Malicious Attack on Ledger’s Connect Kit Exposes Users to Fund Draining Scam

On December 14, a security breach impacted the front end of various decentralized applications (DApps), including prominent platforms like Zapper, SushiSwap, Phantom, Balancer, and, all of which utilize Ledger’s connector. Following the discovery of the breach, Ledger promptly took action to replace the compromised file with the authentic version, as reported approximately three hours later at 1:35 pm UTC.

In response to the incident, Ledger is urging users to exercise caution and emphasizes the importance of “Clear Sign” for transactions. The company underscores that the legitimacy of addresses and information is verified through the Ledger screen, urging users to halt any transaction if disparities arise between the information displayed on the Ledger device and the computer or phone screen. Heightened vigilance is advised to ensure the security of users’ transactions and assets in the wake of this event.

About the Attack

– Ledger, a crypto hardware wallet maker, released a new version of its “@ledgerhq/connect-kit” npm module.

– Malicious code, pushed by unidentified threat actors, led to the theft of over $600,000 in virtual assets.

– The compromise resulted from a former employee falling victim to a phishing attack, granting access to Ledger’s npm account.

– Attackers uploaded three malicious versions of the module (1.1.5, 1.1.6, and 1.1.7), causing a software supply chain breach.

– The rogue code used a fake WalletConnect project to redirect funds to a hacker-controlled wallet.

– Connect Kit enables the connection of decentralized applications (DApps) to Ledger’s hardware wallets.

– Version 1.1.7 contained a wallet-draining payload for unauthorized transactions, transferring assets to an actor-controlled wallet.

– Versions 1.1.5 and 1.1.6 downloaded a secondary npm package (2e6d5f64604be31) acting as a crypto drainer.

– As of now, the compromised module is still available for download. 

Way to handle this scams : Top 7 Ways To Recover Funds From Crypto Currency Scam

Acknowledgement by Ledger

Ledger has acknowledged the vulnerability in its code and taken swift action to address the issue. The company confirmed the removal of a malicious version of the Ledger Connect Kit and assured users that a genuine version is currently being deployed to replace the compromised file. This proactive response is aimed at restoring the security and integrity of the Ledger Connect Kit, underscoring the commitment to safeguarding user assets and information.


The recent security breach involving Ledger’s Connect Kit underscores the persistent threats faced by users in the cryptocurrency space. The discovered malware’s deceptive tactics highlight the evolving strategies of cybercriminals who exploit open-source ecosystems for financial gain. Ledger’s swift response in removing the malicious versions and releasing updates is commendable, emphasizing the importance of vigilant cybersecurity practices. Users are reminded to exercise caution, adhere to recommended security measures, and stay informed about potential vulnerabilities to safeguard their digital assets in an ever-evolving threat landscape. This incident serves as a critical reminder for both developers and users alike to prioritize security and adopt proactive measures in the dynamic realm of decentralized applications.

Categorized in: