Last Week in Hacks… Ledger, NFT Trader

The cryptocurrency ecosystem has seen remarkable growth in recent years, attracting widespread attention and investment, and that growth has brought significant security challenges with it. The last week alone saw a series of alarming hacks and breaches that shook the confidence of the crypto community. High-profile attacks on Ledger, NFT Trader, and X accounts exposed weaknesses in digital asset security, caused substantial financial losses, and highlighted the pressing need for better security measures and practices. Let's check them out:

1. Ledger – Connect Kit Hack

The Ledger hack of December 14, 2023 is a stark reminder of the security challenges in the cryptocurrency world. This supply chain attack led to the theft of approximately $484,000 and put every decentralized finance (DeFi) application that embedded Ledger's Connect Kit at risk.

The incident began with a former Ledger employee falling victim to a phishing attack. The phish gave the attackers control of the employee's account on NPMJS, the public registry for JavaScript packages, and that account still held publish rights to Ledger's packages. Because the attackers held a valid session token, they could act as the employee without passing two-factor authentication again. They used the account to publish malicious versions of the Ledger Connect Kit (1.1.5, 1.1.6 and 1.1.7), the library dApps embed to let users connect a Ledger device. The injected code used a rogue WalletConnect project to reroute users' assets to the attackers' wallets.

Within a few hours of identifying the breach, Ledger's technology and security teams published a genuine version of the Connect Kit (1.1.8) to replace the malicious one. Even so, Content Delivery Network (CDN) caches kept serving the malicious file for a short period afterward, so users continued to lose assets during that window; Ledger advised users to wait a day before interacting with dApps that use the kit.

This hack shows how one shared dependency can put many decentralized applications (dApps) at risk at once. Multiple Ethereum-based applications, including Zapper, SushiSwap, Phantom, Balancer, and Revoke.cash, were affected because they all pulled the same Connect Kit through Ledger's CDN. The kit's loader fetches the current build at page load rather than a version the dApp team vetted, so those dApps were compromised without any change to their own code. The attack targeted neither Ledger's hardware nor the dApps' own contracts; it swapped the Connect Kit served through the CDN for malicious code.

The operation was well executed. The phishing went after the employee's session token rather than the password: with a live session in hand, the attackers needed neither the credentials nor a second factor, which is why two-factor authentication on the account did not stop the publish. The payload was identified as Angel Drainer, a drainer-as-a-service kit that prompts the victim's wallet to sign transactions which, once signed, hand the wallet's assets to the attacker.

In response to this incident, Ledger has taken several remedial actions: a comprehensive review and audit of access controls on the internal and external tools and systems it uses; stronger code review, deployment, distribution, and access control policies, including adding external tools such as the package registry to maintenance and off-boarding checks; more employee security training; and regular third-party security assessments.

The damage to Ledger was mostly reputational: the majority of the crypto ecosystem relies on Ledger's hardware and software as the final bastion of security, and that armor now has some scratches. The devices themselves were not broken. The drainer still needed victims to approve the transactions it presented, which is why a wallet that shows clearly what a transaction does before you sign is the last line of defense.

2. NFT Trader Hack 

The NFT Trader hack occurred on December 16, 2023 and resulted in the loss of nearly $3 million in digital assets. The attackers targeted the platform's old, no longer used smart contracts: a flaw in those contracts let them move tokens out of any wallet that still had an active approval for them, and they used it to transfer multiple high-value non-fungible tokens (NFTs).

Following the hack, NFT Trader promptly advised users to revoke any approvals (operator delegations) granted to the two contract addresses involved, to prevent further unauthorized transfers. An approval stays valid until the owner revokes it, so holders who had last used the old contracts long ago were still exposed. The theft involved at least 13 Mutant Ape Yacht Club and 37 Bored Ape Yacht Club NFTs, as well as select pieces from the VeeFriends and World of Women collections.

An interesting development in the aftermath was the involvement of Greg Solano, co-founder of Yuga Labs (creators of the Bored Ape Yacht Club). In an effort to recover the stolen NFTs, Solano offered to pay the 10% ETH bounty the hacker demanded. This step by a prominent figure in the NFT community was significant, although it raised questions about the precedent it sets for future attacks and ransom negotiations.

The hacker then returned some of the stolen NFTs without requiring payment, including one Bored Ape along with 31 ETH (approximately $70,680) to one user. These actions added complexity to the situation and baffled many in the cryptocurrency community.

Despite the incident, the broader NFT market did not move significantly. The lasting lesson is less about market resilience than about hygiene: an approval granted to a contract remains valid until it is revoked, even after the contract is retired, so approvals need to be reviewed periodically.

It’s important to note that during this issue, Revoke.cash’s front-end was down (because of the earlier Ledger hack), which meant that many folks did not have a reliable place to revoke their approvals. Webacy just announced our native approval management and revoke features, so users were able to revoke their approvals with Webacy. If you’re a Webacy user, you can also scan your wallet for older, potentially compromised approvals to smart contracts and other security risks; so you’re covered if you regularly scan your wallet using our Safety Scoring feature.

3. Crypto Twitter 

X (formerly Twitter) users also fell prey to a recent scam that used a fake Calendly link to hijack accounts. It began subtly, with the scammer posing as a reporter and reaching out on X; the professional disguise was a way to build trust and appear legitimate.

As part of the ruse, the scammer shared what looked like a Calendly link and urged the target to pick an interview slot. The link preview showed "calendly.com", and the destination page closely resembled the real Calendly site.

The giveaway was an unusual request: the page asked visitors to connect their X account before proceeding. Calendly schedules appointments and never needs that access. Connecting an account here means authorizing a third-party app, which grants it permission to read from and post as the account, and that is how the scammers took over accounts and reached the information in them. Anyone who went through such a prompt should open X's Settings, go to Security and account access, then Apps and sessions, then Connected apps, and revoke any app they do not recognize; revoking the app's access is the step that matters, because the app holds its own token rather than the password.

The Key to Safety: Webacy's Risk Score

In the crypto world, maintaining security is a continuous process. The NFT Trader incident is a reminder that an approval deemed safe at one time can turn into a security risk later, which is why regular reviews of wallet approvals are essential. Webacy's Wallet Safety Score and Wallet Watch play a crucial role here, offering ongoing monitoring of your wallet's safety level; the dashboard alerts you to any change in safety status, helping you stay ahead of potential threats. For an added layer of security, we recommend scanning your wallets for vulnerabilities using Webacy's Risk Score. This proactive approach is key to safeguarding your digital assets in a constantly changing environment.