Was over 68.6 million yen stolen?
Ledger, a crypto asset (virtual currency) wallet company, announced on the 14th that some of its services had been fraudulently used.
This could potentially result in assets being stolen from a wide range of decentralized apps (dApps) that support Ledger wallets. Lookonchain, which analyzes blockchain data, reported that as of 11:44 p.m. on the 14th, more than $480,000 (68.6 million yen) worth of virtual currency had been stolen.
A message from our CEO @_pgauthier regarding the Ledger Connect Kit exploit: https://t.co/mqlTQOUwD5 https://t.co/Ee4ZhN8rYK
— Ledger (@Ledger) December 14, 2023
What are dApps?
Abbreviation for “Decentralized Applications”. A major feature is that there is no centralized administrator.
After Ledger became aware of the issue, it responded immediately and said it has already stopped the malicious files used by the attackers. The company said it is contacting affected users to help them recover their assets and is cooperating with law enforcement.
The company also said it is working with partner companies such as Chainalysis and Tether. It also explained that the attacker's address had already been tracked down and the stablecoin USDT frozen.
After the issue occurred, the company immediately issued a warning to people to be wary of phishing attacks and scams. It also warned people not to share their 24-word secret phrase with anyone.
The company also said there are no issues with Ledger devices or the Ledger Live app.
Examples of app responses
This time, the attack appears to have had a far-reaching impact, as a well-known wallet company called Ledger was attacked.
SushiSwap, a DEX (decentralized exchange), also issued a warning to users on the 14th regarding this issue, telling them not to connect if an unexpected wallet connection pop-up appears after opening the SushiSwap page.
SushiSwap later reported that it had removed the malicious Ledger connector and that the website is already back online.
On the other hand, the major DEX Uniswap has not introduced the Ledger connector, so it is not affected.
Uniswap Labs devs live and breathe user security
In september, we received a community PR to support ledger connect, and @jordanfrankfurt decided not to approve it because of the package distribution model https://t.co/51ktzF29M2
— hayden.eth (@haydenzadams) December 14, 2023
The wallet MetaMask also issued a warning to users on X. At 4:18 on the 15th, Ledger announced that the issue had been resolved. It also said, however, that it is recommended to wait 24 hours before using dApps that use Ledger's targeted features.
There are also voices saying that caution is still needed as there are differences in the compatibility of each app. It was also pointed out that it is better not to use the app until there is a clear update.
History of the problem
Ledger published CEO Pascal Gauthier’s explanation on the 15th after the issue occurred. Gauthier said the culprit was a library called Ledger Connect Kit, which implements buttons for users to connect the company’s devices with dApps.
The attackers first launched a phishing attack on a former Ledger employee and were able to upload a malicious file to the company. They then released versions of Ledger Connect Kit containing code that transfers assets to an attacker's wallet.
Ledger explained that the affected Ledger Connect Kit versions are “1.1.5,” “1.1.6,” and “1.1.7.” The malicious file was active for about five hours.
Currently, they have released version 1.1.8, which resolves the issue with Ledger Connect Kit.
The post Metamask and others warn that virtual currency may be illegally leaked from a wide range of Ledger-compatible dApps appeared first on Our Bitcoin News.