Token Dispatch

Token Dispatch

Share this post

Token Dispatch
Token Dispatch
Watch that Ledger 📒
Copy link
Facebook
Email
Notes
More
User's avatar
Discover more from Token Dispatch
Your daily crypto fill, from the deep, dark burrows of the blockchain. Handpicked and crafted with love by human bots 🤟
Over 198,000 subscribers
Already have an account? Sign in
Rabbit Hole

Watch that Ledger 📒

How a malicious code inserted by a compromised employee led to half a million being stolen from DeFi users. The latest Ledger wallet exploit raises questions on security and the impact on DeFi trust.

Token Dispatch's avatar
Nameet Potnis's avatar
Thejaswini M A's avatar
Token Dispatch
,
Nameet Potnis
, and
Thejaswini M A
Dec 17, 2023
3

Share this post

Token Dispatch
Token Dispatch
Watch that Ledger 📒
Copy link
Facebook
Email
Notes
More
Share

Hello, y'all. Get your Sunday game on frens 👇

Guess-the-song for the artist you pick.
Leaderboard to share your scores.
Bragging rights to take home.

A complete go. Check out 👉 Asset - Music Nerd.

This is The Token Dispatch 🙌 you can hit us on telegram 🤟


Rogue actors.

Massive data dump.

Hardware wallet company in turmoil.

Let's dive into the latest Ledger Wallet mishap.

Ledger, a leading manufacturer of hardware wallets for cryptocurrencies, faced a significant security breach in December 2023.

The attack, classified as a supply chain compromise, exploited a vulnerability in the "Ledger Connect Kit," a library used by decentralised applications (dApps) to interact with Ledger wallets.

@MathewLilley

What Happened?

It all began when a former Ledger employee unwittingly fell for a phishing scam.

His name and email address ended up entangled in the compromised code.

Initially, folks in the crypto community pointed fingers at the developer, suspecting him as the culprit.

However, Ledger later clarified that the attack's genesis lay in the ex-employee's phishing mishap.

  • Affected software: Ledger Connect Kit (v1.1.7), a javascript library used by many dApps to connect to Ledger wallets.

  • Compromised Library: A malicious actor gained access to the NPMJS account of a former Ledger employee and injected malicious code into the Ledger Connect Kit.

  • DApp Targeting: The compromised library triggered a pop-up prompting users to connect their Ledger wallets when interacting with certain dApps.

  • Platforms Affected: MetaMask, Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash are among the protocols that have been impacted.

@MetaMask
@SushiSwap
  • Token Draining: Once connected, the malicious code siphoned crypto assets and NFTs from unsuspecting users' wallets.

Impact and Response

  • Financial Losses: While the exact amount stolen remains unclear, estimates range from $484,000 to $600,000.

@lookonchain
  • User Data: Ledger assures no personal information like passwords or private keys were exposed. However, some user email addresses and phone numbers might have been compromised in a separate 2020 data leak.

  • Ledger's Response: The company promptly acknowledged the attack, disabled the compromised library, and advised users to avoid dApps and update their firmware and apps to the latest versions.

A letter from Ledger Chairman & CEO Pascal Gauthier Regarding Ledger Connect Kit Exploit | Ledger

@_pgauthier

New Sheriff in Town: Meet Matt Johnson

First up, we've got Matt Johnson, Ledger's new Chief Information Security Officer (CISO).

His mission? Sorting out the chaos after a massive data breach exposed customer info. Matt didn't have a quiet first week at work, that's for sure.

Data Security Reinvented

Now, Ledger's rolling out a new data security plan.

Ledger has now rolled out a new Connect Kit version (1.1.8), with automatic updates for all using it.

However, caution remains the watchword.

They promise never to ask for your 24 recovery words (phew!). Plus, they're cutting down on holding your personal data, minimising its display in emails, and creating secure channels for customer communication.

@ledger

But Ledger isn't playing the victim here.

They're teaming up with Chainalysis to hunt down the culprits and offering a whopping 10 BTC bounty for info leading to the hackers' capture.

Shopify's role?

Ledger has unveiled that rogue actors at its e-commerce partner, Shopify, played a role in the data breach.

These individuals exposed a treasure trove of customer records, including emails, names, postal addresses, and phone numbers.

