A Ledger security vulnerability caused abject chaos with dApps, so let's break down everything that happened.

Good morning, you're listening to the Rise'n'Crypto podcast by Cointelegraph with me, Robert Baggs, steering you through the crypto cosmos with daily dispatches from the digital frontier. If you want to be in the know in all the major stories in crypto, make sure you click that follow button. So grab yourself a coffee and let's get into it.

Today's episode is going to be Ledger-heavy after yesterday's craziness, but here is what's on the docket: major dApps such as SushiSwap and Phantom were compromised due to a Ledger security breach; over $300 million in stolen crypto was sent to Bitcoin mixers in 2023; and Nodle's Click app wants to end fake news using blockchain.

I know I usually cover five or six stories per episode, but this first story is major news and I wanted to unpack it carefully and fully. Right, here we go.

So yesterday there was a major security issue involving one of the most trusted and renowned hardware wallet manufacturers, Ledger. I will be referencing the work of Zhiyuan Sun, Prashant Jha and Derek Andersen, whose articles are linked in the show notes, as well as several crypto sleuths and cybersecurity experts. All of these resources
were created throughout the day yesterday as it was unfolding. Ledger has published a timeline of the events, so let's start there. It's pretty detailed and technical in places, so I'll link to the tweet, but here is my simplified synopsis.

Yesterday morning, Central European Time, a former Ledger employee was the victim of a phishing attack and the attacker gained access to their NPMJS account. This is basically a library of JavaScript code that Ledger uses. The attacker used this account to publish a malicious version of the Ledger Connect Kit. Ledger Connect is a library used by many dApps and maintained by Ledger. The sliver of malicious code added would reroute funds from signed transactions on these dApps to the wallets.

Ledger teams were alerted, and after the compromised version of Ledger Connect had been live for around 4 hours, they fixed it in around 40 minutes. So from hack to publishing to fix was less than 5 hours, but Ledger believes the period where the hacker could drain funds was only around 2 hours. Ledger coordinated with the communications protocol WalletConnect and the rogue project was disabled. The new safe version of the Ledger Connect Kit was live by late yesterday afternoon CET, and the safe versions start from version 1.1.8; 1.1.5, 1.1.6 and 1.1.7 were all
affected, so developers need to ensure to update to the latest version. The hacker's wallet address was made visible on Chainalysis and Tether has frozen the hacker's USDT. So that was the timeline from hack and detection through to a complete fix.

Just after that, I spoke to Zhiyuan Sun, who had been following the story as it happened:

"Yeah, so it's only been a few hours after the incident, um, but right now it's clear that the incident has already wrapped up and that, uh, losses are rather limited. Uh, the Ledger wallet itself was also unaffected, uh, only Ledger Connect. That said, however, uh, users who signed onto various dApps and smart contracts using Ledger Connect, uh, were negatively impacted, and with technology becoming more complex, it's getting harder and harder for users to understand what contracts they are actually signing these days."

So yes, the hack was pretty well contained and it could have been far worse, but there were consequences and people definitely have questions. The crypto sleuth and regular of the show ZachXBT originally estimated that the hacker managed to drain around $610,000, though a later investigation by Lookonchain put the number at closer to $484,000. Lookonchain showed that around 56% of the stolen funds was in Ethereum, about 4334 ETH. I'd say this is
unlikely to be the final number as the inquiry is ongoing. This is of course a ton of money, but why wasn't it more? I know that's only a question you could ask in crypto, right? Someone makes off with half a million in 2 hours and we're saying "phew". But the hack affected some of the biggest dApps, such as Zapper, SushiSwap, Phantom, Balancer and Revoke.cash, so it could have been utterly devastating.

As it was unfolding, Ledger warned: if there's a difference between the screen shown on your Ledger device and on your computer or phone screen, stop that transaction immediately. This is because, as Ledger says, the information on Ledger's screen is the only one that is definitely genuine. But why are we talking about transactions here? Well, the transaction side is important, and it was a gate that stopped the hacker from stealing an amount equivalent to the GDP of a small nation. That is, you had to sign a transaction to have been affected.

Ido Ben-Natan, co-founder and CEO of Blockaid, told Cointelegraph as this was happening: "Ledger users are not at risk if not transacting. It is not exploitable on prior approvals. Revoke.cash specifically is affected, so don't interact with it. The numbers of impacted funds is hundreds of thousands of dollars over the past two hours. Many websites are still affected and users are getting hit."

There were lots of questions being asked about this hack, and there still are, but there is a recurring one that I think deserves highlighting. Here's the best example of that question that I've seen on X. Crypto Longhorn wrote: "Company that secures billions of dollars yet doesn't stop former employees from having access, which is one of the most basic security procedures."

