
SlowMist: Analysis of the Ledger Connect Kit Security Breach

WikiBit 2023-12-15 18:05

According to intelligence from the SlowMist security team, on the evening of December 14, 2023, Beijing time, Ledger Connect Kit fell victim to a supply chain attack, with attackers making a profit of at least $600,000.

The SlowMist security team promptly intervened to analyze the incident and issued a warning.

The incident has now been officially resolved, and the SlowMist security team is sharing the incident information as follows:

Timeline:

At 7:43 PM, Twitter user @g4sarah reported a potential front-end hijacking of the DeFi asset management protocol Zapper.

At 8:30 PM, Sushi's Chief Technology Officer, Matthew Lilley, issued a warning on Twitter: “Please do not interact with any dApps until further notice. A common Web3 connector (a JavaScript library that is part of the web3-react project) appears to have been compromised, allowing for the injection of malicious code affecting numerous dApps.” Subsequently, he mentioned that Ledger might have suspicious code. The SlowMist security team promptly stated that they were following up and analyzing the incident.

At 8:56 PM, Revoke.cash posted on Twitter, stating: “Several popular crypto apps that integrate with the Ledger Connect Kit library (including Revoke.cash) have been compromised. We have temporarily shut down the website. We advise not to use any crypto websites during this vulnerability exploitation period.” Subsequently, the cross-chain DEX project Kyber Network also mentioned that, as a precaution, they had disabled the frontend UI until the situation becomes clear.

At 9:31 PM, Ledger also issued a reminder: “We have identified and removed the malicious version of the Ledger Connect Kit. We are currently pushing the genuine version to replace the malicious files. Do not interact with any dApps temporarily. We will notify you of any updates. Your Ledger device and Ledger Live have not been compromised.”

At 9:32 PM, MetaMask also issued a warning: “Before executing any transactions on the MetaMask Portfolio, ensure that the Blockaid feature is enabled in the MetaMask extension.”
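The timeline above describes the core failure mode of this incident: a JavaScript connector library that many dApps loaded from a third party was replaced with a version carrying injected code, and Ledger's fix was to push the genuine files back out. The standard defence against a swapped script is to pin what you ship: a Subresource Integrity (SRI) hash on the script tag so the browser refuses a file whose bytes changed, and a lockfile integrity value so CI refuses a tarball that differs from the one reviewed. The following Python is an added example written for this page, not SlowMist's or Ledger's code; the bundle bytes, tarball bytes, package name `@example/connect-kit` and URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data: a "known-good" connector bundle that a dApp team
# reviewed and pinned, and the npm tarball it was published in. Neither is real
# Ledger code; both are placeholders for this example.
KNOWN_GOOD_BUNDLE = b"export function connect(){ /* reviewed build of the connector */ }"
KNOWN_GOOD_TARBALL = b"\x1f\x8b placeholder bytes standing in for the published .tgz"

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return the Subresource Integrity string ('sha384-<base64 digest>') for data."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"SRI only allows {SRI_ALGOS}, got {algo!r}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """True only if data hashes to the pinned integrity value under its own algorithm."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    try:
        expected = integrity.encode("ascii")
    except UnicodeEncodeError:
        return False
    # Constant-time compare so the check itself leaks nothing about the digest.
    return hmac.compare_digest(sri_hash(data, algo).encode("ascii"), expected)


def pinned_script_tag(src: str, data: bytes) -> str:
    """Emit a <script> tag the browser will refuse to run if the served file changes."""
    return (f'<script src="{src}" integrity="{sri_hash(data)}" '
            f'crossorigin="anonymous"></script>')


def lockfile_pin_matches(lockfile_text: str, package: str, tarball: bytes) -> bool:
    """Check that package-lock.json (lockfileVersion 2/3) pins `package` to this tarball.

    npm stores the tarball's sha512 SRI value in the entry's 'integrity' field,
    so a CI job can recompute it from the artifact it actually downloaded.
    """
    lock = json.loads(lockfile_text)
    entry = lock.get("packages", {}).get(f"node_modules/{package}")
    if not entry or "integrity" not in entry:
        return False
    return verify_sri(tarball, entry["integrity"])


# Constructed package-lock.json fragment pinning a hypothetical package name.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/@example/connect-kit": {
            "version": "1.0.0",
            "resolved": "https://registry.example.invalid/@example/connect-kit/-/connect-kit-1.0.0.tgz",
            "integrity": sri_hash(KNOWN_GOOD_TARBALL, "sha512"),
        }
    },
})


def audit_served_bundle(served: bytes, pinned_integrity: str) -> str:
    """Classify a freshly fetched copy of the script against the pinned hash."""
    return "ok" if verify_sri(served, pinned_integrity) else "MISMATCH: do not load"


if __name__ == "__main__":
    pin = sri_hash(KNOWN_GOOD_BUNDLE)
    print(pinned_script_tag("https://cdn.example.invalid/connect-kit.js", KNOWN_GOOD_BUNDLE))
    print("unchanged copy:", audit_served_bundle(KNOWN_GOOD_BUNDLE, pin))
    # Simulate the hosted file being swapped for one with extra code appended.
    print("swapped copy:  ", audit_served_bundle(KNOWN_GOOD_BUNDLE + b"\n/* injected */", pin))
    print("lockfile pin matches tarball:",
          lockfile_pin_matches(SAMPLE_LOCKFILE, "@example/connect-kit", KNOWN_GOOD_TARBALL))
```

The caveat is that both checks only help when the site commits to a specific version: a script tag that loads a "latest" build from a hosted URL with no `integrity` attribute, or a build that installs without a lockfile, accepts whatever is served at fetch time, which is exactly the exposure a swapped library creates. Pinning also means a legitimate upstream update does not reach users until someone reviews the new bytes and updates the hash, which is the intended trade-off.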

MistTrack Analysis

Drainer customer: 0x658729879fca881d9526480b82ae00efc54b5c2d

Drainer fee address: 0x412f10AAd96fD78da6736387e2C84931Ac20313f

According to MistTrack analysis, the attacker (0x658) has profited at least $600,000 and is associated with the phishing group Angel Drainer.

The primary attack method of the Angel Drainer group is social engineering against domain service providers and their staff. For more information, see Dark “Angel” - Unveiling the Angel Drainer Phishing Group.

As of now, Angel Drainer (0x412) holds assets worth nearly $363,000.

According to the SlowMist Threat Intelligence Network, the following has been found:

  • IPs: 168...46, 185...167

  • The attacker has exchanged some ETH for XMR.

  • At 11:09 PM, Tether froze the address of the Ledger exploiter. MistTrack has also blacklisted the related addresses and will continue to monitor fund movements.

Disclaimer:

The views in this article only represent the author's personal views, and do not constitute investment advice on this platform. This platform does not guarantee the accuracy, completeness and timeliness of the information in the article, and will not be liable for any loss caused by the use of or reliance on the information in the article.
