Having taken over the former employee's account, the attackers published a malicious version of the Ledger Connect Kit. The compromised version injected a rogue WalletConnect project that diverted funds from Ledger users to wallets controlled by the attackers. The malicious code was live for about five hours, and funds were actually being drained for roughly two of those hours. Crypto researcher ZachXBT estimates the losses at over $600,000. Ledger has committed to helping the victims recover their funds and confirmed that the attack was limited to third-party apps that used the Ledger Connect Kit.
Ledger says it should normally be impossible for a former employee to distribute a malicious release: new versions are supposed to be reviewed by several people before publication, and employees leaving the company are supposed to lose their access to Ledger systems. Ledger has not, however, explained why these safeguards failed, describing the event only as an 'isolated incident'. It has since published a clean version of the Ledger Connect Kit and rotated the 'secrets' (the credentials used to distribute code through Ledger's GitHub).