Recently, Ledger, a leading cryptocurrency security solutions company, faced a significant challenge. In a statement released Thursday, Ledger CEO Pascal Gauthier addressed a recent “supply chain attack” that affected Ledger ConnectKit.
Gauthier highlighted the company’s rigorous security protocols: “At Ledger, it is standard practice that no code is deployed without a thorough review by multiple parties. We implement strong access controls, internal reviews, and a multi-signature code system, especially for most of our development. This applies to 99% of our internal systems. When an employee leaves the company, their access to all Ledger systems is immediately revoked,” he explained.
However, on that Thursday morning, an alarming incident occurred when a former employee fell prey to a phishing attack. This incident provided a hacker with access to Ledger’s package manager. To date, the details of how the former employee maintained access to the system remain unclear, and Ledger has not yet responded to a request for clarification.
Gauthier continued: “This was an unfortunate isolated incident. It is a reminder that security is an ongoing process and that we are committed to constantly improving our security systems and processes. We are implementing more stringent security controls, connecting our build pipeline that spans from rigorous software supply chain security to the NPM distribution channel.”
The CEO also revealed that Ledger will step up security around dapps that enable browser-based subscriptions. After the incident, the official Ledger account on X promoted signing transactions with a transparent and clear signature. The company’s website explains: “With a transparent and clear signature, you receive a transformed version of the original data”, which makes it easier for users to understand what they are signing.
The incident was initially reported on Thursday morning. Decentralized exchange SushiSwap was one of the first to identify the issue, suspending its front-end web app and warning users to avoid interacting with unexpected “Connect Wallet” pop-ups. Revoke.cash, which also took its front-end offline, was impacted as well, as reported by cybersecurity firm Blockaid.
Ledger acted quickly upon discovery of the issue, deploying a genuine version of ConnectKit and collaborating with WalletConnect to eliminate the malicious code, all within less than 40 minutes of detection. The company indicated that the exploit was active for around 5 hours.