Investigating the Ledger Connect Kit Incident: Uppsala Security’s Analysis of Stolen Fund Transactions

Sentinel Protocol Team (Sentinel Protocol), Dec 21, 2023

At Uppsala Security, we have developed a robust suite of cybersecurity tools specifically designed for the Web3 environment. These tools are exclusively tailored for Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. Our team of seasoned security experts is committed to meticulously investigating prominent hacks, scams, and other malicious activities within the Web3 ecosystem. Our mission is to enhance the safety and integrity of this rapidly evolving space. By identifying and apprehending malicious actors, we facilitate a smoother adoption path for innovative decentralized technologies, contributing to a more secure and trustworthy digital future.

On December 14th 2023, the Ledger Connect Kit was exploited in an incident that shook the worldwide crypto community. The issue has since been resolved.

The breach began when a phishing attack deceived a former Ledger employee, leading to the unauthorized upload and distribution of compromised versions of the Ledger Connect Kit. This malicious software was specifically engineered to divert user funds to an attacker-controlled wallet, identified as 0x658729879fca881d9526480b82ae00efc54b5c2d.

The aftermath of this security breach saw the attacker’s wallet amass approximately $250,000 USD in various tokens. The bulk of these were stETH (34.8 units, valued at around $78,000 USD), USDC (60,340 units), and USDT (27,000 units). Additionally, the hacker acquired about 7 ETH and transferred numerous tokens to another wallet under their control, marked as 0x1b9f9964A073401a8BC24f64491516970bB84E47. Here, a significant portion of the tokens, including 34.8989 stETH and 60,000 USDC, were swiftly exchanged for ETH, totaling 34.5841 and 26.1515 ETH respectively. The hacker also gained possession of 50 diverse NFTs, all of which remain in the aforementioned wallet.

Further investigations revealed additional wallets potentially linked to the hacker: 0x412f10AAd96fD78da6736387e2C84931Ac20313f, which is suspected to be connected with the Ledger phishing attack, as well as 0xd41138112Ace58D87Db07e4B5ED61740A6cBA6EB and 0x634984866301511696AC3fdC41Fa4700e11609CE, associated with a ChangeNOW user account. Currently, the majority of the stolen funds are held in wallets 0x1b9f9964A073401a8BC24f64491516970bB84E47 and 0x658729879fca881d9526480b82ae00efc54b5c2d.

Uppsala Security’s Crypto Analysis Transaction Visualization (CATV) tool stands out as one of our most effective transaction tracking solutions available in the decentralized space. It has played a crucial role in several rigorous investigations, aiding victims in successfully recovering their lost funds. Earlier this year, the CATV tool also proved instrumental in an investigation conducted in collaboration with INTERPOL.

The CATV tool was also used by our investigative team for this specific incident, and the graph visualizes the transaction flow from the wallet address 0x658729879fca881d9526480b82ae00efc54b5c2d to the ChangeNOW Exchange.

Image captured from the Crypto Analysis Transaction Visualization (CATV) Dashboard.

Ledger Connect Kit Incident — Fund distribution

1. Wallet Address 1: 0x658729879fCa881D9526480B82aE00EFc54B5c2d (Annotation: Ledger Exploiter)

Estimated Funds held:

  • 340.2671 USDC
  • 27,011.00319 USDT
  • 522,338.2018 GALA
  • 311,922.3308 TOKEN
  • 31,553.66706 MUBI
  • 0.152605 aEthWBTC
  • 47,881.85104 0x0
  • 280,013.6813 BEAM
  • 1,715,952,879 PLEB
  • 21,679.44229 PAAL
  • 1.17132 ETHx
  • 1,818,442,420 PEPE
  • 43,496.21023 DINO
  • 4,753.199999 RARE
  • 255,641.9237 DOG
  • 2,539,115.608 RACA
  • 0.174921 swETH
  • 484.463348 BONE
  • 4,250,000,000 CAW
  • 784,268.8768 NPC
  • 11.642887 aLINK
  • 18.7 AXS
  • 1,386.407018 PEAR
  • 85.00114 RSC
  • 0.17 AAVE
  • 369,698,608 PEPE2
  • 8,500.130745 VEIL

2. Wallet Address 2: 0x1b9f9964A073401a8BC24f64491516970bB84E47 (Annotation: Ledger Exploiter 2 / Fake_Phishing268838)

  • 63.4746 ETH
  • 2.764925 WETH
  • 24.547777 ILV
  • 454.280584 RNDR
  • 22,095.6233 CHZ
  • 59,844,773.41 SHIB
  • 51.631267 ENS

3. Wallet Address 3: 0x077D360f11D220E4d5D831430c81C26c9be7C4A4 (Annotation: ChangeNOW, Exchange)

  • 0.008008 ETH

Our investigative team remains vigilant in monitoring the wallets implicated in the Ledger Connect Kit incident. This is made more efficient with our proprietary tool, which automatically sends alerts when assets are transferred. Known as the Crypto Asset Monitoring Service (CAMS), this state-of-the-art product enables real-time surveillance and provides advanced functionality for overseeing cases involving digital assets.
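The two operations described above, tracing the transaction flow from the exploiter wallet to the exchange deposit address and raising an alert whenever a flagged wallet moves assets, can be reduced to a graph search and a watchlist match over a transfer feed. The following is an added example written for this article; it is not Uppsala Security's CATV or CAMS code. The three wallet addresses and the stETH/USDC amounts come from the article; the transaction ids, the hop wallet, the bystander wallet and the remaining transfers are constructed placeholders. Note that the article spells the same wallet both in EIP-55 mixed case and in all lower case, so addresses are normalized before they are compared.

```python
"""Watchlist alerting and fund-flow tracing over a constructed transfer feed.

Added example, not Uppsala Security's CAMS or CATV code. It shows the two
defender operations the article describes: alerting when a flagged wallet
moves assets, and tracing the hop-by-hop path from the exploiter wallet to
an exchange deposit address.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def normalize(addr: str) -> str:
    """Validate the 20-byte hex form and lower-case it.

    Mixed-case (EIP-55) and lower-case spellings of one wallet would not
    compare equal as raw strings, so every address is normalized before it
    is used as a key.
    """
    if not ADDR_RE.match(addr):
        raise ValueError(f"not an Ethereum address: {addr!r}")
    return addr.lower()


# Wallets named in the article.
EXPLOITER_1 = normalize("0x658729879fCa881D9526480B82aE00EFc54B5c2d")
EXPLOITER_2 = normalize("0x1b9f9964A073401a8BC24f64491516970bB84E47")
CHANGENOW = normalize("0x077D360f11D220E4d5D831430c81C26c9be7C4A4")

WATCHLIST = {EXPLOITER_1: "Ledger Exploiter",
             EXPLOITER_2: "Ledger Exploiter 2 / Fake_Phishing268838"}
EXCHANGE_DEPOSITS = {CHANGENOW: "ChangeNOW"}

# Constructed placeholder wallets for this example; NOT addresses from the article.
HOP_WALLET = "0x" + "ab" * 20
BYSTANDER = "0x" + "cd" * 20


@dataclass(frozen=True)
class Transfer:
    tx_hash: str      # placeholder ids below; a real feed carries the on-chain hash
    sender: str
    receiver: str
    token: str
    amount: float


# Constructed feed. The first two rows mirror the movements the article reports
# (stETH and USDC from wallet 1 to wallet 2); the rest is invented to give the
# tracer a multi-hop route to the exchange plus one unrelated transfer.
SAMPLE_FEED = [
    Transfer("TX-PLACEHOLDER-1", "0x658729879fca881d9526480b82ae00efc54b5c2d",
             "0x1b9f9964A073401a8BC24f64491516970bB84E47", "stETH", 34.8989),
    Transfer("TX-PLACEHOLDER-2", "0x658729879fCa881D9526480B82aE00EFc54B5c2d",
             "0x1b9f9964A073401a8BC24f64491516970bB84E47", "USDC", 60000.0),
    Transfer("TX-PLACEHOLDER-3", "0x1b9f9964A073401a8BC24f64491516970bB84E47",
             HOP_WALLET, "ETH", 5.0),
    Transfer("TX-PLACEHOLDER-4", HOP_WALLET,
             "0x077D360f11D220E4d5D831430c81C26c9be7C4A4", "ETH", 0.008008),
    Transfer("TX-PLACEHOLDER-5", BYSTANDER, HOP_WALLET, "ETH", 1.0),
]


def alerts_for(feed, watchlist=WATCHLIST):
    """Return one alert per transfer leg that touches a watched wallet (CAMS-style)."""
    out = []
    for t in feed:
        src, dst = normalize(t.sender), normalize(t.receiver)
        if src in watchlist:
            out.append({"tx": t.tx_hash, "wallet": src, "label": watchlist[src],
                        "direction": "OUT", "token": t.token, "amount": t.amount})
        if dst in watchlist:
            out.append({"tx": t.tx_hash, "wallet": dst, "label": watchlist[dst],
                        "direction": "IN", "token": t.token, "amount": t.amount})
    return out


def build_graph(feed):
    """Directed sender -> receiver adjacency, keeping the transfers on each edge."""
    graph = defaultdict(lambda: defaultdict(list))
    for t in feed:
        graph[normalize(t.sender)][normalize(t.receiver)].append(t)
    return graph


def trace_to_exchanges(feed, source, exchanges=EXCHANGE_DEPOSITS, max_hops=6):
    """Breadth-first search from `source` along outgoing transfers (CATV-style).

    Returns {exchange_address: shortest path of addresses}. Following only
    outgoing edges answers "where did the money go"; max_hops bounds the
    search, which matters on a real chain where the graph is enormous.
    """
    graph = build_graph(feed)
    source = normalize(source)
    found, seen = {}, {source}
    queue = deque([[source]])
    while queue:
        path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in graph.get(path[-1], {}):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            if nxt in exchanges:
                found[nxt] = new_path
            queue.append(new_path)
    return found


if __name__ == "__main__":
    for a in alerts_for(SAMPLE_FEED):
        print(f"ALERT {a['direction']:3} {a['label']}: {a['amount']} {a['token']} ({a['tx']})")
    for exch, path in trace_to_exchanges(SAMPLE_FEED, EXPLOITER_1).items():
        print(f"{EXCHANGE_DEPOSITS[exch]} reached in {len(path) - 1} hops: " + " -> ".join(path))
```

On the constructed feed the tracer reports the ChangeNOW deposit address three hops from the Ledger Exploiter wallet, and the watchlist produces five alerts (both legs of each wallet-1 to wallet-2 transfer, plus the outgoing leg from wallet 2). A bystander transfer into the hop wallet raises nothing, which is the point of matching on the watchlist rather than on every address that appears in a traced path.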

We welcome anyone seeking assistance with investigations, including the Ledger Connect Kit incident, to contact us at any time. Please feel free to reach out to us at info@uppsalasecurity.com for support or inquiries.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.

Disclaimer: This article is meant for informational purposes only and does not constitute financial or legal advice. Always conduct your own research and consult professionals directly.

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud