How the Ledger Connect hacker tricked users into making malicious approvals
According to Cyvers, the attacker caused malicious code to be inserted into multiple app user interfaces, allowing the exploiter to fool users into confirming transactions.
The ‘Ledger hacker’ who siphoned away at least $484,000 from multiple Web3 apps on Dec. 14 did so by tricking Web3 users into making malicious token approvals, according to the team behind blockchain security platform Cyvers.
According to public statements made by multiple parties involved, the hack occurred on the morning of Dec. 14. The attacker used a phishing exploit to compromise the computer of a former Ledger employee, gaining access to the employee’s node package manager javascript (NPMJS) account.
When a developer first writes their app, they usually install a connect kit through Node Package Manager (NPM). After creating a build and uploading it to their site, their app will contain the connect kit as part of its code, which will then be downloaded into the user’s browser whenever the user visits the site.