Ledger suffered a security incident on December 14, 2023, affecting $600k in assets. It has now published an incident report detailing how the event played out. The incident began when one of Ledger's employees fell victim to a phishing attack that gave the attacker access to the company's NPMJS account, which was then used to publish a malicious version of Ledger Connect Kit.
The incident has been resolved, and Ledger has expressed its commitment to helping affected users. Customers will be assisted by the end of February 2024. A precautionary measure has also been announced: Ledger says it is in talks with dApp developers to stop allowing Blind Signing, and they have been asked to transition to Clear Signing, so that customers can verify the transaction they are consenting to before they sign it.
By June 2024, Blind Signing will no longer be available, and Clear Signing will be used across the dApp ecosystem. Users have been asked to be careful in their engagement with dApps and not to click on anything that looks suspicious. Customers who were affected by the incident can get in touch with the Ledger team to seek the necessary corrections. Ledger devices and Ledger Live were not exposed to the exploit and remain safe to use, per the announcement.
The community has welcomed the measure. Most members have stated that the adoption of Clear Signing is a significant security improvement and are hoping that no compatibility issues will arise with the update. The genuine version of the Ledger Connect Kit is currently live; it replaces the earlier versions 1.1.5, 1.1.6, and 1.1.7.
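For teams that integrate the kit, the practical follow-up is to check whether any of the three superseded versions are still present in a project's lockfile and whether the dependency is declared with a floating range that would pull such a release in automatically. The script below is an added example written for this article, not code from Ledger or from the Connect Kit project. It assumes the package's npm name is `@ledgerhq/connect-kit` (the page does not name it) and uses constructed sample lockfiles embedded inline; it handles both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3.

```python
import json
import re
from typing import Dict, List, Tuple

# Versions the page names as superseded by the genuine release.
# The npm package name is an assumption; the article only says "Ledger Connect Kit".
COMPROMISED: Dict[str, set] = {
    "@ledgerhq/connect-kit": {"1.1.5", "1.1.6", "1.1.7"},
}

Hit = Tuple[str, str, str]  # (package name, version, install path)


def _walk_v1(deps: Dict, path: str, hits: List[Hit]) -> None:
    # lockfileVersion 1 stores transitive dependencies as a nested tree.
    for name, meta in deps.items():
        here = f"{path}/{name}" if path else name
        if meta.get("version", "") in COMPROMISED.get(name, set()):
            hits.append((name, meta["version"], here))
        _walk_v1(meta.get("dependencies", {}), here, hits)


def find_compromised(lockfile_text: str) -> List[Hit]:
    """Return every occurrence of a listed package/version pair in an npm lockfile."""
    lock = json.loads(lockfile_text)
    hits: List[Hit] = []
    # lockfileVersion 2/3: flat map keyed by install path, e.g. "node_modules/a/node_modules/b".
    for pkg_path, meta in lock.get("packages", {}).items():
        if not pkg_path:
            continue  # "" is the root project itself, not a dependency
        name = meta.get("name") or pkg_path.split("node_modules/")[-1]
        if meta.get("version", "") in COMPROMISED.get(name, set()):
            hits.append((name, meta["version"], pkg_path))
    # v2 lockfiles carry both maps; only walk the v1 tree when "packages" is absent.
    if "packages" not in lock:
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(set(hits))


def unpinned_specs(package_json_text: str) -> List[Tuple[str, str]]:
    """Flag listed packages declared with anything other than an exact x.y.z version."""
    pkg = json.loads(package_json_text)
    out = []
    for section in ("dependencies", "devDependencies"):
        for name, spec in pkg.get(section, {}).items():
            if name in COMPROMISED and not re.fullmatch(r"\d+\.\d+\.\d+", spec):
                out.append((name, spec))
    return out


# Constructed sample inputs (not real project files).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "example-dapp", "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "version": "0.1.0"},
        "node_modules/@ledgerhq/connect-kit": {"version": "1.1.6"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/wallet-ui/node_modules/@ledgerhq/connect-kit": {"version": "1.1.4"},
    },
})
SAMPLE_LOCK_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "wallet-ui": {"version": "2.0.0",
                      "dependencies": {"@ledgerhq/connect-kit": {"version": "1.1.7"}}},
    },
})
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"@ledgerhq/connect-kit": "^1.1.4", "left-pad": "1.3.0"},
})

if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for name, version, where in find_compromised(text):
            print(f"[{label}] {name}@{version} installed at {where}")
    for name, spec in unpinned_specs(SAMPLE_PACKAGE_JSON):
        print(f"unpinned: {name} declared as {spec!r}; pin an exact version instead")
```

The lockfile check catches copies of the package that arrive transitively through another dependency, which is where a compromised release most often hides; the `package.json` check shows why a caret or tilde range on a wallet-facing library is risky, since `^1.1.4` would have accepted a newly published 1.1.5 on the next install without any change to the project's own files.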
Pascal Gauthier, Chairman and Chief Executive Officer of Ledger, was quick to address the concern on December 14, 2023, with a letter assuring users that the company was working with the relevant agencies to investigate the matter and catch the criminal.
The incident report does not clarify whether a single attacker was behind the incident or whether several attackers were acting last week to drain assets. It does, however, identify the malware used as Angel Drainer, which tricks users into signing different types of transactions depending on the asset being targeted.
Moving forward, Ledger has said that it will organize a specific third-party audit on code promotion, access control, and distribution. This will be on top of security training sessions, internal security programs, and generalizing code signing when it is relevant to do so.
The two most crucial reminders from Ledger for the community are never to divulge their 24-word Secret Recovery Phrase to anyone and to refuse to sign any transaction they cannot identify.
The dApps ecosystem is expected to comply by removing Blind Signing and implementing Clear Signing by June 2024. Access control on Ledger will be under review by the Ledger Security and Technology teams.