Ledger to reimburse library exploit victims by February
Hardware crypto wallet maker Ledger plans to make defi participants whole by covering approximately $600,000 in digital assets stolen during a Dec. 14 incident.
The company acknowledged many crypto users were affected by a connector kit exploit targeted at the front end of EVM dapps. These decentralized platforms included exchanges and web3 tools like Revoke.cash, although the number of affected users was either unknown or undisclosed.
Ledger said it would reimburse all exploit victims by February, including non-customers. The wallet provider also highlighted an action plan to deactivate blind signing, which supposedly aided the attacker’s efforts and facilitated crypto theft.
We are announcing that by June 2024, users will no longer be able to Blind Sign with Ledger devices. Our commitment is to work with the community and DApp ecosystem to allow Clear Signing so users can verify all transactions on Ledger devices before signing.
Ledger on X
According to Ledger CEO Pascal Gauthier, on Dec. 14, a phishing scammer connected to the Angel Drainer hacker leveraged compromised Github access to publish malicious code. This code was broadcast to a widely used web3 library employed by dapps like SushiSwap.
The general sentiment from crypto participants on social media suggested that the impact was minimal, although losses could have been devastating since the WalletConnect build was used in a web of defi platforms.
Following the incident and on-chain investigations traced back to Angel Drainer, stablecoin operator Tether froze the hacker’s address amid ERC-20 transactions seemingly meant to launder stolen funds.
Gauthier’s wallet creator has been embroiled in controversy during the year. Customers also lost thousands in Bitcoin (BTC) and Ether (ETH) due to a fake version of its service on Microsoft’s App Store.
The wallet manufacturer received backlash for its recovery service, which offered a means to regain access even if a user lost their secret seed phrase.