Ledger posted on social media that in last week's large-scale security incident, approximately $600,000 worth of assets were affected, which were stolen from users who blind-signed on EVM DApps. Ledger will try to help affected individuals (including non-Ledger users) recover funds by the end of February 2024 and promises to work with the DApp ecosystem to allow Clear Signing. Currently, it has been decided that the use of Ledger devices for blind signing will no longer be allowed before June 2024.

Ledger officials have warned about ongoing phishing and fraud. Ledger only has two genuine social media accounts, @ledger and @ledger_support. The rest are fake accounts, and anyone asking for your 24-word recovery phrase is a criminal.

On December 15th, SlowMist founder Yu Xian posted on social media that the group that poisoned Ledger Connect Kit yesterday is related to Angel Drainer (at least using this phishing tool). Through feature analysis with Scam Sniffer, they discovered thousands of phishing websites and synchronized them to the MetaMask eth-phishing-detect repository.<br>In addition, Angel Drainer has also started using smart contracts to manage the access domain names of malicious JS files.

MetaMask stated on X platform that Ledger has resolved the current issue, but currently recommends that users wait for 24 hours before using the Ledger Connect suite to interact with dapps. After investigation, we have confirmed that MetaMask Portfolio and SDK users have never faced any risks. As a precautionary measure, we have temporarily disabled trading on the portfolio for updates.

The founder of SlowMist, Yu Xian, posted on social media regarding the Ledger vulnerability. 1. The poisoning problem of the Ledger module ledgerhq/connect-kit has been basically resolved, but the poisoned code may still be cached in the browser. If not sure, be sure to clear the browser cache (including the built-in browser cache in the wallet app); 2. Users must confirm the content of each unsigned transaction in the wallet multiple times; 3. The Ledger wallet itself is not affected; 4. The details of this supply chain attack are intriguing, and such hunters are not rare in this dark forest; 5. Tether acted in a timely manner and froze the USDT profits from phishing. In comparison, USDC continues to ignore the issue.

Several Ethereum-based decentralized applications (dapps), including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, were compromised due to a security breach at Ledger, a Paris-based crypto hardware wallet manufacturer. Ledger has fixed the malicious code and warned users to "Clear Sign" transactions to ensure they are interacting directly with the company's website and software. The extent of the damage and the amount of money lost is not yet known, but reports suggest that the exploit is widespread. The breach highlights the need for proper auditing and testing in the decentralized finance (DeFi) ecosystem, where financial software is frequently deployed without appropriate measures.

Hackers stole $484,000 by inserting malicious code into the Github library for Connect Kit, a widely-used piece of blockchain software maintained by crypto wallet firm Ledger. Several major DeFi protocols that use the library have been impacted, and users have been warned to avoid using dApps until the protocols are updated. Ledger has confirmed that an employee was targeted in a phishing attack, after which the attacker published a malicious version of the Ledger Connect Kit. To completely mitigate the risk, every protocol using Ledger's Connect Kit must manually update their version of the library.

Safe (formerly Gnosis Safe) posted on X platform stating that the Ledger Connect vulnerability has been resolved. Security has not been affected. Safe has not been affected by the vulnerability. The security application and WalletConnect function have been restored, and to enhance security, the attacker's account has been marked and labeled in the UI.

Scopescan on X platform said that the Ledger attacker is transferring funds to a new address and exchanging USDC for ETH. So far, assets totaling about $150,000 have been transferred. Previously, the address attempted to mix some ETH on the ChangeNOW platform.

Ledger has released the latest update on the vulnerability on the X platform, stating that the genuine and validated Ledger Connect Kit version 1.1.8 has now been spread and can be safely used. For builders who are developing Ledger Connect Kit code and interacting with it: the connect-kit development team on the NPM project is now read-only and cannot directly push NPM packages for security reasons.