardware wallet, ledger has compromised privacy and data leak, we need to get used to this related activities because that is one of the reasons we must always stay updated to know about the security challenges or privacy breach from any of the kinds of wallet we are using.


Title: Re: Ledger seem compromised again
Post by: joniboini on December 21, 2023, 01:25:54 AM
Quote
But since they have a reimbursement to make to those affected by that issue, for sure their users will be happy, and this is good news for them so that their trust will still remain in the ledger. That's how I see it, and that's a good step.

Eh, if I were affected I'd probably stop using them even after they reimburse me. This blind signing aside, they made many questionable decisions in the last few months that users should be aware of. The more worrying thing is the reliance on their connectkit by dapps developers. They should improve their internal security and fix how a new update is published so that one phishing attack doesn't result in the same thing, while developers try to build/use alternatives so that they don't make chain attacks easier. CMIIW.


Title: Re: Ledger seem compromised again
Post by: MusaMohamed on December 21, 2023, 01:50:35 AM
Quote
Eh, if I were affected I'd probably stop using them even after they reimburse me. This blind signing aside, they made many questionable decisions in the last few months that users should be aware of.

Did you imply about their new product, Ledger Recover?

Ledger Recover (https://www.ledger.com/recover) and Ledger Recover FAQs (https://support.ledger.com/hc/en-us/articles/9579368109597-Ledger-Recover-FAQs?docs=true)

That new product from Ledger is sucky as the root cause to use a hardware wallet is to have our control on our wallet private keys/ wallet mnemonic seeds and don't rely on any party to have access to private keys, wallet seeds and our bitcoin.

Months ago, with release of Ledger Recover product, they give Ledger users an option to back up wallets with engagement of three parties. It sucks!

Quote
The more worrying thing is the reliance on their connectkit by dapps developers. They should improve their internal security and fix how a new update is published so that one phishing attack doesn't result in the same thing, while developers try to build/use alternatives so that they don't make chain attacks easier. CMIIW.

It is a bad idea from Ledger developers but users themselves have their own responsibilities too.

Hardware wallets must be used for storing their main capital.

If they want to interact with smart contracts, new projects, they must move their cryptocurrencies from a hardware wallet to some different smaller wallets. And they can use those wallets for smart contract interaction explorations, with other wallets like Metamask, MyEtherwallets and more.


Title: Re: Ledger seem compromised again
Post by: headingnorth on December 21, 2023, 04:33:05 AM
I wouldn't trust anything involving shitcoins aka altcoins, web3, dapps, nfts all just a bunch of great ways to lose your money.

All of the above are just a bunch of stupid fancy buzzwords but in reality are nothing but high tech scams that have little to nothing in common with bitcoin,
the only truly trustless and decentralized asset. Every single day for the last 10 years you hear constantly about people getting scammed with this garbage,
and yet people still don't learn.

You know what they say idiots and their money are soon parted.


Title: Re: Ledger seem compromised again
Post by: Abiky on December 21, 2023, 09:36:16 PM
Quote
Good news for all those that lost money in recent hack (I hope no one here was affected) as Ledger just announced via Twitter that they plan to reimburse all those that lost their money ($600k). Plan is to reimburse everyone until end of February 2024. I guess they realized that their reputation is fucked so now they are trying to smoothen things up.

Ledger already lost its reputation when it introduced a recovery service meant to restore access to your seed. The hack involving Ledger Connect only adds more fuel to the fire. Noobs won't care about this, but crypto veterans like me will start looking for other alternatives. If the majority of Ledger's customers are crypto veterans, then this will mark the end of its business for good. We are yet to see whether the company will survive or fade away into oblivion.

For what I know, there are plenty of alternatives that put security/reliability above all else. Open source hardware wallets like Jade and Passport are starting to gain traction. Let's see if Ledger will be able to keep up with the competition. As long as we have multiple hardware wallets to choose from, nothing else matters. :)


Title: Re: Ledger seem compromised again
Post by: livingfree on December 21, 2023, 09:39:42 PM
Quote
Good news for all those that lost money in recent hack (I hope no one here was affected) as Ledger just announced via Twitter that they plan to reimburse all those that lost their money ($600k). Plan is to reimburse everyone until end of February 2024. I guess they realized that their reputation is fucked so now they are trying to smoothen things up.

We are 100% focused on following up to last week’s security incident, making sure incidents like this are prevented in the future, and that the ecosystem remains safe.

We are aware of approximately $600k in assets impacted, stolen from users blind signing on EVM DApps.

Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024.

Read more:

We affirm our CEO & Chairman @_pgauthier’s promise to make sure victims who had their assets stolen on Dec 14th, 2023 by the attacker together with angel drainer are made whole, including users who are not Ledger customers.

We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.

That's good news for those affected on it. But I guess this is going to be the last time that they'd do a refund for the affected users since it is their fault.

Next time that something like this happens again, I don't think that they'll initiate a refund against the actions of these users. Both are at fault but Ledger should stop making a lot of support for these projects and should only stay to a few chosen.

Quote
Ledger already lost its reputation when it introduced a recovery service meant to restore access to your seed.

Yeah, that recover feature. That already made a huge noise on their reputation but we're not their target with such feature and sadly, despite the community's action against that. There will be newbies that will embrace that feature.


Title: Re: Ledger seem compromised again
Post by: Rikafip on December 22, 2023, 04:45:52 PM
Quote
Ledger already lost its reputation when it introduced a recovery service meant to restore access to your seed.

They maybe lost reputation among more knowledgeable userbase, but vast majority of their users probably never even heard about recovery service and what's even worse, they wouldn't even mind using it once introduced.


Quote
Let's see if Ledger will be able to keep up with the competition.

Unfortunately, situation is opposite and Ledger is still the market leader, despite all the mistakes made in the last couple of years and imho it will need a major breach for them to lose that spot.


Title: Re: Ledger seem compromised again
Post by: PrivacyG on December 22, 2023, 08:51:46 PM
Quote
I wonder if Ledger is regretting their decision to support scamcoins yet? -- seems like it may ultimately cost them their business.

I doubt they do.  They earned most of their income and profit through Shit Coins.  Otherwise I doubt any body would have preferred Ledger on top of Trezor.

Supporting Shit Coins seems to be their purpose and priority.  Unfortunately a few of us will say it was a mistake but most of their customers will keep praising them for supporting all the Coins we never really needed.