ReadHistory

Ledger Connect Kit hack

A December 2023 software supply-chain attack: a phished former Ledger employee's npm key let attackers publish malicious versions of Ledger's widely used 'Connect Kit' library, injecting the Angel Drainer into many dApps. About $500K–$600K was drained in a few hours before a fix shipped.

Also known as: Ledger Connect Kit, Ledger Connect Kit hack, @ledgerhq/connect-kit

Summary

On December 14, 2023, attackers compromised the npm publishing credentials of a former Ledger employee (via phishing) and published malicious versions (1.1.5–1.1.7) of Ledger's "Connect Kit," a JavaScript library used by hundreds of decentralized apps to connect wallets. Because many sites loaded the library from a CDN at runtime, the malicious code propagated automatically. ^[1]^[2]

Impact

The injected code carried the Angel Drainer payload, prompting users of affected dApps to sign transactions that drained their wallets; proceeds were split ~85% to the attacker and ~15% to Angel Drainer. Active draining lasted roughly two hours (about five hours total exposure), with losses estimated around $500,000–$600,000 before Ledger shipped a clean version (1.1.8) and coordinated with Tether to freeze some funds. The incident underscored supply-chain risk in widely shared web3 dependencies. ^[1]^[2]

Bracketed numbers refer to the numbered sources listed below.

People & entities involved

Angel DrainerDrainer used in the attackOrganizations & groupsA wallet-drainer-as-a-service operation (≈85/15 affiliate/developer split) specialized in EVM chains. Most notably, Angel Drainer malware was used in the December 2023 Ledger Connect Kit supply-chain attack, which drained roughly $500K–$600K from DeFi users in a few hours.

Sources (2)

Security Incident Report (Ledger Connect Kit / Angel Drainer) — Ledger
How the Ledger hacker used 'drainer-as-a-service' to swipe $600k — DL News