As you tumble down the Bitcoin rabbit hole, one of your first steps is to get your coins off exchanges and hold your keys. Many of us, lured by the promise of self-custody and the simplicity of a thumb drive, entrusted our Bitcoin riches to Ledger wallets.
These affordable devices, once the go-to for security and convenience, now sit in drawers, their contents a constant source of anxiety. While Ledger’s iconic brand, logo and devices still carry a familiar ring, the past few years have been a PR nightmare, with each controversy prompting a fresh wave of users to migrate their precious coins elsewhere.
The Ledger data leak was the final straw for many. Private information, including email addresses and purchase histories, lay bare on the dark web. While the company assures us that keys remain secure, the breach of trust in the brand was shattered with the launch of Ledger Recover.
Recently Ledger hit the headlines again with users unhappy with the amount of tracking found in the Ledger Live software that comes bundled with wallets, freaking a few users out, but that has gone quiet over the last few days. But just when you thought it was safe to plug in your Ledger and generate some receive addresses for your next round of deposits, another round of FUD starts circulating, causing people to panic.
The recent Legeder hack has sent shockwaves through the crypto space, leaving many Dapp users wondering if their funds are safe. While Ledger hardware wallets remain secure, a supply chain attack compromised software used by various DeFi protocols, draining user wallets.
But you don’t care about those people; you care about your Bitcoin. So, are the funds on your Ledger wallet at risk? Let’s look at what this hack involves, how it works and what your next steps could be.
What is Ledger Connect?
To give you some background, the hack centres around Ledger Connect; this DApp Connect Kit lets you connect your DApps to Ledger hardware wallets so you can sign live transactions as you would with a hot wallet.
- Ledger Extension: makes it easy to connect your Nano directly from your browser and includes an advanced mechanism to verify the security of the DApp. See Web3 Check.
- Ledger Live is a mobile and desktop application working as a hardware wallet synchronisation manager and allowing Ledger users to buy, swap, grow, and manage their digital assets from the security of their hardware wallet.
Ledger Connect offers a library that app developers and wallets can integrate into their code base to allow Ledger users to access their services. Unfortunately, this code library was compromised, meaning users who granted access to their wallets via Ledger Connect had also granted access to a hacker with a draining wallet.
What is a supply chain attack?
According to Ledger, the compromised code was not a bug or a mistake but rather an inside job known as a supply chain attack. It’s when a malicious entity inserts itself between you and the trusted source providing the functionality you’re using. Supply chain attacks need not be physical where the device firmware is compromised — they can also attack the actual delivery of code executed on your device.
The Ledger hack explained
The code had been in the Ledger Connects library for some time, but the news of the attack only broke on Thursday, 14 February 2023. When multiple Ethereum-based applications, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash were compromised.
Users who thought their funds were SAFU because the keys are held on a separate device in a secure element found out that despite being a better option than a hot wallet, it can still expose you if misused.
Anyone who used an app that loaded the Ledger Connect Kit would have had malicious code loaded into the app. Early reports indicate the malicious code creates a fake “Ledger” entry on the pop-up where you select your wallet. It may also make signature request pop-ups in a browser wallet to approve sending funds to the attacker’s account. To be clear, you can be at risk even if you aren’t using a Ledger device.
Ledger responded quickly by stating that users should revoke any access to their wallets and avoid using Ledger Connect until the new library is released. While funds were drained from several users’ wallets, some of them could be “recovered” from the hacker since they are issued assets. Tether, the largest stablecoin issuer, announced it froze the explorer’s address hours after the hack.
To summarise, this attack required several steps to execute, starting with an inside job.
- Phishing: A former Ledger employee fell victim to a phishing attack, granting hackers access to their NPMJS account where the malicious code was inserted.
- Supply Chain Attack: Hackers compromised the code behind a “Connect Kit” used by various DeFi platforms and wallets. This kit allows users to connect their wallets to dapps when users need to perform transactions, a request to sign with your keys can be pushed through.
- Dapp Integration: The compromised code triggered a “token drainer” when users connected their Ledger wallets via a pop-up within certain DeFi dapps.
- Impact: While the amount stolen is unclear, some reports estimate losses exceeding $150,000, while others claim the damages have reached well over $500,000.
What does this mean for you?
If you’ve only been using Ledger to store your Bitcoin and haven’t touched your wallet in a while, you’re pretty much in the clear, and it should be smooth sailing for you.
Affected users are only those who have installed Ledger wallet apps to manage altcoin chains and then used Ledger connect to tether their signing device to popular hot wallets like MetaMask or Phantom, but in truth, any wallet that supports Ledger connect would be compromised at the time, since they all use the same library.
While the hack seemed to have been contained to Ethereum users and apps, it could have also been applied to other altcoin chains. If you’re using your Ledger to connect to side chains like Rootstock via Metamask, you will also be at risk of having your wallet drained.
If you do take part in DEFI apps and you use Ledger connect, ensure that you take the following actions.
- Immediate Action: If you used your Ledger with any DeFi platform within the last few days, immediately revoke permissions for all connected dapps.
- Clear Sign: When signing transactions with your Ledger, always use the “Clear Sign” feature to verify the specific action you’re authorising.
- Increased Vigilance: Be cautious of pop-up prompts and double-check the legitimacy of dapps before connecting your wallet.
- Ledger Update: Ledger is actively patching the vulnerability and urges users to update their Ledger Live software to the latest version.
- Migrate your wallet: If you’re unsure how to action any of this but feel you might be at risk, your other option would be to generate a new set of keys and migrate your funds to this new wallet.
Is Ledger safe?
This hack is not only isolated to Ledger; it could happen to any EVM wallet on any EVM chain leveraging 3rd party libraries to connect to apps.
Ledger hardware wallets themselves haven’t been compromised; if you’ve generated a set of keys and stored it on your device but don’t interact with it much apart from creating new receive addresses or sending funds from Ledger Live or your preferred wallet, you’re in the clear. Their secure element technology isolates private keys, making them resistant to direct attacks.
While many users acquire Ledger wallets so that they can manage several altcoins from a signing device, if you’re a Bitcoiner who doesn’t engage in altcoin speculation, you should have nothing to worry about.
Supply chain vulnerability
This hack highlights the vulnerability of third-party software integrations. Users must be vigilant about which apps they connect their wallets to and avoid signing directly from their Ledger; rather, keep it as a separate environment.
While it might be costly to move funds from Ledger to your browser wallet, it can be much cheaper than seeing your entire wallet drained.
Chase yield gets you killed on the battlefield
The Ledger hack is a stark reminder that you could be at risk whenever you trust software and sign without checking what you’re doing. While Ledger hardware wallets remain secure, vigilance and informed user behaviour are essential for protecting your assets.
A single-signature hot wallet might be better than leaving your funds in an exchange, but it doesn’t mean that it is safe to speculate on DEXs and apps. As long as your keys are hot, you are always at risk.
If every time you sign in to a new dapp and grant permission with your wallet, things go smoothly, you won’t notice the one time when things don’t, and you might sign over rights to your funds. If you want to play around with apps to try and chase yield, know that you could be putting even the funds you’re not using at risk.
Is it time to use Ledger disconnect?
If this was enough to put you off Ledger, consider your current keys compromised and move to a new device where you’ve set up a wallet. It may cost you an extra to purchase a new device and pay for those mining fees, but it could be the cheaper option for you in the long run.
Remember, Where there is smoke, there is fire.
Do your own research.
If you want to learn more about the Ledger hack, use this article as a jumping-off point and don’t trust what we say as the final say. Take the time to research, check out their official resources below or review other articles and videos tackling the topics.