\n<\/p>\n
Hackers compromised the code behind a crypto protocol used by multiple web3 applications and services, the software maker Ledger said on Thursday.<\/p>\n
Ledger, a company that makes a widely used and popular crypto hardware and software wallet, among other products, announced on X (previously Twitter) that someone had pushed out a \u201cmalicious version\u201d of its Ledger Connect Kit<\/a>, a library that decentralized apps (dApps) made by other companies and projects use to connect to the Ledger wallet service.<\/p>\n \u201cA genuine version is being pushed to replace the malicious file now. Do not interact with any dApps for the moment. We will keep you informed as the situation evolves,\u201d Ledger wrote.<\/p>\n Soon after, Ledger posted an update<\/a> saying that the hackers had replaced the genuine version of its software some six hours earlier, and that the company was investigating the incident and would \u201cprovide a comprehensive report as soon as it\u2019s ready.\u201d<\/p>\n Ledger spokesperson Phillip Costigan did not provide any comments beyond what the company posted on its official X account.<\/p>\n The company says it has sold six million units<\/a> of its hardware wallet, and Ledger Live, its software equivalent, is used by 1.5 million users. The Ledger hardware wallet is not believed to be affected by the hack.<\/p>\n Tal Be\u2019ery, the co-founder of crypto wallet ZenGo, told TechCrunch that the hackers essentially pushed out a malicious version of the software that was designed to trick users into connecting their wallets and assets to the malicious version of the software.<\/p>\n \t\tDo you have more information about this hack? We\u2019d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or email lorenzo@techcrunch.com. You also can contact TechCrunch via SecureDrop.\t<\/p>\n That would allow the hackers to drain the crypto inside users\u2019 wallets \u2014 so long as the users accepted the push to connect their wallets to the malicious Ledger version.<\/p>\n It\u2019s not immediately clear how many people fell victim to the hack. ZachXBT, a well-known independent crypto researcher, wrote on X that one victim<\/a> had more than $600,000 in crypto drained from their account.<\/p>\n Several blockchain security researchers, as well as people who work in the web3 industry, warned users on social media of the supply chain hack against Ledger.<\/p>\n Matthew Lilley, the chief technology officer of cryptocurrency trading platform Sushi, was one of the first ones to detect the attack and share the news.<\/p>\n \u201cI would recommend never interacting with a [decentralized app] ever again and honestly just move on with your life,\u201d said Joseph Delong, the CTO of NFT lending platform AstariaXYZ, joked on X<\/a>, referring to the fact that Ledger uses the notoriously insecure programming language Java.<\/p>\n<\/p><\/div>\nContact Us<\/h4>\n