Hundreds of thousands of dollars in crypto stolen after Ledger code poisoned

Cryptocurrency wallet maker Ledger says someone slipped malicious code into one of its JavaScript libraries to steal more than half a million dollars from victims. The library in question is Connect Kit, which allows DApps – decentralized software applications – to connect to and use people's Ledger hardware wallets. Pascal …

  1. David 132 Silver badge

    Dog bites man, water is wet, cryptocurrency operation is "hacked"

    Crypto "investors" got hacked and lost money?

    Oh no!

    Anyway. Here's James with news about the Dacia Sandero.

    1. David 132 Silver badge

      Re: Dog bites man, water is wet, cryptocurrency operation is "hacked"

      Ha, found the butthurt crypto investor.

      1. chuckufarley Silver badge

        Re: Dog bites man, water is wet, cryptocurrency operation is "hacked"

        Wait, I think you found more than one.

      2. Jaybus

        Re: Dog bites man, water is wet, cryptocurrency operation is "hacked"

        I don't know if I would call it butthurt. A bit uncomfortable maybe....at first.....but they'll come back for more.

    2. Benegesserict Cumbersomberbatch Silver badge

      Re: Dog bites man, water is wet, cryptocurrency operation is "hacked"

      Authorities, he claims, have been notified.

      These would be the authorities which, according to the dogma, don't exist in DeFi-land.

  2. Snowy Silver badge
    Joke

    Something's very phishie

    Pascal Gauthier, CEO of Ledger, in a public post said a former employee had been duped by a phishing attack, which allowed an unauthorized party to upload a malicious file to the company's NPM registry account.

    Is a brown envelope full of money considered to be a phishing attack now?

    1. Snowy Silver badge
      Facepalm

      Re: Something's very phishie

      Someone not seeing the joke?

      1. Throatwarbler Mangrove Silver badge
        Angel

        Re: Something's very phishie

        Butthurt crypto bro.

        1. Pascal Monett Silver badge

          Very butthurt, apparently.

          Probably lost some funny money there. Maybe even real money.

  3. MachDiamond Silver badge

    I'm sorry, what was that?

    How exactly (in excruciating detail) is crypto better than cash? I am, of course, talking about transactions not involving any sort of contra-ban or bribery. I have money in a bank account insured by a government agency. I have precious metals and some gems. I have some art and I have banknotes. I don't have a penchant for drugs, firearms or have enough money for a down payment on an honest politician (one that stays bought). I suppose that the fees could be less painful when trying to take money across borders in large amounts, but I've done that before in creative ways aside from a suitcase full of cash.

    Many people seem to be rushing into crypto under the impression that it will be an easy way to make a pile of easy money. Easy is the operative word. The truth is that the bottom levels of the pyramid where money can be made have already been filled up and those above that point are taking a huge risk somebody can be found willing to give them more per coin before the music stops and it's discovered that there are far fewer chairs than one was led to believe.

    It's at the point where there aren't many common expenses that aren't already exposed to government prying. Rents, mortgages, utilities, insurance, loan payments are all either kept track of through registration, licensing and taxes or easily subpoenaed. What's left are actually the important things that can be paid with cash that will say more about you than that you own a car and live in a home.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm sorry, what was that?

      You lost me at "contra-ban"... It's "contraband".

      1. chuckufarley Silver badge

        Re: I'm sorry, what was that?

        I thought it was Iran-Contra. Or did that government sponsored scam not get rebranded a few times since Good Ole Ollie was on TV every day?

    2. Anonymous Coward
      Boffin

      Re: I'm sorry, what was that?

      "How exactly (in excruciating detail) is crypto better than cash? .. Many people seem to be rushing into crypto under the impression that it will be an easy way to make a pile of easy money."

      Crypto is a ponzi scam where the value of the bitcoins goes up as long as there are new mugs to “invest” in it.

      1. Anonymous Coward
        Anonymous Coward

        Re: I'm sorry, what was that?

        That's a pyramid scheme. A Ponzi scheme is where profits are fraudulently reported to the investor. Not to say a Ponzi scheme is impossible but it would be more like an exchange issuing their own tokens with a given value and return, then welching when an investor tries to exchange them back.

      2. Azamino

        Re: I'm sorry, what was that?

        Number Go Up, heh heh ...

    3. Anonymous Coward
      Anonymous Coward

      Re: I'm sorry, what was that?

      Theoretically (to answer your question), if cryptocurrencies were widely used and you were fleeing a despotic government you could walk across the border with your keys memorised or steganographically hidden (e.g. a pattern of threads sewn into your clothing). There's no way of objectively proving you are in possession of the keys to a given wallet (especially if the balance is transferred to one that you have never provably paid out of) so no amount of frisking is going to reveal anything that's provable.

      1. Phil O'Sophical Silver badge

        Re: I'm sorry, what was that?

        Since when did despotic governments require anything as inconvenient as proof?

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm sorry, what was that?

          I don't propose it as an absolute protection from harm against despotic governments, it would just cut into the bottom line of what they could profitably seize. Also, if they tried to beat keys out of everyone fleeing, their arms would get tired.

