Hacker News
by rdl 921 days ago
LOL https://twitter.com/Ledger/status/1735326240658100414

FINAL TIMELINE AND UPDATE TO CUSTOMERS:

4:49pm CET:

Ledger Connect Kit genuine version 1.1.8 is being propagated now automatically. We recommend waiting 24 hours until using the Ledger Connect Kit again.

The investigation continues, here is the timeline of what we know about the exploit at this moment:

- This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account.
- The attacker published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7). The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet.
- Ledger’s technology and security teams were alerted and a fix was deployed within 40 minutes of Ledger becoming aware. The malicious file was live for around 5 hours, however we believe the window where funds were drained was limited to a period of less than two hours.
- Ledger coordinated with @WalletConnect who quickly disabled the rogue project.
- The genuine and verified Ledger Connect Kit version 1.1.8 is now propagating and is safe to use.
- For builders who are developing and interacting with the Ledger Connect Kit code: connect-kit development team on the NPM project are now read-only and can’t directly push the NPM package for safety reasons.
- We have internally rotated the secrets to publish on Ledger’s GitHub.
- Developers, please check again that you’re using the latest version, 1.1.8.
- Ledger, along with @Walletconnect and our partners, have reported the bad actor’s wallet address. The address is now visible on @chainalysis . @Tether_to has frozen the bad actor’s USDT.
- We remind you to always Clear Sign with your Ledger. What you see on the Ledger screen is what you actually sign. If you still need to blind sign, use an additional Ledger mint wallet or parse your transaction manually.
- We are actively talking with customers whose funds might have been affected, and working proactively to help those individuals at this time.
- We are filing a complaint and working with law enforcement on the investigation to find the attacker.
- We’re studying the exploit in order to avoid further attacks.

We believe the attacker’s address where the funds were drained is here: 0x658729879fca881d9526480b82ae00efc54b5c2d

Thank you to @WalletConnect , @Tether_io, @Chainalysis , @zachxbt , and the whole community that helped us and continue to help us identify and solve this attack.

Security will always prevail with the help of the whole ecosystem.
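Ledger's "check again that you're using 1.1.8" is easy to get wrong when the kit is pulled in transitively, or when a caret range in package.json still admits one of the pulled releases. The script below is an added example, not code from the HN post or from Ledger: it audits an npm lockfile (lockfileVersion 2/3 "packages" map) and a package.json against the affected versions named in the timeline (1.1.5, 1.1.6, 1.1.7; 1.1.8 as the clean republish). It assumes the package is published on npm as `@ledgerhq/connect-kit` (the page only calls it "connect-kit"), and the lockfile and manifest it scans are constructed samples, not real project files.

```javascript
// Added example (not Ledger's code). Audits npm lockfile + manifest for the
// compromised Ledger Connect Kit releases listed in the timeline above.
// ASSUMPTION: the kit is published on npm as "@ledgerhq/connect-kit".
const COMPROMISED = { '@ledgerhq/connect-kit': new Set(['1.1.5', '1.1.6', '1.1.7']) };
const FIXED = { '@ledgerhq/connect-kit': '1.1.8' };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver range check for the forms commonly seen in package.json:
// exact, ^, ~, >=, >, <=, <, "*" and "latest". A real audit would use the
// `semver` package; this keeps the example dependency-free and offline.
function rangeAccepts(range, version) {
  const v = parseVersion(version);
  if (!v) return false;
  const r = String(range).trim();
  if (r === '' || r === '*' || r === 'latest') return true;
  const m = /^(\^|~|>=|>|<=|<|=)?\s*(\d+\.\d+\.\d+)/.exec(r);
  if (!m) return false; // unsupported form (git URL, ||, x-ranges): not matched here
  const base = parseVersion(m[2]);
  const c = cmp(v, base);
  switch (m[1]) {
    case undefined:
    case '=': return c === 0;
    case '^':
      if (c < 0) return false;
      if (base[0] > 0) return v[0] === base[0];
      if (base[1] > 0) return v[0] === 0 && v[1] === base[1];
      return c === 0; // ^0.0.x admits only that exact version
    case '~': return c >= 0 && v[0] === base[0] && v[1] === base[1];
    case '>=': return c >= 0;
    case '>': return c > 0;
    case '<=': return c <= 0;
    case '<': return c < 0;
  }
  return false;
}

// Lockfile check: flags every installed copy at a compromised version,
// including nested copies under another dependency's node_modules.
function auditLockfile(lock) {
  const findings = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    const name = entry.name || (idx >= 0 ? path.slice(idx + marker.length) : path);
    const bad = COMPROMISED[name];
    if (bad && bad.has(entry.version)) {
      findings.push({ path, name, version: entry.version, fix: FIXED[name], resolved: entry.resolved });
    }
  }
  return findings;
}

// Manifest check: a range that still admits a compromised release leaves the
// project one `npm install` away from pulling it, even if the lockfile is clean today.
function auditManifest(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies']) {
    for (const [name, range] of Object.entries(pkg[section] || {})) {
      const bad = COMPROMISED[name];
      if (!bad) continue;
      const admits = [...bad].filter((ver) => rangeAccepts(range, ver));
      if (admits.length) findings.push({ section, name, range, admits, recommend: FIXED[name] });
    }
  }
  return findings;
}

// Constructed sample inputs (not real project files).
const SAMPLE_LOCK = {
  name: 'dapp-frontend', lockfileVersion: 3,
  packages: {
    '': { name: 'dapp-frontend', version: '0.1.0', dependencies: { '@ledgerhq/connect-kit': '^1.1.5' } },
    'node_modules/@ledgerhq/connect-kit': { version: '1.1.7', resolved: 'https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.7.tgz', integrity: 'sha512-constructed-placeholder' },
    'node_modules/some-wallet-lib': { version: '2.0.0' },
    'node_modules/some-wallet-lib/node_modules/@ledgerhq/connect-kit': { version: '1.1.8' },
  },
};
const SAMPLE_PKG = { name: 'dapp-frontend', dependencies: { '@ledgerhq/connect-kit': '^1.1.5', react: '^18.2.0' } };

function runAudit(lock = SAMPLE_LOCK, pkg = SAMPLE_PKG) {
  return { lockfile: auditLockfile(lock), manifest: auditManifest(pkg) };
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the sample this reports the hoisted 1.1.7 copy and ignores the nested 1.1.8 one, and separately flags `^1.1.5` because that range still admits all three pulled releases; the fix is to bump the range (or pin) to 1.1.8 and regenerate the lockfile. It only covers what npm installs: a copy of the kit loaded at runtime from a CDN URL never appears in the lockfile and has to be checked wherever that URL is assembled.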

5 comments

1) They are using some phishable auth (SMS? TOTP? password only?) to secure super high value repo? For fuck's sake, they're a HARDWARE KEY VENDOR which also supports U2F/FIDO2 as an app.

2) Former employee has signing/push auth on super high value repo?

3) Single person has signing/push auth on super high value repo?


> "This morning CET, a former Ledger Employee fell victim to a phishing attack that gained access to their NPMJS account."

Ouch. A _former_ employee had active credentials to phish for.

> "@Tether_to has frozen the bad actor’s USDT."

Wasn't like, >30% of the point of crypto to not allow people to do this sort of high-level/centralized freezing?

Tokens are fully programmable, so you can encode whatever logic you want in them, including freezing if you want that functionality. This is mainly done in dollar-backed stable coins.

The base level assets, like ETH and BTC, cannot be frozen like this, although centralized exchanges will often blacklist addresses (and the chain of custody) involved in major exploits.

You can have gradations of control. USDT and USDC are centrally managed.

We used to have DAI, which was fully decentralized and over-collateralized by Ethereum tokens (the native currency of the platform DAI is rooted on) - but the founder mysteriously died as the DAO was taken over and made to begin collateralizing DAI against USDC and USDT, ironically.

It is a shame how far crypto has fallen culturally that this stablecoin business is some niche story. Most people are in it for the money, but many good people are not.

I don't think MakerDAO ever integrated USDT as collateral, but they did integrate USDC. It's unfortunate DAI is not fully decentralized, but the best fully decentralized stable coin efforts (like RAI and LUSD) often suffer from a capital efficiency problem.

I think it's fine to have a spectrum of centralized assets and decentralized assets represented as tokens. Blockchains are public, permissionless, ledgers.

There is no possible way that USDT is backed one-to-one. It just isn't. If it were, it would have a simple audit trail that they would publish. They don't because it isn't. It's a scam that will at some point unravel, and everyone will lose their shirts because of "many good people" lol.

It's possibly backed greater than 1:1. Tether likely cleaned up their operations over the past few years, but the "Tether Truthers" are still anxious about fraud. Even more transparency is welcome of course.

> Cantor Fitzgerald CEO Howard Lutnick on CNBC:

> "I'm a big fan of this stablecoin called Tether...I hold their treasuries. So I keep their treasuries, and they have a lot of treasuries. They're over $90 billion now, so I'm a big fan of Tether."

https://twitter.com/leomschwartz/status/1734694800019063207 https://tether.to/en/transparency/#usdt

> Tether also reported all time high excess reserves of $2.44 billion.

https://www.theblock.co/post/230241/tether-attestation-repor...

They do post audits on the regular: https://tether.to/en/transparency/#reports

Hold on what? I missed all of this MakerDAO drama. The founder died and now assets are collateralized by USDT instead of ETH? Looks like at least

Some links I found for further reading:

https://cointelegraph.com/news/makerdao-co-founder-nikolai-m...

https://maker.defiexplore.com/stats

> but the founder mysteriously died

Hello CIA

Tether/USDC and other centralized stablecoins are really "their own thing", not "crypto" in the cypherpunk sense.

That was the point, yes. The whole problem is people reinvented the entire centralized banking system on top of crypto. Stuff like USDT should not even exist, people were supposed to adopt crypto wholesale and only convert to fiat currency to pay taxes until the government caved and allowed paying taxes in crypto.

Everyone using fiat backed centralised stablecoins these days like USDT and USDC. Not only do they have blacklists but they can also burn your balance + they are fully upgradeable aka they can add/remove any functionality they want any time :p

The blacklists need to exist as per regulations though.

> Wasn't like, >30% of the point of crypto to not allow people to do this sort of high-level/centralized freezing?

I mean, unlimited Tether can be created or destroyed at the whim of some guy with a big button somewhere. The promise of crypto being the embodiment of true distributed governance went out the window with USDT ages ago.

There are at least three types of vulnerabilities here:

1/ Handling the custody of secrets by the company. The attackers first attacked and accessed a former Ledger employee with official Ledger account secrets. This is where secrets were mismanaged since the actual company secrets should never be in the hands of former employees.

2/ The attack could occur on an actual employee so they should employ ways to be protected against this kind of attack.

3/ The use of CDNs should have security measures in place. This is one of the most common attacks nowadays.

So Ledger was able to coordinate with a number of entities to minimize the impact of the attack? Isn’t that directly contrary to crypto’s decentralized design?

If one is to make crypto really decentralized, relying on a small number of authorities for security seems contrary and maybe poisonous to that goal.