The Ledger CEO, Pascal Gauthier, addressed this, writing: "The standard practice at Ledger is that no single person can deploy code without review by multiple parties. We have strong access controls, internal reviews and code multi-signatures when it comes to most parts of our development. This is the case in 99% of our internal systems. Any employee who leaves the company has their access revoked from every Ledger system." Gauthier went on to add that this was an unfortunate isolated incident and that Ledger is working to improve their systems.

So there's no satisfactory answer yet on how an ex-employee getting hacked caused so many problems for Ledger, but I think we can allow the dust to settle before we expect one.

In one final related, only-in-crypto kind of observation, several of the comments on threads about this hack, including Ledger's own timeline tweets, are accounts pretending to be Ledger, called
at Leda and so on, and they're offering reimbursement if you were affected by the hack, but you have to click a link, which is clearly phishing. It's just insanity. Anyway, that is you caught up with the Ledger debacle so far. It seems everything is secure again, but should a major development occur, we'll keep you updated.

While we're discussing hacks, Ezra Reguerra covered a really interesting topic yesterday, and it's a little less heavy than the Ledger incident. This topic is mixers. Mixers, or to be more specific, decentralized cryptocurrency mixers in this case, are places where people can launder crypto. Essentially, you put your stolen crypto in, it gets privately jumbled up with all other funds, and then you draw down the amount you want. Basically, this allows you to send the stolen funds to a new wallet, and it obscures the transactions and makes tracing these funds from hacks tremendously difficult.

For a long time there was a go-to mixer and it was called Tornado Cash. However, it was sanctioned by the United States Treasury Department's Office of Foreign Assets Control, OFAC, in 2022. According to OFAC, over $7 billion in crypto assets has been laundered on Tornado Cash since 2019, while the blockchain security firm CertiK investigated where well over $300 million from the 50 largest exploits of
2023 went. It seems that OFAC has scared hackers away from Tornado Cash, although $108 million in stolen funds did end up in that mixer. The rest either went to Bitcoin mixers, stayed in the exploiter wallet or was moved in other ways.

Joe Green, CertiK Quick Response Team head, told Cointelegraph: "The Bitcoin ecosystem hosts a variety of privacy mixers that serve both privacy-conscious users and those with nefarious intentions. While this scenario presents a challenge, it's important to recognize it as an intrinsic aspect of decentralized systems."

Ezra looked into CertiK's research on Bitcoin mixers and why they might be preferred to Tornado Cash. He said: "With mixers like Tornado Cash, the mixer obfuscates the link between the sender and the receiver. However, the user can only withdraw the same amount they inserted into a new wallet, minus a fee. On the other hand, Bitcoin mixers allow users to deposit Bitcoin and distribute it across multiple wallets in different percentages, which further complicates tracking."

This is such an interesting and complex problem for crypto and we see it in various areas: that is, how much decentralization and anonymity is truly viable?

Recently I had a call with a friend of mine who, although they wouldn't admit it, is one of the most important builders in modern crypto and
Web3. This person and I were discussing uses for blockchain and we fell onto a topic that is important to me: journalism and content creation. I mentioned that over time, and by carefully engineering prompts, I have already figured out how to make AI articles that are almost indistinguishable from a real person's work. So within a year I expect two things to happen: firstly, everyone and their mother will be able to do what I'm doing, and easily; and secondly, you simply won't be able to tell what was created by AI. This led into the concern over fake news and websites pumping out AI-written, SEO-optimized articles for all sorts of purposes, even furnished with fake photographs also created by AI. If tech-minded people can't always tell, what hope do non-techy people have for differentiating between fake and real? And this is where we discussed how blockchain could play a role.

Why am I telling you this? Well, Gareth Jenkinson covered a story yesterday on exactly this topic. The decentralized infrastructure network provider Nodle has released an app called Click, which is a blockchain-based media authentication tool. It isn't yet tackling writing, but it is a solution for photography and videography. AI image generation is absurdly realistic already and I have seen convincing fake photographs for the
war in Gaza. Needless to say, this can be dangerous. With Click, a person can capture a photo or video in the app, swipe to sign the content and authenticate it on the blockchain, and then share the verified file wherever they wish. This is potentially a crucial and invaluable use case for blockchain technology that would extend past photos and videos, but that is an excellent starting point.

The Nodle CEO, Micha Anthenor Benoliel, said Click primarily serves photographers, citizen journalists, reporters, law enforcement, sports fans, paparazzi and content creators. And Click is a member of the Content Authenticity Initiative, CAI, which is a project led by Adobe and the Linux Foundation to create a future standard for media attestation. As we hopefully move into the next bull run, I think there'll be an increased focus on utility, so Click is an app worth knowing about.

That was a heavy but that is it for today, so consider yourself informed. Thank you for listening to the Rise'n'Crypto podcast by Cointelegraph. If you're enjoying these daily updates, please make sure you let us know by following, subscribing or leaving a review. Have a great weekend. Let's do this again Monday.