        2. Ian Johnston Silver badge

          Re: I'm sorry, what was that?

          Five dollar wrench?

      2. Anonymous Coward
        Anonymous Coward

        Re: I'm sorry, what was that?

        And your millions of dollars (ho ho ho) of crypto money will still be worth nothing when you reach your destination, because it has no intrinsic value unless you can sell it to a bigger fool...

        Unless you can get that crypto government backed, that is. Digital pound or dollar anyone? (I hope not....)

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm sorry, what was that?

          As I said, "widely used". It would be unlikely that exchanges could take place by the time any despotic government has decided to seize the assets of anyone fleeing their tyranny if the standard there were fiat.

          A CBDC wouldn't really work in that scenario because the same government could just press a button and, with great speed and reach, implement some horrifyingly effective restrictions that coerce people into not even opposing them. Ironically, I think this is precisely why so many governments are rushing to embrace them.

          I'm personally more annoyed by the speculators than the average basic crypto hater because the principle would get a bit of power back in the hands of the people. I'd say they're actually a lot more akin to gold and diamonds in the sense that, while there are practical applications, the price is pumped up by their use as an investment (which they shouldn't be used as).

          1. Anonymous Coward
            Anonymous Coward

            Re: I'm sorry, what was that?

            A despotic government deciding to push that button would at the same time likely destroy its own economy, scaring investors away real quick.

            Also, I'm not sure they need more control than what current crapcoins give them. Anonymous yes, but with public ledgers, once a government knows who owns a wallet, they already know every transaction it does.

            And of course, the biggest Bitcoin owner is an unknown entity, then there is the US government. That gives them a lot of control on its value.

        2. MachDiamond Silver badge

          Re: I'm sorry, what was that?

          "Digital pound or dollar anyone? (I hope not....)"

          I'd not want to participate in those either. It's those cash purchases that I mentioned above where a Three Letter Agency can really get to know you. If all of your day to day purchases are computerized, it just makes it easier to build a detailed file about you since computers can spot the patterns and spit out matches rather than trained humans poring over endless minutia.

          1. Catkin Silver badge
            Trollface

            Re: I'm sorry, what was that?

            Sounds like you have something to hide

            1. JulieM Silver badge

              Re: I'm sorry, what was that?

              She said, over HTTPS .....

            2. MachDiamond Silver badge

              Re: I'm sorry, what was that?

              "Sounds like you have something to hide"

              Anybody that doesn't have anything to hide may find out they do.

        3. Snake Silver badge

          Re: I'm sorry, what was that?

          "And your millions of dollars (ho ho ho) of crypto money will still be worth nothing when you reach your destination, because it has no intrinsic value unless you can sell it to a bigger fool..."

          And, *finally*, there's the truth for the incredibly paranoid yet naive doomsday preppers. They tell people to "invest in gold!" for the end days - as if, if society does indeed completely collapse one day, a person with some (now limited) stores of some important life-sustaining materials will find your gold somehow...more worthwhile. They'll almost certainly trade with you for gold in the early days of the New Order...but when things get tough, nobody wants a stupid piece of shiny metal that you can't eat, drink, or use to power some very important life-improving device.

          But, like crypto itself, when there is no government - when foxes rule the henhouse - the world somehow just works great, right?

          1. Anonymous Coward
            Anonymous Coward

            Re: I'm sorry, what was that?

            Reminds me of part of Das Kapital:

            "the coat seems to be endowed with its equivalent form, its property of being directly exchangeable, just as much by Nature as it is endowed with the property of being heavy, or the capacity to keep us warm. Hence the enigmatical character of the equivalent form which escapes the notice of the bourgeois political economist, until this form, completely developed, confronts him in the shape of money. He then seeks to explain away the mystical character of gold and silver, by substituting for them less dazzling commodities"

          2. JulieM Silver badge
            Coat

            Re: I'm sorry, what was that?

            I always wondered how useful gold might actually be in an "end of the world" scenario. It sounds like the sort of thing thieves would leave behind if there was food, water, fuel, batteries or similar for the taking.

            Now, if I wanted something that would have genuine value as a medium of exchange in an actual zombie apocalypse or similar situation, I think I would just fill a few 210 litre drums with as many Benson and Hedges as I could get, flush them out with nitrogen and bury them in a few different places.

            Mine's the heavy one with big internal pockets .....

      3. MachDiamond Silver badge

        Re: I'm sorry, what was that?

        "if cryptocurrencies were widely used and you were fleeing a despotic government you could walk across the border with your keys memorised or steganographically hidden"

        That is way off to one side of the graph. Not impossible, but it might be improbable that somebody with enough money to diddle with crypto would have enough of anything to hide when crossing a border. That would also be crossing a border at a formal crossing.

        Sewing a pattern in your clothes would be really extreme. A microSD card is very easy to hide and a simple RFID is even easier.

        1. TeeCee Gold badge

          Re: I'm sorry, what was that?

          More to the point, you're not fleeing anything if you've been able to go to the trouble of squirreling away your worldly assets in a portable format first.

