Crypto wallet manufacturer Ledger has confirmed an exploit that led it to warn users to “stop using dapps” started because a former employee fell for a phishing scam.

The former employee’s name and email address showed up in the compromised code. Initially the crypto community took it to mean that the developer himself was responsible for the exploit, but Ledger later confirmed the attack began because “a former Ledger employee fell victim to a phishing attack.”

The attacker was able to gain access to the former employee’s NPMJS account—a package manager for the JavaScript programming language. Packages are libraries that developers can use to build projects, rather than coding everything from scratch. In the Web3 community, developers use packages to make their decentralized apps accessible from different wallets.

Once the exploiter had access to NPMJS, they pushed a malicious version of the Ledger Connect Kit. Any project that was using Connect Kit would have contained malicious code that could reroute a users’ funds to a hacker wallet. The impacted versions of the Connect Kit are 1.1.5, 1.1.6, and 1.1.7—all of which have since been removed from the Ledger’s NPM page.


“Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware,” the company said in a statement shared with Decrypt. “The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.”

Ledger now says it has pushed a new version of the Connect Kit (1.1.8) and all wallets that use it will be updated automatically. But it cautioned that users should still wait 24 hours before trying to connect to a decentralized app.

“The sheer amount of repositories on GitHub alone that rely on connect-kit-loader suggests that the damage done to the crypto supply chain could be significant unless the developers using this package exercise proper hygiene for consumption,” Ilkka Turunen, Field CTO of cybersecurity firm Sonatype, told Decrypt.

The exploit has caused widespread panic among the industry.


“We are seriously fucked if one dev can click on a phishing link and compromise almost every meaningful app's front-end in the ecosystem,” wrote investor and advisor Aftab Hossain (better known as DCInvestor) on X (formerly Twitter). “Read that sentence again and again until we internalize how absurd and unacceptable this is.”

Meanwhile, stablecoin issuer Tether has frozen funds linked to the wallet used by an exploiter to drain $484,000 from DeFi users on Thursday morning, said Tether CEO Paolo Ardoino.

As of this writing, the wallet had just over $27,000 worth of USDT sitting in it and $334,814 total. At one point, the wallet contained as much as $484,000. On-chain data shows that the wallet has been transferring funds to one linked to Angel Drainer. The phishing group is suspected to have been involved in a number of other DeFi hacks.

The stolen assets also contain a Doodle NFT, last priced at 3.9 ETH, that’s since been marked for “suspicious activity” on OpenSea.

Drainers work by convincing users to approve a transaction that secretly gives the hacker access to other funds in their wallet. The drainers themselves, which have all kinds of creative names, get rented out to hacking groups and the original devs take a cut of the illicit gains.

Edited by Guillermo Jimenez.

Daily Debrief Newsletter

Start every day with the top news stories right now, plus original features, a podcast, videos and more.