Supply Chain Attack on Ledger Connect Kit: Analyzing the Impact and Preventive Measures

SlowMist
8 min readDec 15, 2023

Background

On the evening of December 14, 2023, in GMT+8, the Ledger Connect Kit suffered a supply chain attack, with attackers stealing at least $600,000. Our team promptly initiated a comprehensive investigation and share the following detailed analysis:

https://twitter.com/SlowMist_Team/status/1735299228866613465

Timeline

At 7:43 PM, Twitter user @g4sarah reported that the front-end of the DeFi asset management protocol Zapper appears to have been hijacked.

https://twitter.com/g4sarah/status/1735264310366990672

At 8:30 PM, Sushi’s Chief Technical Officer Matthew Lilley issued a warning on Twitter: “Users are advised not to interact with any dApp until further notice. A commonly used Web3 connector (a certain JavaScript library, part of the web3-react project) is suspected to have been compromised, allowing the injection of malicious code affecting numerous dApps.” Subsequently, he indicated that Ledger might contain suspicious code. The SlowMist security team also immediately followed up and started the investigation.

https://twitter.com/MatthewLilley/status/1735275960662921638

At 8:56 PM, Revoke.cash posted on Twitter stating: “Several popular crypto applications integrated with the Ledger Connect Kit library, including Revoke.cash, have been compromised. We have temporarily shut down our website. We recommend not using any crypto websites during the exploitation of this vulnerability.” Following this, the cross-chain DEX project Kyber Network also stated that, as a precaution, it had disabled its front-end UI until the situation was clarified.

https://twitter.com/RevokeCash/status/1735282669808717958

At 9:31 PM, Ledger also issued a reminder: “We have identified and removed a malicious version of the Ledger Connect Kit. A genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves. Your Ledger device and Ledger Live were not compromised.”

https://twitter.com/Ledger/status/1735291427100455293

At 9:32 PM, MetaMask also issued a reminder: Users should ensure that the Blockaid feature is enabled in the MetaMask extension before executing any transactions on the MetaMask Portfolio.

https://twitter.com/MetaMask/status/1735291650614653364

Impact of the Attack

The SlowMist security team immediately initiated an analysis of the relevant code. We discovered that the attackers implanted malicious JavaScript code in versions @ledgerhq/connect-kit=1.1.5/1.1.6/1.1.7. They directly replaced the normal window logic with a Drainer class, triggering not only a fake DrainerPopup popup but also handling the transfer logic for various assets. Attackers launched phishing attacks against cryptocurrency users through CDN.

Affected Version Range:

@ledgerhq/connect-kit 1.1.5: The attacker mentioned ‘Inferno’ in the code, which is speculated to refer to the phishing gang Inferno Drainer, known for multi-chain scams.

@ledgerhq/connect-kit 1.1.6: The attacker left a message in the code and implanted malicious JS code.

@ledgerhq/connect-kit 1.1.7: The attacker left a message in the code and implanted malicious JS code.

Ledger states that the Ledger wallet itself is not affected; rather, the impact is on applications that have integrated the Ledger Connect Kit library.

However, since many applications use the Ledger Connect Kit, such as SushiSwap, Zapper, MetalSwap, Harvest Finance, Revoke.cash, etc., the scope of the impact is significant.

In this attack, the attackers can execute arbitrary code with the same level of permissions as the application. For example, attackers can immediately drain users’ funds without interaction; distribute numerous phishing links to deceive users, or exploit users’ panic by convincing them to transfer assets to a new address, resulting in asset loss due to downloading a fake wallet.

https://twitter.com/Bitrace_team/status/1735310480787550392

Analysis of Attack Techniques

Above, we analyzed the impact of the attack. Based on historical incident response experience, it is speculated that this may be a premeditated social engineering phishing attack.

Based on a tweet by @0xSentry, it’s speculated that the digital footprint left by the attackers involves the Gmail account of @JunichiSugiura (Jun, a former Ledger employee). This account might have been compromised, and Ledger may have forgotten to revoke this employee’s access rights.

