CryptoMediaClub
Monday, July 28, 2025
  • All news
  • Bitcoin
  • Ethereum
  • Altcoins
  • NFT
  • Blockchain
  • Analysis
No Result
View All Result
  • All news
  • Bitcoin
  • Ethereum
  • Altcoins
  • NFT
  • Blockchain
  • Analysis
No Result
View All Result
CryptoMediaClub
No Result
View All Result
Home All news

How the Ledger Connect hacker tricked users into making malicious approvals

15.12.2023
A A
0
121
VIEWS
ShareShare

The Ledger hacker who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.

According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing exploit to compromise the computer of a former Ledger employee, gaining access to the employee’s node package manager JavaScript (NPMJS) account.

Once they gained access, they uploaded a malicious update to Ledger Connect’s GitHub repo. Ledger Connect is a commonly used package for Web3 applications.

Some Web3 apps upgraded to the new version, causing their apps to distribute the malicious code to users’ browsers. Web3 apps Zapper, SushiSwap, Phantom, Balancer and Revoke.cash were infected with the code.

As a result, the attacker was able to siphon away at least $484,000 from users of these apps. Other apps may be affected as well, and experts have warned that the vulnerability may affect the entire Ethereum Virtual Machine (EVM) ecosystem.

How it could have happened

Speaking to Cointelegraph, Cyvers CEO Deddy Lavid, chief technology officer Meir Dolev and blockchain analyst Hakal Unal shed further light on how the attack may have occurred.

According to them, the attacker likely used malicious code to display confusing transaction data in the user’s wallet, leading the user to approve transactions they didn’t intend to.

When developers create Web3 apps, they use open-source “connect kits” to allow their apps to connect with users’ wallets, Dolev stated. These kits are stock pieces of code that can be installed in multiple apps, allowing them to handle the connection process without needing to spend time writing code. Ledger’s Connect Kit is one of the options available to handle this task.

When a developer first writes their app, they usually install a connect kit through a node package manager. After creating a build and uploading it to their site, their app will contain the connect kit as part of its code, which will then be downloaded into the user’s browser whenever the user visits the site.

According to the Cyvers team, the malicious code inserted into the Ledger Connect Kit likely allowed the attacker to alter the transactions being pushed to the user’s wallet. For example, as part of the process of using an app, a user often needs to issue approvals to token contracts, allowing the app to spend tokens out of the user’s wallet.

The malicious code may have caused the user’s wallet to display a token approval confirmation request, but with the attacker’s address listed instead of the app’s address. Or, it may have caused a wallet confirmation to appear that would consist of difficult-to-interpret code, causing the user to confusedly push “confirm” without understanding what they were agreeing to.

An example of a Web3 token approval. Source: MetaMask

Blockchain data shows that the victims of the attack gave very large token approvals to the malicious contract. For example, the attacker drained over $10,000 from the Ethereum address 0xAE49C1ad3cf1654C1B22a6Ee38dD5Bc4ae08fEF7 in one transaction. The log of this transaction shows that the user approved a very large amount of USD Coin (USDC) to be spent by the malicious contract.

Token approval by exploit victim. Source: Etherscan

This approval was likely performed by the user in error because of the malicious code, said the Cyvers team. They warned that avoiding this kind of attack is extremely difficult, as wallets do not always give users clear information about what they are agreeing to. One security practice that may help is to carefully evaluate each transaction confirmation message that pops up while using an app. However, this may not help if the transaction is displayed in code that is not easily readable or is confusing.

Related: ConsenSys exec on MetaMask Snaps security: ‘Consent is king’

Cyvers claimed that its platform allows businesses to check contract addresses and determine whether these addresses have been involved in security incidents. For example, the account that created the smart contracts used in this attack was detected by Cyvers as having been involved in 180 security incidents.

Cyvers’ security platform. Source: Cyvers

While Web3 tools in the future could allow attacks like these to be detected and thwarted in advance, the industry still has “a long way to go” in solving this problem, the team told Cointelegraph.

Share9Tweet6ShareSharePin2

Related Posts

Crypto Lender Divine Uses Iris-Scanning World ID to Disburse 30,000 Unsecured Loans
All news

Crypto Lender Divine Uses Iris-Scanning World ID to Disburse 30,000 Unsecured Loans

28.07.2025
0

San Francisco-based crypto lender Divine Research is extending thousands of unsecured loans to borrowers across the globe, verified not through...

