Watch that Ledger 📒
How a malicious code inserted by a compromised employee led to half a million being stolen from DeFi users. The latest Ledger wallet exploit raises questions on security and the impact on DeFi trust.
Hello, y'all. Get your Sunday game on frens 👇
Guess-the-song for the artist you pick.
Leaderboard to share your scores.
Bragging rights to take home.
A complete go. Check out 👉 Asset - Music Nerd.
This is The Token Dispatch 🙌 you can hit us on telegram 🤟
Massive data dump.
Hardware wallet company in turmoil.
Let's dive into the latest Ledger Wallet mishap.
Ledger, a leading manufacturer of hardware wallets for cryptocurrencies, faced a significant security breach in December 2023.
The attack, classified as a supply chain compromise, exploited a vulnerability in the "Ledger Connect Kit," a library used by decentralised applications (dApps) to interact with Ledger wallets.
It all began when a former Ledger employee unwittingly fell for a phishing scam.
His name and email address ended up entangled in the compromised code.
Initially, folks in the crypto community pointed fingers at the developer, suspecting him as the culprit.
However, Ledger later clarified that the attack's genesis lay in the ex-employee's phishing mishap.
Compromised Library: A malicious actor gained access to the NPMJS account of a former Ledger employee and injected malicious code into the Ledger Connect Kit.
DApp Targeting: The compromised library triggered a pop-up prompting users to connect their Ledger wallets when interacting with certain dApps.
Platforms Affected: MetaMask, Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash are among the protocols that have been impacted.
Token Draining: Once connected, the malicious code siphoned crypto assets and NFTs from unsuspecting users' wallets.
Impact and Response
Financial Losses: While the exact amount stolen remains unclear, estimates range from $484,000 to $600,000.
User Data: Ledger assures no personal information like passwords or private keys were exposed. However, some user email addresses and phone numbers might have been compromised in a separate 2020 data leak.
Ledger's Response: The company promptly acknowledged the attack, disabled the compromised library, and advised users to avoid dApps and update their firmware and apps to the latest versions.
New Sheriff in Town: Meet Matt Johnson
First up, we've got Matt Johnson, Ledger's new Chief Information Security Officer (CISO).
His mission? Sorting out the chaos after a massive data breach exposed customer info. Matt didn't have a quiet first week at work, that's for sure.
Data Security Reinvented
Now, Ledger's rolling out a new data security plan.
Ledger has now rolled out a new Connect Kit version (1.1.8), with automatic updates for all using it.
However, caution remains the watchword.
They promise never to ask for your 24 recovery words (phew!). Plus, they're cutting down on holding your personal data, minimising its display in emails, and creating secure channels for customer communication.
But Ledger isn't playing the victim here.
They're teaming up with Chainalysis to hunt down the culprits and offering a whopping 10 BTC bounty for info leading to the hackers' capture.
Ledger has unveiled that rogue actors at its e-commerce partner, Shopify, played a role in the data breach.
These individuals exposed a treasure trove of customer records, including emails, names, postal addresses, and phone numbers.
In December 2020, Ledger, the hardware wallet company, was informed by e-commerce giant Shopify of an incident.
The incident involved rogue member(s) of Shopify's support team.
These agents had illegally exported customer transactional records.
The breach occurred in April and June 2020.
Astonishingly, Ledger was not initially aware of its involvement in this data breach.
Shopify disclosed the data breach in September 2020, affecting over 200 merchants.
The revelation that Ledger was also targeted emerged only on December 23, 2020.
Shopify informed Ledger that it was cooperating with law enforcement in investigating the matter.
Ledger enlisted the help of forensic firm Orange Cyberdefense.
Their investigation uncovered that while the stolen database contained records of 20,000 new customers.
The attack may have affected the entire Ethereum Virtual Machine (EVM) ecosystem.
Ethereum Name Service developer Nick Johnson, citing past Ledger breaches, expressed doubts about recommending Ledger's hardware or libraries.
He noted Ledger's consistent disregard for operational security, suggesting they no longer deserve the benefit of the doubt regarding improvement.
Ledger has unfortunately faced several security incidents over the years.
July 2020: Ledger experiences a data breach.
Unauthorised access is gained to e-commerce and marketing databases.
Approximately 9,500 customers are affected.
December 2020: Shopify Data Breach Incident
2021, June 28th: Ledger acknowledged a phishing campaign targeting their customers, attempting to steal private keys and seed phrases.
TTD Week That Was 📆
Saturday: VC eyes on Crypto 2024 👀
Friday: BONK Fest 🎉
Thursday: Happy 2024? 🥳
Wednesday: Bitcoin's 'whodunnit' 👀
Tuesday: Game On 🎮
Monday: HODL tight fellas 🤌🏻
TTD Week in Funding 💰
Dynamic Labs. $13.5 million. Non-custodial wallet tools for developers the ability to incorporate FaceID and TouchID into web3 wallet design.
Andalusia Labs. $48 million. Technology solutions addressing the blockchain security. Risk management infrastructure for digital assets.
Lolli. $8 million. Rewards app that allows users to earn bitcoin and cash back rewards when shopping at over 25,000 stores.
If you like us, if you don't like us .. either ways do tell us✌️
So long. OKAY? ✋
The Token Dispatch is a daily newsletter that takes you on a 4-5 minute drive through the wild west of the Crypto World. Daily in your email inbox @13:00 GMT. Almost always.