Ledger Hack / Connect Kit Attack

On December 14, 2023, hardware wallet company Ledger suffered one of crypto’s most technically sophisticated attacks — a supply chain compromise targeting its open-source @ledgerhq/connect-kit npm package. The attacker injected malicious JavaScript code that acted as an address-draining script on any DeFi frontend that called the library, silently redirecting user transactions to the attacker’s wallet. Approximately $600,000 in assets were drained in under two hours before Ledger deployed a fix. The incident affected some of crypto’s most reputable frontends including Zapper, SushiSwap, Revoke.cash, and others — demonstrating that hardware wallets cannot protect against malicious dApp frontends.


What Is Ledger ConnectKit?

ConnectKit is an open-source JavaScript library that DeFi protocols and dApps use to display the “Connect Wallet” UI — the modal that allows users to select Ledger, MetaMask, Rainbow, WalletConnect, and other wallet options when interacting with a DeFi frontend. It is widely imported by hundreds of web3 applications via the npm package registry.


How the Attack Occurred

  1. Social engineering — ex-employee phishing: A former Ledger employee fell victim to a phishing attack, compromising their npm account credentials
  2. Malicious package upload: The attacker used those credentials to publish a malicious version of @ledgerhq/connect-kit to npm — versions 1.1.5, 1.1.6, and 1.1.7
  3. The payload: The malicious code included a crypto drainer — code that, when users connected wallets through the compromised frontend, replaced legitimate contract addresses with attacker-controlled addresses OR prompted users to sign unlimited token approvals disguised as normal transactions
  4. Execution window: From approximately 09:44 AM UTC to 12:35 PM UTC — about 2 hours and 50 minutes before Ledger deployed a clean version (1.1.8) and pinned future versions

Affected Platforms

Any dApp using @ledgerhq/connect-kit with CDN-loaded or dynamically resolved packages during the attack window was affected. Confirmed affected:

  • Zapper
  • SushiSwap
  • Revoke.cash
  • Balancer
  • Multiple smaller protocols

Protocols that hard-pinned specific versioned packages in their package.json and bundled them (no live CDN loading) were NOT affected.


Damage

  • ~$600,000 drained from users interacting with compromised frontends
  • One reported victim lost a six-figure sum from a single address
  • Tether froze the USDT portion of the stolen funds ($44,000) within hours on request
  • Ledger offered to reimburse affected users

Key Lessons

  1. Hardware wallets don’t protect against malicious frontends: A Ledger signing a transaction initiated by a malicious dApp provides no protection — the user signs what they see on the screen, which can be manipulated
  2. Supply chain attacks are high-leverage: One compromised npm account → hundreds of vulnerable frontends
  3. CDN-loaded JS is a risk: Protocols that dynamically load external JS (vs. bundling at build time) are exposed to this attack vector
  4. Revoke approvals regularly: Unlimited token approvals granted before an attack compound losses once a drainer gains control of a frontend
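As an added example (not code from the page or from Ledger), the following JavaScript audit checks a project for the three exposure conditions described above and in the Affected Platforms section: a floating version range in package.json, a lockfile resolving to one of the versions named as malicious, and a connect-kit script fetched live from a CDN without subresource integrity. The sample package.json, lockfile and HTML inputs are constructed for the example; the CDN hostname is a placeholder.

```javascript
const PKG = "@ledgerhq/connect-kit";
// Versions the write-up above names as the poisoned releases.
const MALICIOUS_VERSIONS = new Set(["1.1.5", "1.1.6", "1.1.7"]);

function isFloatingRange(spec) {
  // An exact pin looks like "1.1.8"; a caret/tilde range, wildcard or tag lets npm float.
  return !/^\d+\.\d+\.\d+$/.test(spec.trim());
}

function auditConnectKit({ packageJson, packageLock, html = "" }) {
  const findings = [];
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  if (PKG in deps && isFloatingRange(deps[PKG])) {
    findings.push(`package.json: "${deps[PKG]}" lets npm resolve a newer ${PKG} release on install`);
  }
  if (!packageLock) {
    findings.push("no lockfile: installs are not reproducible, so a fresh build picks the newest release");
  } else {
    // npm v7+ lockfile layout: packages["node_modules/<name>"].version
    const entry = (packageLock.packages || {})[`node_modules/${PKG}`];
    if (entry && MALICIOUS_VERSIONS.has(entry.version)) {
      findings.push(`lockfile resolves ${PKG}@${entry.version}, a known-malicious release`);
    }
  }
  // Script tags that fetch connect-kit at page load with no integrity attribute.
  const scriptRe = /<script\b[^>]*src="([^"]*connect-kit[^"]*)"[^>]*>/gi;
  for (const m of html.matchAll(scriptRe)) {
    if (!/\bintegrity=/.test(m[0])) {
      findings.push(`html: ${m[1]} is loaded live at runtime without subresource integrity`);
    }
  }
  return findings;
}

// Constructed sample: a project exposed during the attack window (placeholder CDN host).
const EXPOSED = {
  packageJson: { dependencies: { [PKG]: "^1.1.4" } },
  packageLock: { packages: { [`node_modules/${PKG}`]: { version: "1.1.6" } } },
  html: '<script src="https://cdn.example.invalid/connect-kit/umd/index.js"></script>',
};
// Constructed sample: a project that pinned the clean release and bundled it at build time.
const PINNED = {
  packageJson: { dependencies: { [PKG]: "1.1.8" } },
  packageLock: { packages: { [`node_modules/${PKG}`]: { version: "1.1.8" } } },
};

console.log(auditConnectKit(EXPOSED)); // three findings
console.log(auditConnectKit(PINNED));  // []
```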

Ledger’s Response

Ledger published a post-mortem, offered reimbursement to affected users (in LDG tokens), and implemented enhanced npm access controls (multi-factor authentication requirements on package publishing). The ex-employee was identified and cooperated.

The analytics firm Chainalysis tracked the stolen funds; some were moved through mixing services before the trail went cold.

Sources

  1. Ledger Post-Mortem (December 2023). “Technical Update on the December 14 Exploit.” Ledger Blog.
  2. Chainalysis (2023). “Tracking the Ledger ConnectKit Attack Funds.” Chainalysis Blog.
  3. Mudit Gupta, DeFi security researcher (2023). “ConnectKit Supply Chain Attack Analysis.” Twitter/X thread.
  4. npm Security (2023). “Security Incident: @ledgerhq/connect-kit.” GitHub Advisory Database.
  5. Trail of Bits (2024). “Supply Chain Attacks in Web3: Lessons from ConnectKit.” Trail of Bits Blog.