Read moreDetails
Metaplanet Buys 780 More Bitcoin, Total Now Over 17,000 BTC

Metaplanet Buys 780 More Bitcoin, Total Now Over 17,000 BTC

28.07.2025
South Korean Crypto Exchanges Paid Customers $87M in Interest in Past Year

South Korean Crypto Exchanges Paid Customers $87M in Interest in Past Year

28.07.2025
Tyler Winklevoss Says JPMorgan Halted Gemini Onboarding Over Public Criticism

Tyler Winklevoss Says JPMorgan Halted Gemini Onboarding Over Public Criticism

28.07.2025
Ripple’s Chris Larsen Still Holds 2.58B XRP, Analyst Warns of Potential Sell Pressure

Ripple’s Chris Larsen Still Holds 2.58B XRP, Analyst Warns of Potential Sell Pressure

27.07.2025
Load More
Next Post
Don't get excited about Fed 'dovishness' — another rate hike is in the cards

Don't get excited about Fed 'dovishness' — another rate hike is in the cards

0 0 votes
Рейтинг статьи
Subscribe
Notify of
guest
guest
0 комментариев
Oldest
Newest Most Voted
Inline Feedbacks
View all comments

Recommended

Arbitrum: Could this NFT Proposal be a Game-changer for the Network? 

2 years ago
Ethereum poised for $3,000 with regulatory tailwinds and ETF demand

Ethereum poised for $3,000 with regulatory tailwinds and ETF demand

4 weeks ago
Bitcoin outlook brightens as whales accumulate and Binance stablecoin reserves surge

Bitcoin outlook brightens as whales accumulate and Binance stablecoin reserves surge

5 months ago
CFTC Chair Rostin Behnam Expresses Optimism For Potential Upcoming Crypto Legislation

CFTC Chair Rostin Behnam Expresses Optimism For Potential Upcoming Crypto Legislation

9 months ago

Categories

  • All news
  • Altcoins
  • Analysis
  • Bitcoin
  • Blockchain
  • Ethereum
  • NFT
No Result
View All Result

Highlights

Tyler Winklevoss Says JPMorgan Halted Gemini Onboarding Over Public Criticism

Ripple’s Chris Larsen Still Holds 2.58B XRP, Analyst Warns of Potential Sell Pressure

Solana Price Prediction: SOL Breaks Key Resistance – What This Means for Future Gains

Bitwise CIO Bets on Bitcoin Rally in 2026, Defying 4-Year Cycle

Ethereum Price Prediction: ETFs Log 17-Day Inflow Streak – Is a Supply Shock Coming?

Bitcoin Price Prediction: Satoshi-Era Whale Exit Fuels Volatility — What’s Next?

Trending

Crypto Lender Divine Uses Iris-Scanning World ID to Disburse 30,000 Unsecured Loans
All news

Crypto Lender Divine Uses Iris-Scanning World ID to Disburse 30,000 Unsecured Loans

28.07.2025
0

San Francisco-based crypto lender Divine Research is extending thousands of unsecured loans to borrowers across the globe,...

Metaplanet Buys 780 More Bitcoin, Total Now Over 17,000 BTC

Metaplanet Buys 780 More Bitcoin, Total Now Over 17,000 BTC

28.07.2025
South Korean Crypto Exchanges Paid Customers $87M in Interest in Past Year

South Korean Crypto Exchanges Paid Customers $87M in Interest in Past Year

28.07.2025
Tyler Winklevoss Says JPMorgan Halted Gemini Onboarding Over Public Criticism

Tyler Winklevoss Says JPMorgan Halted Gemini Onboarding Over Public Criticism

28.07.2025
Ripple’s Chris Larsen Still Holds 2.58B XRP, Analyst Warns of Potential Sell Pressure

Ripple’s Chris Larsen Still Holds 2.58B XRP, Analyst Warns of Potential Sell Pressure

27.07.2025
  • All news
  • Altcoins
  • Bitcoin
  • Blockchain
  • Ethereum
  • NFT
  • Analysis
Editor: cryptomediaclub.com@gmail.com
Advertising: digestmediaholding@gmail.com

Disclaimer: Information found on CryptoMediaClub is those of writers quoted. It does not represent the opinions of CryptoMediaClub on whether to sell, buy or hold any investments. You are advised to conduct your own research before making any investment decisions. Use provided information at your own risk.
CryptoMediaClub covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.

© 2023 Crypto News. All Rights Reserved

No Result
View All Result
  • All news
  • Bitcoin
  • Ethereum
  • Altcoins
  • NFT
  • Blockchain
  • Analysis

Disclaimer: Information found on CryptoMediaClub is those of writers quoted. It does not represent the opinions of CryptoMediaClub on whether to sell, buy or hold any investments. You are advised to conduct your own research before making any investment decisions. Use provided information at your own risk.
CryptoMediaClub covers fintech, blockchain and Bitcoin bringing you the latest crypto news and analyses on the future of money.

© 2023 Crypto News. All Rights Reserved

wpDiscuz