At 11:09 PM, it was officially confirmed that a former Ledger employee became a victim of a phishing attack:

1) Attackers gained access to the employee’s NPMJS account.

2) They released malicious versions of the Ledger Connect Kit (1.1.5, 1.1.6, and 1.1.7).

3) Through the malicious code, using a malicious WalletConnect, funds were redirected to the hacker’s wallet address.

Ledger has now released a verified and genuine version of the Ledger Connect Kit, version 1.1.8, and advises timely upgrades.

Although the poisoned versions of Ledger npmjs have been deleted, there are still compromised JavaScript files on jsDelivr:

- https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.7

- https://cdn.jsdelivr.net/npm/@ledgerhq/connect-kit@1.1.6

Due to potential delays in CDN updates, it is recommended by the official sources to wait for 24 hours before using Ledger Connect Kit.

The recommendation for project maintainers is to lock down specific versions when publishing dependencies through third-party CDN mirror sources to prevent potential harm from malicious releases and subsequent updates. (Suggested by @galenyuan)

The official team has acknowledged these suggestions, and it is expected that they will revise their strategy in the upcoming changes.

Final Timeline of Ledger

https://twitter.com/Ledger/status/1735326240658100414

MistTrack Analysis

Drainer customer: 0x658729879fca881d9526480b82ae00efc54b5c2d
Drainer fee address: 0x412f10AAd96fD78da6736387e2C84931Ac20313f

According to MistTrack analysis, the attacker (0x658) stole at least $600,000 and is linked to the phishing gang Angel Drainer.

Angel Drainer’s primary method of attack involves social engineering attacks on domain service providers and their staff. More can be read here: Cracking the Code: Unveiling the Deceptive ‘Angel Drainer’ Phishing Gang

Angel Drainer (0x412) currently holds assets worth nearly $363,000.

According to SlowMist’s threat intelligence network, the following discoveries were made:

  1. IP address 168.*.*.46,185.*.*.167
  2. The attacker has converted some of the ETH into XMR (Monero).

At 11:09 PM, Tether froze the addresses of the Ledger vulnerability exploiters. Additionally, MistTrack has blacklisted the related addresses and will continue to monitor any unusual fund movements.

Summary

The analysis in this article once again emphasizes that DeFi security is not just about contract security.

On one hand, this incident highlights the severe consequences that can result from supply chain security vulnerabilities. Malicious software and code can be implanted at various stages in the software supply chain, including development tools, third-party libraries, cloud services, and during the update process. Once these malicious elements are successfully injected, attackers can use them to steal digital assets and sensitive user information, disrupt system functionality, extort businesses, or spread malware on a large scale. It is recommended to read SlowMist’s “Web3 Industry Supply Chain Security Guide” which provides safety advice for projects in the Web3 industry, promoting a healthy, secure, and stable development of the industry.

On the other hand, attackers can obtain sensitive information such as personal identity information, account credentials, and passwords through social engineering attacks. They may also use deceptive emails, text messages, or phone calls to lure users into clicking on malicious links or downloading malicious files. Users are advised to use strong passwords that combine letters, numbers, and symbols, and to change their passwords regularly to minimize the chances of attackers guessing or obtaining passwords through social engineering tactics. Implementing multi-factor authentication also enhances account security by adding extra layers of verification (such as SMS codes, fingerprint recognition, etc.), thus increasing resilience against these types of attacks.

The SlowMist security team released the “Web3 Project Security Practice Requirements” and the “Web3 Industry Supply Chain Security Guide,” both aimed at guiding and reminding Web3 project teams of the importance of comprehensive security measures. The MistEye security monitoring system deployed by the SlowMist Security Team covers contract monitoring, front-end and back-end monitoring, vulnerability discovery and early warning, focusing on the complete security process of DeFi projects before, during, and after incidents. Project teams are welcome to use the MistEye security monitoring system to manage risks and enhance project security.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.