A Night of Terror: Analysis of the Ledger Connect Kit Security Incident


On December 14, 2023, according to the Beosin EagleEye security perception platform, a large number of decentralized applications had their users' assets stolen because malicious code had been implanted in the library used to connect Ledger hardware wallets. The hackers profited over $600,000. The Beosin security team immediately analyzed the incident; the results are as follows.

Connect-kit Introduction

Connect-kit is a JavaScript library from Ledger that allows users to connect their Ledger devices to third-party DApps. Library link address: https://www.npmjs.com/package/@ledgerhq/connect-kit

[Vulnerability Analysis]

The reason for this incident is that a former Ledger employee fell victim to a phishing attack, and Ledger did not revoke the employee’s code access permission. As a result, the attacker gained access to the employee’s NPMJS account. Subsequently, the attacker released malicious versions of Ledger Connect Kit (affected versions are 1.1.5, 1.1.6, and 1.1.7).

[Attack Process]

Four months ago, the attacker had already released the malicious version 1.1.5 of Ledger Connect Kit. Two months ago, they released the malicious versions 1.1.6 and 1.1.7 through a CDN, using the malicious code to transfer users’ funds to specified hacker wallet addresses.

[Follow the Money]

Currently, the hacker’s fund address (0x658729879fca881d9526480b82ae00efc54b5c2d) has been flagged as Ledger Exploiter by EagleEye. Users can monitor it in real time on the EagleEye website:
Link: https://eagleeye.space/address/0x658729879fca881d9526480b82ae00efc54b5c2d

This attack involves multiple public blockchains. The hacker transferred assets from numerous users on Ethereum, BNB Chain, Arbitrum, Base, Fantom, and other networks, earning over $600,000.

According to Beosin’s trace query, as of the time of publication, some of the stolen funds on Ethereum have been sent to the Fake_Phishing268838 phishing address:
0x1b9f9964a073401a8bc24f64491516970bb84e47
The rest is still held in the attacker’s address (due to the large number of token types, the following image only displays partial information).

[KYT Anti-Money Laundering Analysis Platform]

All stolen funds on the BSC chain are currently held in the attacker’s addresses:

This incident involved a large number of users having assets stolen on various public blockchains. Here, we only show the situation on Ethereum and BSC.
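The two addresses named above (the EagleEye-flagged exploiter address and the Fake_Phishing268838 address) are the kind of indicators a DApp front end, wallet, or exchange compliance team would put on a watchlist. The following screening routine is an added example, not Beosin or EagleEye tooling: it normalizes hex addresses so EIP-55 mixed-case forms match, checks both counterparties of each transaction record against the watchlist, and rolls the hits up per label. The transaction records, hashes, and victim addresses are constructed placeholders.

```python
"""Watchlist screening of transaction records against the addresses flagged in
this incident. Added illustration, not Beosin/EagleEye code; records are constructed."""
from dataclasses import dataclass

# Addresses named in the write-up, with the labels the write-up gives them.
WATCHLIST = {
    "0x658729879fca881d9526480b82ae00efc54b5c2d": "Ledger Exploiter",
    "0x1b9f9964a073401a8bc24f64491516970bb84e47": "Fake_Phishing268838",
}


def normalize(addr: str) -> str:
    """Lower-case a 20-byte hex address so EIP-55 mixed-case forms compare equal."""
    a = addr.strip().lower()
    if not (a.startswith("0x") and len(a) == 42
            and all(c in "0123456789abcdef" for c in a[2:])):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a


@dataclass
class Hit:
    chain: str
    tx_hash: str
    direction: str   # "from" or "to": which side of the transfer matched
    address: str
    label: str


def screen(records, watchlist=WATCHLIST):
    """Return one Hit per watchlisted counterparty found in each record."""
    wl = {normalize(k): v for k, v in watchlist.items()}
    hits = []
    for r in records:
        for direction in ("from", "to"):
            a = normalize(r[direction])
            if a in wl:
                hits.append(Hit(r["chain"], r["tx_hash"], direction, a, wl[a]))
    return hits


def summarize(hits):
    """Count hits per label, the roll-up a monitoring dashboard would show."""
    counts = {}
    for h in hits:
        counts[h.label] = counts.get(h.label, 0) + 1
    return counts


# Constructed sample records: tx hashes and the 0x1111.../0x2222... addresses are
# placeholders, not real on-chain data.
SAMPLE = [
    {"chain": "ethereum", "tx_hash": "0xaaa1",
     "from": "0x1111111111111111111111111111111111111111",
     "to": "0x658729879FCA881D9526480B82AE00EFC54B5C2D"},   # mixed-case exploiter address
    {"chain": "ethereum", "tx_hash": "0xaaa2",
     "from": "0x658729879fca881d9526480b82ae00efc54b5c2d",
     "to": "0x1b9f9964a073401a8bc24f64491516970bb84e47"},   # exploiter -> phishing address
    {"chain": "bsc", "tx_hash": "0xbbb1",
     "from": "0x2222222222222222222222222222222222222222",
     "to": "0x658729879fca881d9526480b82ae00efc54b5c2d"},
    {"chain": "arbitrum", "tx_hash": "0xccc1",
     "from": "0x3333333333333333333333333333333333333333",
     "to": "0x4444444444444444444444444444444444444444"},   # benign, no match
]

if __name__ == "__main__":
    for h in screen(SAMPLE):
        print(f"{h.chain} {h.tx_hash}: {h.direction} {h.address} [{h.label}]")
    print(summarize(screen(SAMPLE)))
```

On the constructed records the routine reports four hits: three transfers touching the exploiter address (one of them an outbound transfer to the phishing address, which is counted a second time under its own label). In a live deployment the watchlist would be refreshed from a feed such as the EagleEye page linked above rather than hard-coded.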

[Security Recommendations]

This incident once again highlights the importance of supply chain security. In Web3 security, supply chain security is often overlooked by developers and security teams. However, hackers can implant malicious code in various aspects of the software supply chain, stealing user information and digital assets, and conducting large-scale attacks.

Beosin’s suggestions for preventing such security incidents are as follows:

1. When choosing and using third-party software or components, it is necessary to conduct security reviews and verification. Understand the third party’s security standards and practices to ensure that the software has not been tampered with or implanted with malicious code.

2. Adopt secure development practices, such as using secure coding standards, code reviews, vulnerability scanning, and security testing, to ensure that the software is always in a secure state during the development process.

3. Apply security updates and patches released by software vendors in a timely manner to fix known vulnerabilities and defects. Keep the software up to date to reduce the risk of being attacked.

4. Adopt a multi-layered security defense strategy, including network security, endpoint security, and data security, etc. Use intrusion detection systems, endpoint security software, and data encryption measures to enhance the security of the entire software supply chain.

5. Establish monitoring and response mechanisms to detect abnormal activities and potential supply chain attacks in a timely manner, and take appropriate response measures, such as isolating infected code repositories, fixing vulnerabilities, and restoring data.

6. Provide employee training and awareness enhancement to enable them to recognize social engineering attacks and supply chain attacks, and take appropriate preventive measures, such as being vigilant against phishing emails, not downloading attachments indiscriminately. The permissions of the development team’s employees need to be updated in a timely manner, and the handover of code permissions should be transparent and clear.
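Recommendations 1 and 5 above (verify that third-party components have not been tampered with, and detect a supply-chain compromise quickly) can be made concrete for the npm ecosystem this incident lives in. The script below is an added example, not Ledger or Beosin tooling: it reads an npm package-lock.json, flags any installed @ledgerhq/connect-kit at one of the affected versions named in this write-up (1.1.5, 1.1.6, 1.1.7), and separately lists packages whose lock entry carries no integrity hash, since without one npm cannot detect a swapped tarball on install. It handles both the lockfileVersion 2/3 layout (a flat packages map keyed by path) and the lockfileVersion 1 nested dependencies tree. The two lockfiles embedded at the bottom are constructed; their integrity values and the example-dep package are placeholders.

```python
"""Audit an npm package-lock.json for the Ledger Connect Kit versions named in
this incident and for entries that lack an integrity hash.
Added example, not Ledger or Beosin code; the lockfiles below are constructed."""
import json

# Affected versions as stated in the write-up.
AFFECTED = {"@ledgerhq/connect-kit": {"1.1.5", "1.1.6", "1.1.7"}}


def _lock_entries(lock: dict):
    """Yield (name, version, integrity) for every installed package.

    lockfileVersion 2/3: "packages" maps install paths to metadata; the key ""
    is the root project and is skipped. lockfileVersion 1: "dependencies" is a
    nested tree, walked recursively."""
    pkgs = lock.get("packages")
    if pkgs:
        for path, meta in pkgs.items():
            if not path:
                continue
            # Scoped names keep their "@scope/" prefix after the last node_modules/.
            name = meta.get("name") or path.split("node_modules/")[-1]
            yield name, meta.get("version"), meta.get("integrity")
        return

    def walk(deps):
        for name, meta in (deps or {}).items():
            yield name, meta.get("version"), meta.get("integrity")
            yield from walk(meta.get("dependencies"))

    yield from walk(lock.get("dependencies"))


def audit_lockfile(lock_text: str, affected=AFFECTED):
    """Return {'compromised': [(name, version), ...], 'no_integrity': ['name@ver', ...]}."""
    lock = json.loads(lock_text)
    compromised, no_integrity = [], []
    for name, version, integrity in _lock_entries(lock):
        if name in affected and version in affected[name]:
            compromised.append((name, version))
        if not integrity:
            no_integrity.append(f"{name}@{version}")
    return {"compromised": compromised, "no_integrity": no_integrity}


# Constructed lockfile, v3 layout. Integrity strings are placeholders, not real hashes.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-dapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "version": "1.0.0"},
        "node_modules/@ledgerhq/connect-kit": {
            "version": "1.1.6", "integrity": "sha512-PLACEHOLDER-connect-kit"},
        "node_modules/example-dep": {"version": "0.1.0"},     # no integrity field
    },
})

# Constructed lockfile, v1 layout, with the kit nested under another dependency.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "example-dapp", "lockfileVersion": 1,
    "dependencies": {
        "example-dep": {
            "version": "0.1.0", "integrity": "sha512-PLACEHOLDER-example-dep",
            "dependencies": {
                "@ledgerhq/connect-kit": {"version": "1.1.4",
                                          "integrity": "sha512-PLACEHOLDER-kit-old"},
            },
        },
    },
})

if __name__ == "__main__":
    print("v3:", audit_lockfile(SAMPLE_LOCK_V3))
    print("v1:", audit_lockfile(SAMPLE_LOCK_V1))
```

One caveat that follows directly from the attack process described above: the write-up says versions 1.1.6 and 1.1.7 were delivered through a CDN, so a lockfile audit covers only what is installed from the registry. Any script a page loads at runtime from a CDN has to be pinned to an exact version and protected separately, for example with Subresource Integrity hashes on the script tag, or the lockfile check will pass while the browser still fetches whatever the CDN currently serves.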

Beosin, as a leading global blockchain security company, has established branches in more than 10 countries and regions worldwide. Its business covers code security audits before project launch, security risk monitoring, early warning and interception during project operation, recovery of stolen cryptocurrency assets, secure compliance KYT/AML, and other “one-stop” blockchain security products + services. The company is committed to the secure development of the Web3 ecosystem and has provided blockchain security technology services to more than 3,000 enterprises worldwide, including HashKey Group, Amber Group, BNB Chain, etc. It has audited over 3,000 smart contracts and public chain mainnets, including PancakeSwap, Ronin Network, OKCSwap, etc.
