Bitcoin Forum
Author Topic: 🚨🚨🚨 DON'T USE ANY DAPP(Ledger's ConnectKit library compromised)  (Read 220 times)
Gladitorcomeback (OP)
December 14, 2023, 01:15:27 PM
Last edit: December 14, 2023, 01:44:38 PM by Gladitorcomeback
 #1

Don't interact with any dapp using your wallet, because many applications have been compromised and news is coming in that users' wallets were hacked while using Revoke.cash. Wait for further details.

This is the biggest hack of the year, as it's not limited to one particular project or contract. The whole Ledger library has been compromised. Panic selling has started already, but I hope all will be normal in 24 hours. All Bitcointalk members, especially airdrop hunters, kindly be safe and don't use any dapp.

Quote
Warning: Multiple popular crypto applications that integrate with Ledger's ConnectKit library, including Revoke.cash have been compromised. We temporarily took the website offline as we're investigating further. We recommend not using *any* crypto website at all while this exploit is ongoing.

Source:
https://twitter.com/RevokeCash/status/1735282669808717958?s=19

julerz12
December 14, 2023, 02:56:19 PM
Merited by Pmalek (2), hugeblack (2)
 #2

Ledger already made an update about this.
Quote
Update:

The malicious version of the file was replaced with the genuine version at around 2:35pm CET.

The new genuine version should be propagated soon.

We will provide a comprehensive report as soon as it’s ready.

In the meantime, we’d like to remind the community to always Clear Sign your transactions - remember that the addresses and the information presented on your Ledger screen is the only genuine information.

If there’s a difference between the screen shown on your Ledger device and your computer/phone screen, stop that transaction immediately.
Source: https://twitter.com/Ledger/status/1735298142118072512

Also found this tweet on how to check if you have the malicious library cached
Quote
The ledger issue is now fixed.

To make sure you don't have the malicious library cached, go to https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1 and ensure the version is 1.1.8.

If it's not, clear your cache. Chrome: F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data.
Source: https://twitter.com/Mudit__Gupta/status/1735301007188406681
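
The `@1` in the jsDelivr URL quoted above is a version range, not a fixed release, so what a page receives from that URL changes whenever a new 1.x version is published. The following is an added example, not part of the original posts and not Ledger's code: a JavaScript audit that flags `<script>` tags and loader source referencing jsDelivr npm packages by range or without an `integrity` attribute. The sample HTML, the loader snippet, the package name `example-lib` and the digest placeholder are constructed for illustration.

```javascript
// Added example: audit a dapp front end for jsDelivr npm references that
// float on a version range or load without Subresource Integrity (SRI).
// All sample input below is constructed for illustration.

// jsDelivr npm URL layout: /npm/<package>[@<version-or-range>][/<file>]
const JSDELIVR_NPM =
  /https?:\/\/cdn\.jsdelivr\.net\/npm\/((?:@[\w.-]+\/)?[\w.-]+)(?:@([^\/\s"'`<>]+))?(\/[^\s"'`<>]*)?/;

// Only a full x.y.z version names one immutable npm release.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Parse one URL; returns null when it is not a jsDelivr npm URL.
function parseCdnUrl(url) {
  const m = JSDELIVR_NPM.exec(url);
  if (!m || m.index !== 0) return null; // must be the URL itself, not a query value
  const version = m[2] || null; // null means "whatever is latest"
  return {
    url: m[0],
    pkg: m[1],
    version,
    pinned: version !== null && EXACT_SEMVER.test(version),
  };
}

// Collect the attributes of every <script> start tag. Regex-based on purpose
// to stay dependency-free; use a real HTML parser for production audits.
function scriptTags(html) {
  const tags = [];
  for (const tag of html.matchAll(/<script\b([^>]*)>/gi)) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
    for (const a of tag[1].matchAll(attrRe)) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

// Classify each jsDelivr-hosted script tag.
function auditHtml(html) {
  const findings = [];
  for (const attrs of scriptTags(html)) {
    const ref = attrs.src ? parseCdnUrl(attrs.src) : null;
    if (!ref) continue; // first-party or non-jsDelivr script
    const hasSri = /^sha(256|384|512)-\S+/.test(attrs.integrity || '');
    let verdict;
    if (ref.pinned && hasSri) verdict = 'ok';
    else if (ref.pinned) verdict = 'pinned-no-sri';
    else if (hasSri) verdict = 'floating-sri-breaks-on-update';
    else verdict = 'floating-no-sri';
    findings.push({ pkg: ref.pkg, version: ref.version, verdict });
  }
  return findings;
}

// Loader code that injects a script at runtime never appears as a tag, so
// also scan source text for range-based URLs.
function floatingRefsInSource(source) {
  const re = new RegExp(JSDELIVR_NPM.source, 'g');
  return [...source.matchAll(re)]
    .map((m) => parseCdnUrl(m[0]))
    .filter((ref) => ref !== null && !ref.pinned)
    .map(({ pkg, version }) => ({ pkg, version }));
}

// Constructed sample page. "example-lib" and the digest are placeholders.
const SAMPLE_HTML = `
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1"></script>
<script src="https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.8"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/example-lib@2.3.4/dist/example.min.js"></script>
<script src="/static/app.js"></script>
`;

// Constructed loader snippet that injects the range-based URL at runtime.
const SAMPLE_LOADER = `
  const s = document.createElement('script');
  s.src = 'https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1';
  document.head.appendChild(s);
`;

console.log(auditHtml(SAMPLE_HTML));
console.log(floatingRefsInSource(SAMPLE_LOADER));
```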

AirtelBuzz
December 14, 2023, 03:20:08 PM
 #3

Quote from: Gladitorcomeback
Don't interact with any dapp using your wallet, because many applications have been compromised and news is coming in that users' wallets were hacked while using Revoke.cash. Wait for further details.

This is the biggest hack of the year, as it's not limited to one particular project or contract. The whole Ledger library has been compromised. Panic selling has started already, but I hope all will be normal in 24 hours. All Bitcointalk members, especially airdrop hunters, kindly be safe and don't use any dapp.

Quote
Warning: Multiple popular crypto applications that integrate with Ledger's ConnectKit library, including Revoke.cash have been compromised. We temporarily took the website offline as we're investigating further. We recommend not using *any* crypto website at all while this exploit is ongoing.

Source:
https://twitter.com/RevokeCash/status/1735282669808717958?s=19

The drainer actually pops up on top of the real Connect Wallet.

You will still need to connect and sign before getting drained, but it's better not to test it, as one can easily overlook it while connecting with a real dapp.

Twitter/X: https://twitter.com/iambullsworth/status/1735290127847415832?t=Lv6vV8_qZYUXy4XvcKECeA&s=19

cheezcarls
December 14, 2023, 03:39:34 PM
 #4

Quote from: AirtelBuzz
Quote from: Gladitorcomeback
Don't interact with any dapp using your wallet, because many applications have been compromised and news is coming in that users' wallets were hacked while using Revoke.cash. Wait for further details.

This is the biggest hack of the year, as it's not limited to one particular project or contract. The whole Ledger library has been compromised. Panic selling has started already, but I hope all will be normal in 24 hours. All Bitcointalk members, especially airdrop hunters, kindly be safe and don't use any dapp.

Quote
Warning: Multiple popular crypto applications that integrate with Ledger's ConnectKit library, including Revoke.cash have been compromised. We temporarily took the website offline as we're investigating further. We recommend not using *any* crypto website at all while this exploit is ongoing.

Source:
https://twitter.com/RevokeCash/status/1735282669808717958?s=19

The drainer actually pops up on top of the real Connect Wallet.

You will still need to connect and sign before getting drained, but it's better not to test it, as one can easily overlook it while connecting with a real dapp.

Twitter/X: https://twitter.com/iambullsworth/status/1735290127847415832?t=Lv6vV8_qZYUXy4XvcKECeA&s=19

So it pops up on top of the main pop-up. But if you close it, it will automatically appear again, right? Those people who were not using common sense and were simply in a rush to connect most likely got victimized and had their wallets drained once and for all.

Even if they say that it’s under control, I’ll just pause DeFi activities for a day and see what happens. I manually disconnected my MetaMask from all dapps for now. As for my Ledger, it’s completely safe because I didn’t touch it for a very long while.

Both Web3 and DeFi still have a long way to go to become relevant on the security side. These hackers are not stopping, as they become more intelligent and smarter over time, so we have to upgrade our “common sense” too.

Pmalek
December 14, 2023, 04:35:38 PM
 #5

Now I finally understand how this works. It's like a sophisticated phishing scam where a malicious Wallet Connect window pops up over the official one. It still requires physical authorization from Ledger users. It can't do anything without it. Those who don't pay attention and don't compare the information on the screen with what is displayed on the hardware wallet, give authorization to the scam attempt that steals the tokens.

The information I found is that around $600,000 has been stolen in a few hours with this drainer.

Gladitorcomeback (OP)
December 14, 2023, 05:02:56 PM
 #6


Quote from: julerz12
Also found this tweet on how to check if you have the malicious library cached
Quote
The ledger issue is now fixed.

To make sure you don't have the malicious library cached, go to https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1 and ensure the version is 1.1.8.

If it's not, clear your cache. Chrome: F12 > Chrome Developer Tools > Application tab > Storage in left tree > Clear site data.
Source: https://twitter.com/Mudit__Gupta/status/1735301007188406681

Thanks, Julerz, for the update. At first a 24-hour wait was suggested, but thank God the issue has been resolved earlier. Cookie clearance is needed on some devices, and I hope all users have already followed the above step.

Quote from: Pmalek
Now I finally understand how this works. It's like a sophisticated phishing scam where a malicious Wallet Connect window pops up over the official one. It still requires physical authorization from Ledger users. It can't do anything without it. Those who don't pay attention and don't compare the information on the screen with what is displayed on the hardware wallet, give authorization to the scam attempt that steals the tokens.

The information I found is that around $600,000 has been stolen in a few hours with this drainer.

Yes, if you open Twitter you will see many users crying over lost funds. I saw one tweet about $3k lost, and the user said that there is no transaction found by which his funds disappeared from the wallet. This is the first time I have heard of this kind of scam attack. Unfortunately, many users became victims because everyone was using dapps as normal and no one even thought that this kind of issue would ever happen.

tabas
December 14, 2023, 06:43:06 PM
 #7

I've seen this news on CoinMarketCap in the top community post from Lark Davis, although it has been fixed now, as Ledger has said. Whenever there are compromises like this from Ledger or any hardware wallet company, the guy said, just don't do anything and never connect your wallet to dApps. That's the quote from him, so if the same thing happens again in the future (not asking for it), that's what people have to do.

joniboini
December 15, 2023, 03:29:54 AM
 #8

At first, I thought this only affected the Ledger wallet. However, reports suggest that the compromised library is basically an open-source software that is used by tons of dapps[1]. It is wild how the attacker managed to steal one of Ledger's npm accounts by doing a phishing attack. I'd expect all Ledger companies to be familiar with it. On the other hand, maybe relying on one software is not really a good idea for developers since they can be blamed for stuff that is likely outside of their control.

[1] https://blog.sonatype.com/decrypting-the-ledger-connect-kit-compromise-a-deep-dive-into-the-crypto-drainer-attack

Yamane_Keto
December 15, 2023, 04:30:05 AM
Merited by Pmalek (2)
 #9

The number of reviews that these open source libraries receive makes them closed source. The biggest problem is the laziness of the developers and their reliance on one open source library and building on it. All of these factors make the entire dapps industry seem as if it is centralized with one point of failure, even if the applications are open source. On the contrary, open source may be an opportunity for hackers to look for vulnerabilities when there are not enough code reviews. The stolen amounts reported are not large, but this warning should be sufficient to confirm that all of these services have a central point of failure.

Pmalek
December 15, 2023, 03:13:40 PM
 #10

Quote from: Gladitorcomeback
I saw one tweet about $3k lost, and the user said that there is no transaction found by which his funds disappeared from the wallet.

That can't be. There have to be blockchain records when coins and tokens are moved. Perhaps he thinks he never gave the fake pop-up the needed permissions or he is simply lying. Another problem could be synchronization issues where the wallet he is using isn't 100% synced with the network to the point of displaying the latest transactions. Even then, he can find them by checking the affected address on a blockchain explorer.

Quote from: joniboini
It is wild how the attacker managed to steal one of Ledger's npm accounts by doing a phishing attack. I'd expect all Ledger companies to be familiar with it.

I guess you wanted to say all Ledger employees. Ledger's official stance is that one of their ex-employees was hacked, which is weird in itself.

Gladitorcomeback (OP)
December 15, 2023, 03:26:10 PM
 #11

Quote from: Pmalek
Quote from: Gladitorcomeback
I saw one tweet about $3k lost, and the user said that there is no transaction found by which his funds disappeared from the wallet.

That can't be. There have to be blockchain records when coins and tokens are moved. Perhaps he thinks he never gave the fake pop-up the needed permissions or he is simply lying. Another problem could be synchronization issues where the wallet he is using isn't 100% synced with the network to the point of displaying the latest transactions. Even then, he can find them by checking the affected address on a blockchain explorer.

I think so too. I think his wallet is not synced completely, which is why he missed the transaction on the blockchain, and the wallet is also unable to show it before syncing. I experienced this issue with the Utopia app, and sometimes after a network change in MetaMask the price shows for the old network. BTW, all dapps are working normally now, but bad luck for the users who lost funds in such a bad incident.

PX-Z
December 15, 2023, 03:47:01 PM
 #12

Will Ledger be liable for this loss? Is there any announcement of reimbursement of the hacked funds? If there's none, then it's time to drop Ledger products. The more they want to expand their products, the shittier they get. What a shame!

ScamViruS
December 15, 2023, 04:42:32 PM
 #13

It is actually very important for every crypto user to be careful at every step, because a small mistake can lead to huge losses here. Security experts still think that users who connected their wallets to affected sites are still at risk. The situation is actually worse for crypto users who, due to their own laziness, have connected their wallets without proper verification. Wallets like Ledger were targeted by hackers, and they succeeded here. They have hacked a considerable amount of funds.

Quote
Ledger Exploit Drained $484K, Upended DeFi; Former Staffer Linked to Malicious Code
Security firm Blockaid's CEO told CoinDesk that users are still at risk.

https://www.coindesk.com/business/2023/12/14/ledger-exploit-drained-484k-upended-defi-former-staffer-linked-to-malicious-code/

Pmalek
December 16, 2023, 07:55:14 AM
 #14

Quote from: PX-Z
Will Ledger be liable for this loss? Is there any announcement of reimbursement of the hacked funds?

I doubt it. I am pretty sure that their TOS (that everyone agrees to when purchasing and using Ledger software and hardware) says they are not responsible for any mistakes you make or any loss of funds. That's not exclusive to Ledger, though. They have stated that they will be in contact with the affected parties, probably trying to recover their coins. Some media already reported that addresses connected to the drained crypto have been frozen. Ledger will surely assist in whatever investigation comes from it.

Quote from: ScamViruS
Security experts still think that users who connected their wallets to affected sites are still at risk.

Ledger has patched the vulnerable library and released a new Ledger Connect kit version. Now, every website that used the code from the older malicious libraries needs to perform the update on their end. Additionally, DApp users need to ensure that they are running version 1.18 on their machines as well.

hugeblack
December 16, 2023, 08:35:03 AM
 #15

Quote from: Gladitorcomeback
I saw one tweet about $3k lost, and the user said that there is no transaction found by which his funds disappeared from the wallet.

Add to this the possibility that competing companies will take advantage of this situation and spread rumors and lies about losses.
Overall, Ledger has put itself in an embarrassing situation, starting from lying about access to the private key, firing employees, leaking customer data, and up to this point. I think they need to announce that they are going to an open source company and rename their product instead of continuing with the current policy.

CODE200
December 16, 2023, 08:48:27 AM
 #16

Quote from: Pmalek
Now I finally understand how this works. It's like a sophisticated phishing scam where a malicious Wallet Connect window pops up over the official one. It still requires physical authorization from Ledger users. It can't do anything without it. Those who don't pay attention and don't compare the information on the screen with what is displayed on the hardware wallet, give authorization to the scam attempt that steals the tokens.

Totally sophisticated, it aims for the weakness of the human mind to pay less attention to the habitual and mundane stuff that they do. A lot of those people that have fallen for this were definitely not paying attention to which one they were selecting, because you can't really blame them; they didn't expect that they were going to be victims of that phishing scam, and they trust Ledger, so they've become complacent about what they need to do when it comes to that kind of stuff. Hopefully, when the scam finally becomes public knowledge, no one will become a victim of this attack.

Quote from: Pmalek
The information I found is that around $600,000 has been stolen in a few hours with this drainer.

That's actually an impressive response from Ledger, to only have $600k worth of crypto becoming compromised. I feel bad for those people that were part of that $600k, because you never know if someone that had their money stolen really needs that money for something involving health emergencies; that must be an awful feeling to have.



Pmalek
December 16, 2023, 09:20:23 AM
 #17

Quote from: hugeblack
I think they need to announce that they are going to an open source company and rename their product instead of continuing with the current policy.

Open-sourcing their future work would be a positive step in the right direction, but I doubt they will take it. It also doesn't change the fact that their firmware was always closed-source up to this point. And you can't change the past and everything wrong or nasty that you perhaps committed in it. Even if they open-sourced all their past firmware releases, who is to say they didn't filter out everything bad (if there is something bad) before releasing it to the public?

Quote from: CODE200
That's actually an impressive response from Ledger, to only have $600k worth of crypto becoming compromised.

It was just luck. It could also have been $600 million if a lot more users or whales connected and blindly used their hardware wallets during the time the threat was live.
The only thing about this whole situation that deserves praise on Ledger's side (if it's true) is that they fixed the vulnerability in 40 minutes after finding out about it. But it shouldn't have happened in the first place, lowering the importance of their fix.

CODE200
December 17, 2023, 09:28:54 AM
 #18

Quote from: Pmalek
Quote from: CODE200
That's actually an impressive response from Ledger, to only have $600k worth of crypto becoming compromised.

It was just luck. It could also have been $600 million if a lot more users or whales connected and blindly used their hardware wallets during the time the threat was live.
The only thing about this whole situation that deserves praise on Ledger's side (if it's true) is that they fixed the vulnerability in 40 minutes after finding out about it. But it shouldn't have happened in the first place, lowering the importance of their fix.

I don't think luck is going to take that hacker that far; inserting code to exploit the vulnerability takes some skills to be able to pull off. That's not something that can be done with just luck, because programming is a difficult job to do, and if you don't know what you're doing and you're bad at math, you can't just wish to have luck for your program or code to work. So yeah, it's not luck, maybe coincidence, because some of the users that became victims of this were careless enough to not notice that they were sending money to a different wallet. Also, I clearly said the part that deserves the praise, so I don't get why you have to mention it again; I guess I didn't add the time of the response against the vulnerability. Hope that we can see some news about the recovery of the stolen funds.



hugeblack
December 17, 2023, 10:03:54 AM
 #19

Quote from: Pmalek
Open-sourcing their future work would be a positive step in the right direction, but I doubt they will take it. It also doesn't change the fact that their firmware was always closed-source up to this point. And you can't change the past and everything wrong or nasty that you perhaps committed in it. Even if they open-sourced all their past firmware releases, who is to say they didn't filter out everything bad (if there is something bad) before releasing it to the public?

They need to regain trust. They have design, expertise and the company was actually achieving successes until last year despite many question marks raised by buyers. Renaming the new product, making it open source and keeping the old company/old products for those who want to trust them will create a balance. Some may not think about leaving the service.
Note that so far, there has been no direct loss of customer funds, so I believe they still have a buyer base.

Pmalek
December 17, 2023, 01:18:09 PM
 #20

Quote from: CODE200
I don't think luck is going to take that hacker that far; inserting code to exploit the vulnerability takes some skills to be able to pull off. That's not something that can be done with just luck, because programming is a difficult job to do, and if you don't know what you're doing and you're bad at math, you can't just wish to have luck for your program or code to work...

I never said that whoever created the vulnerability did it because they were lucky. My reply to your previous post concerned the amount of money that was stolen with the exploit. It was only around $600k (unless something changed in the meantime). That's what I meant when I said that Ledger was lucky, and they didn't do anything impressive.
