Ledger Commits To Full Restitution For Victims Of $600,000 ConnectKit Attack

Hardware wallet manufacturer Ledger has responded to a recent security breach resulting in the theft of $600,000 worth of user assets. 

The company has pledged to enhance its security protocols by eliminating Blind Signing, a process where transactions are displayed in code rather than plain language, by June 2024.

Ledger Takes Responsibility For ConnectKit Attack

In a statement, Ledger emphasized its focus on addressing the recent security incident and preventing similar occurrences in the future. 

The company acknowledged the approximately $600,000 in assets that were impacted by the ConnectKit attack, particularly affecting users blind signing on Ethereum Virtual Machine (EVM) decentralized applications (dApps). 

Furthermore, Ledger pledged to make sure affected victims are fully compensated, including non-Ledger customers, with CEO & Chairman Pascal Gauthier personally overseeing the restitution process. 

According to the statement, Ledger has already initiated contact with affected users and is actively working with them to resolve their specific cases.

In addition, by June 2024, blind signing will no longer be supported on Ledger devices, contributing to a “new standard of user protection” and advocating for “Clear Signing,” which refers to a process that allows users to verify transactions on their Ledger devices before signing them across dApps.

On this matter, Ledger’s CEO Pascal Gauthier stated:

“My personal commitment: Ledger will dedicate as much internal and external resources as possible to help the affected individuals recover their assets.”

Heightened dApp Security Measures

According to an incident report released by the hardware wallet manufacturer, the attack exploited the Ledger Connect Kit, injecting malicious code into dApps utilizing the kit. 

This malicious code redirected assets to the attacker’s wallets, tricking EVM dApp users into “unknowingly signing transactions” that drained their wallets. 

Ledger addressed the attack by deploying a genuine fix for the Connect Kit within 40 minutes of detection. The compromised code remained accessible for a limited time due to the nature of content delivery networks (CDNs) and caching mechanisms.

Ledger acknowledged the risks faced by the entire industry in safeguarding users and emphasized the need to continually raise the bar for security in dApps. 

The company plans to strengthen its access controls, conduct audits of internal and external tools, reinforce code signing, and improve infrastructure monitoring and alerting systems. 

Additionally, Ledger will educate users on the importance of Clear Signing and the potential risks associated with blind signing transactions without a secure display.

Notably, with Clear Signing, users are presented with a clear and readable representation of the transaction details, enabling them to review and validate the transaction before providing their signature. 

This added layer of transparency and verification helps users mitigate the risks associated with front-end attacks or malicious code injected into decentralized applications.
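The difference between blind signing and Clear Signing described above, as an added example that is not part of the original article and is not Ledger's code: the function below turns raw EVM calldata into the readable summary a user would review before signing, and refuses to describe anything it cannot decode. The name `clearSign`, the sample addresses and the sample calldata are constructed for illustration, and only the two standard ERC-20 calls are recognised.

```javascript
// Added example: render raw EVM calldata (the "blind" view) as a readable
// summary (the "clear" view). Anything not fully understood is reported as
// unreadable rather than guessed at.
const KNOWN_CALLS = {
  "a9059cbb": { name: "transfer", params: ["recipient", "amount"] }, // transfer(address,uint256)
  "095ea7b3": { name: "approve", params: ["spender", "amount"] },    // approve(address,uint256)
};
const MAX_UINT256 = (1n << 256n) - 1n;

function clearSign(calldata) {
  const hex = String(calldata).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) {
    return { readable: false, reason: "malformed calldata" };
  }
  const selector = hex.slice(0, 8);
  const call = KNOWN_CALLS[selector];
  if (!call) {
    return { readable: false, reason: "unknown function selector 0x" + selector };
  }
  const body = hex.slice(8);
  if (body.length !== 64 * call.params.length) {
    return { readable: false, reason: "unexpected argument length" };
  }
  const addressWord = body.slice(0, 64);
  if (!/^0{24}/.test(addressWord)) {
    // An address is 20 bytes, left-padded with zeros to a 32-byte word.
    return { readable: false, reason: "address word is not zero-padded" };
  }
  const amount = BigInt("0x" + body.slice(64, 128));
  return {
    readable: true,
    action: call.name,
    [call.params[0]]: "0x" + addressWord.slice(24),
    // An approval for the maximum value lets the spender move every token.
    amount: amount === MAX_UINT256 ? "UNLIMITED" : amount.toString(),
  };
}

// Constructed sample inputs (addresses are placeholders, not real accounts).
const SAMPLE_APPROVE =
  "0x095ea7b3" + "0".repeat(24) + "11".repeat(20) + "f".repeat(64);
const SAMPLE_TRANSFER =
  "0xa9059cbb" + "0".repeat(24) + "22".repeat(20) + (1000n).toString(16).padStart(64, "0");

console.log("blind view:", SAMPLE_APPROVE);
console.log("clear view:", clearSign(SAMPLE_APPROVE));
console.log("clear view:", clearSign(SAMPLE_TRANSFER));
console.log("clear view:", clearSign("0xdeadbeef"));
```

Amounts are shown in the token's smallest unit, because converting to a display value needs the token's decimals, which the calldata does not carry.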


Crypto.com Restores Withdrawals After Reportedly Losing $15m To Hackers

Crypto.com, the popular cryptocurrency exchange platform, halted all deposits and withdrawals on Monday, January 11, citing “unauthorized activity” on some accounts. It has, however, reinstated some accounts and withdrawal services, noting that the accounts are now safe.

News From Yesterday

According to security and data analytics firm PeckShield, Crypto.com has been the latest target of a cyberattack, with about $15 million worth of cryptocurrency stolen. At least 4,600 Ether has been taken from some of the exchange’s accounts.

Crypto.com issued a tweet informing users that a small number of users had reported suspicious activity on their accounts and that withdrawals would be temporarily halted while its staff investigated. All funds are safe, according to the message.

We have a small number of users reporting suspicious activity on their accounts.

We will be pausing withdrawals shortly, as our team is investigating. All funds are safe.

— Crypto.com (@cryptocom) January 17, 2022

Dogecoin (DOGE) founder Billy Markus spotted a strange transaction pattern on Etherscan, leading the firm to suspend all transactions until it can figure out what’s wrong with their platform.

Several users reported on social media that their tens of thousands of dollars worth of digital assets had vanished from the exchange.

I really hope @cryptocom gets their shit together. Because a lot of theft is going on and if you check https://t.co/tO1rPRGTgC from the cryptocom wallet address. You’ll see a bunch of 2ETH to 5ETH transactions being sent to wallets with single transactions. How did it bypass 2FA?

— BEN BALLER™ (@BENBALLER) January 17, 2022

Ben Baller, a cryptocurrency enthusiast and jeweller, claimed that his account had been hacked and that he had lost 4.28 Ether (ETH) (about $15,000). He also said he used two-factor authentication, meaning that the suspected criminals had to get around some of Crypto.com’s security measures.

Tornado Cash was used to move the funds, making them harder to track. Technical glitches on cryptocurrency trading platforms have been increasingly widespread in recent months. Even some of the most prominent crypto exchanges have experienced significant disruptions during peak periods.

Crypto.com Lost $15 Million To The Hack

Although Crypto.com claims that the accounts are safe, PeckShield, a blockchain security and data analytics firm, claims that the exchange has lost a whopping $15 million in the recent theft, or at least 4,600 ETH.

The @cryptocom loss is about $15M with at least 4.6K ETHs and half of them are currently being washed via @TornadoCash https://t.co/PUl6IrB3cp https://t.co/6SVKvk8PLf pic.twitter.com/XN9nmT857j

— PeckShield Inc. (@peckshield) January 18, 2022

CEO Kris Marszalek stated on Twitter that no customer funds had been lost. In reaction to the event, the Crypto.com team reinforced the exchange’s security infrastructure, he noted. The security incident is currently being investigated internally at the exchange.

Some thoughts from me on the last 24 hours:

– no customer funds were lost
– the downtime of withdrawal infra was ~14 hours
– our team has hardened the infrastructure in response to the incident

We will share a full post mortem after the internal investigation is completed.

— Kris | Crypto.com (@Kris_HK) January 18, 2022

After hours of waiting, Crypto.com tweeted that security on all accounts was being increased out of an abundance of caution, asking users to sign in to their App and Exchange accounts and reset their 2FA. It also stated that the update would be rolled out to users gradually over the next few hours, and that withdrawals would be re-enabled once the process was complete. The company acknowledged that this may be inconvenient for users but said that security comes first.

With over 10 million customers, Crypto.com is one of the most popular trading platforms in the United States. We’d like Crypto.com to provide us with more information about this.
