Ledger promises to make victims whole after attack

Ledger will remove the ability to Blind Sign by June 2024

by Katherine Ross /
article-image

Artwork by Crystal Le

share

Ledger, in an update following last week’s attack, has promised to make users whole.

An attacker phished a former Ledger employee and was able to access the company’s package manager, where they uploaded a malicious code to ConnectKit. The attacker, according to Ledger, made off with $600,000.

“We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February 2024. We are already in contact with many impacted users and are actively working through the specifics with them,” the company said in a post on X.

The company will make victims whole in the wake of the attack, and is working with law enforcement to track down the hacker and recover the funds. 

Read more: Ledger says attacker conducted phishing attack on former employee

“Ledger has engaged with authorities and is doing all we can to help as this investigation unfolds. Ledger will support affected users in helping to find this bad actor, bring them to justice, track the funds and work with law enforcement to help recover stolen assets from the hacker,” CEO Paul Gauthier said last week.

Following the attack, Tether froze the attacker’s address, which was also published to Chainalysis.

The attacker’s code was active for roughly five hours. Decentralized exchange SushiSwap alongside Revoke.cash warned that they were impacted. Ledger implemented a fix later the same day.

Additionally, the company plans to end blind signing by June 2024. When signing a transaction, “blind” refers to signing without the wallet offering full visibility or understanding of the transaction details.

In posts on X following the attack, the company pushed users to only use Clear Sign on their transactions.

“In the meantime, we’d like to remind the community to always Clear Sign your transactions — remember that the addresses and the information presented on your Ledger screen is the only genuine information,” Ledger said at the time.

“Our commitment is to work with the community and dapp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing. This will lead to a new standard to protect users and encourage Clear Signing across dapps,” Ledger said Wednesday.

Ledger’s small display often requires paging through many — sometimes dozens — of screens showing encoded transaction details, which is why users often opted for blind signing.

The company warned that front-end attacks aren’t going away, so the “only foolproof countermeasure for this type of attack is to always verify what you consent to on your device…This is only possible with Clear Signing: meaning you can see and verify exactly what you sign on a secure display.”

Start your day with top crypto insights from David Canellis and Katherine Ross. Subscribe to the Empire newsletter.

Tags

Upcoming Events

Permissionless III

Salt Lake City, UT

WED - FRI, OCTOBER 9 - 11, 2024

Pack your bags, anon — we’re heading west! Join us in the beautiful Salt Lake City for the third installment of Permissionless. Come for the alpha, stay for the fresh air. Permissionless III promises unforgettable panels, killer networking opportunities, and mountains […]

learn more

recent research

aptos cover3.jpg

Research

The Aptos Advantage: Moving at Scale

A fragmented liquidity landscape across L2s has led to newfound appreciation for predominantly monolithic L1 architectures over the past year, especially when considering qualifying capabilities like high throughput and low latency. Despite Aptos being a relatively young blockchain when compared to other L1s, a combination of design choices, network adoption, partnerships, and dApp development proves that the network is primed for breakout momentum over the coming years.

by 0xpibblez

/

news

article-image

Business

The move for an ‘undervalued’ bitcoin miner? Perhaps selling the company.

Stronghold Digital Mining’s market value compared to its peers is “hard for us to understand,” CEO says

by Ben Strack /
article-image

Policy

Nigerian court postpones another Binance case to May 17

Binance and detained exec Tigran Gambaryan may face three court appearances on May 17 after the most recent adjournment pushed another Nigerian trial back

by Katherine Ross /
article-image

Sponsored

StakeKit launches market’s most comprehensive self-custodial yield API, powering Zerion’s new Earn section

The Earn section on Zerion now offers users the ability to stake, liquid stake, restake, and earn DeFi yields

article-image

Op-Ed

Fintech has hit a wall. Blockchain will break through it.

Relatively soon, blockchain will become the only part of fintech that matters.

by Ben Mills /
article-image

Web3

Empire Newsletter: Here’s where all the crypto users really are

The number of “active users” is actually quite difficult to measure

by David Canellis&Katherine Ross&Casey Wagner /
article-image

Finance

BlackRock, Fidelity bitcoin ETFs bleed Wednesday, joining GBTC

The world’s largest asset manager sees BTC fund outflows for the first time, while the most money left Fidelity’s product

by Ben Strack /