  1. In December 2020, Ledger, the hardware wallet company, was informed by e-commerce giant Shopify of an incident.

  2. The incident involved rogue member(s) of Shopify's support team.

  3. These agents had illegally exported customer transactional records.

  4. The breach occurred in April and June 2020.

  5. Astonishingly, Ledger was not initially aware of its involvement in this data breach.

  6. Shopify disclosed the data breach in September 2020, affecting over 200 merchants.

  7. The revelation that Ledger was also targeted emerged only on December 23, 2020.

  8. Shopify informed Ledger that it was cooperating with law enforcement in investigating the matter.

  9. Ledger enlisted the help of forensic firm Orange Cyberdefense.

  10. Their investigation uncovered that while the stolen database contained records of 20,000 new customers.

The attack may have affected the entire Ethereum Virtual Machine (EVM) ecosystem.

@LineaBuild

Ethereum Name Service developer Nick Johnson, citing past Ledger breaches, expressed doubts about recommending Ledger's hardware or libraries.

He noted Ledger's consistent disregard for operational security, suggesting they no longer deserve the benefit of the doubt regarding improvement.

@nicksdjohnson

The history

Ledger has unfortunately faced several security incidents over the years.

July 2020: Ledger experiences a data breach.

  • Unauthorised access is gained to e-commerce and marketing databases.

  • Approximately 9,500 customers are affected.

  • December 2020: Shopify Data Breach Incident

2021, June 28th: Ledger acknowledged a phishing campaign targeting their customers, attempting to steal private keys and seed phrases.


TTD Week That Was 📆

Saturday: VC eyes on Crypto 2024 👀

Friday: BONK Fest 🎉

Thursday: Happy 2024? 🥳

Wednesday: Bitcoin's 'whodunnit' 👀

Tuesday: Game On 🎮

Monday: HODL tight fellas 🤌🏻


TTD Week in Funding 💰

  • Dynamic Labs. $13.5 million. Non-custodial wallet tools for developers the ability to incorporate FaceID and TouchID into web3 wallet design.

  • Andalusia Labs. $48 million. Technology solutions addressing the blockchain security. Risk management infrastructure for digital assets.

  • Lolli. $8 million. Rewards app that allows users to earn bitcoin and cash back rewards when shopping at over 25,000 stores.


If you like us, if you don't like us .. either ways do tell us✌️

If you dig what we do, show us love on Twitter, Instagram & Threads🤞

So long. OKAY? ✋

The Token Dispatch is a daily newsletter that takes you on a 4-5 minute drive through the wild west of the Crypto World. Daily in your email inbox @13:00 GMT. Almost always.

ava miller's avatar
Nameet Potnis's avatar
ranjit's avatar
3 Likes
3

Share this post

Token Dispatch
Token Dispatch
Watch that Ledger 📒
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

User's avatar
The 2024 Airdrop Gold Rush 💰
How will crypto airdrops play out in 2025, in the backdrop of $15 billion token giveaway in 2024.
Jan 5 • 
Token Dispatch
 and 
Thejaswini M A
119

Share this post

Token Dispatch
Token Dispatch
The 2024 Airdrop Gold Rush 💰
Copy link
Facebook
Email
Notes
More
What'll 2025 Bring for Crypto Stocks? 🕰️
Will crypto stocks ride the 2024 record gains in 2025? We look at the narrative for this year, in this week’s Wormhole.
Jan 4 • 
Token Dispatch
 and 
Prathik Desai
95

Share this post

Token Dispatch
Token Dispatch
What'll 2025 Bring for Crypto Stocks? 🕰️
Copy link
Facebook
Email
Notes
More
Can Bitcoin Reserve Be the Magic Pill? 🏛️
This week we look the possibility of the world's largest economy piling Bitcoin to solve its debt crisis.
Jan 18 • 
Token Dispatch
 and 
Prathik Desai
83

Share this post

Token Dispatch
Token Dispatch
Can Bitcoin Reserve Be the Magic Pill? 🏛️
Copy link
Facebook
Email
Notes
More

Ready for more?

© 2025 Drumworks Ventures FZ LLC
Privacy ∙ Terms ∙ Collection notice
Start writingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More

Create your profile

User's avatar

Only paid subscribers can comment on this post

Already a paid subscriber? Sign in

Check your email

For your security, we need to re-authenticate you.

Click the link we sent to , or click here to sign in.