          Real refugees have the clothes on their backs, if they're lucky.

          1. Anonymous Coward
            Anonymous Coward

            Re: I'm sorry, what was that?

            "real refugees"? I'm not sure if you're merely unfamiliar with history or if you're handwaving away the plight of the fleeing oppressed as 'fake' refugees.

      4. Anonymous Coward
        Anonymous Coward

        Re: I'm sorry, what was that?

        "Theoretically (to answer your question), if cryptocurrencies were widely used and you were fleeing a despotic government you could walk across the border with your keys memorised or steganographically hidden (e.g. a pattern of threads sewn into your clothing). There's no way of objectively proving you are in possession of the keys to a given wallet (especially if the balance is transferred to one that you have never provably paid out of) so no amount of frisking is going to reveal anything that's provable."

        Amazing, a perfect example of why and how crypto is such an excellent vehicle for criminals and terrorists.

        1. Anonymous Coward
          Anonymous Coward

          Re: I'm sorry, what was that?

          Should we please think of the children too? In any case, for criminals and terrorists, cash is still king, according to law enforcement. Not that I'm suggesting banning cash on that basis; or that the oppressed pour their money into crypto, the above was an answer to a question of why it might be useful, not what should be done at the current time.

          1. MachDiamond Silver badge

            Re: I'm sorry, what was that?

            "In any case, for criminals and terrorists, cash is still king,"

            It's a problem too. If you watch some of the border patrol TV shows, large sums of cash are sought and they even have dogs trained to sniff out banknotes. This makes crypto something like Western Union without the oversight as a convenient way to move large sums of money from country to country. It's a good argument for governments to keep cash around as moving it, even in large denomination notes, is cumbersome in large amounts. One million US is 10kgs and fits in a large carry-on. Gold is 22-23kgs but much more compact. The downside with Gold is it's hard to transact in large quantities without going off-grid and accepting a heavy discount from spot. Wheat, on the other hand, might be a good way to transfer money if it's transported from one country to another. You lose the shipping cost, but then again, you could also make money while at the same time moving value from place to place.

    4. JulieM Silver badge

      Re: I'm sorry, what was that?

      It isn't.

      The idea is that in order to make an investment, instead of delivering the money to the bank as you would in the traditional scenario, you basically set fire to it on camera; thus proving that (1) you used to have it once and (2) you don't have it anymore. And then the bank match the amount with some brand new notes.

      Only ..... these new banknotes might not be welcome everywhere you go shopping.

      But, hey, that's not really a problem, is it? If you really want to exchange your cryptocurrency notes for old-fashioned pounds, Euros, dollars or whatever else is accepted everywhere locally without question, all you have to do is find somebody else who wants to buy in; stop them before they strike the match; and exchange their old notes for some of your new ones. The job's a good 'un!

      Unless, of course, the (finite and diminishing) supply of new investors becomes exhausted before cryptocurrencies become widely-enough accepted .....

  4. Anonymous Coward
    Anonymous Coward

    Wow

    Are people still falling for this crypto Ponzi?

  5. chuckufarley Silver badge

    Who is the greater fool?

    The one who trades in crypto or the one that tries to build a crypto wallet with javascript?

    1. zuckzuckgo

      Re: Who is the greater fool?

      I would think the one who uses the crypto wallet with javascript.

    2. Alumoi Silver badge

      Re: Who is the greater fool?

      Yes.

  6. Pascal Monett Silver badge
    Trollface

    "someone slipped malicious code into one of its JavaScript libraries"

    Thank $Deity that there are still courageous warriors to stick it to The Man. Of course, mishaps will happen, but it is worth it to avoid the Eye of Sauron government.

    Instead, you're exposed to the eye of every hacker in the world and, since you don't have the required experience, you get hacked.

    Unlike actual banks.

    But hey, you keep fighting the fight. Whatever.

  7. Persona Silver badge

    Next steps

    Crypto hacks are routine enough to not be newsworthy. The interesting bit here is that the Tether account associated with the attacker's blockchain address has been frozen. This makes it harder for the attacker to turn the stolen crypto into spendable money. I'm wondering if Ledger will block all transactions to the address meaning that the attacker will get nothing. It's also possible that Tether transactions will reveal a real world bank account that can be linked to the perp and be used by the police to bring a prosecution.

    Good stuff but it will also nullify all that guff we hear about crypto transactions being anonymous and free from state or indeed any central control.

    1. MachDiamond Silver badge

      Re: Next steps

      "Good stuff but it will also nullify all that guff we hear about crypto transactions being anonymous and free from state or indeed any central control."

      The sorts of transactions you would want to hide that would make crypto the medium of choice will be automatically flagged as suspicious. If you make a large transaction using crypto for something like a car or land, the tax authority is going to want a chat about where the money came from and that they've carved out and been paid what they think would be due on that money. If you can't provide a good paper trail on that money, there will be a reckoning. That's the problem with big transactions, they're usually for something that is registered or licensed if they're legit. You could buy tonnes of wheat for delivery somewhere, but what would be the reason for using crypto?

      A number of people that were duped by SBF (strange family name since his parents never married) have been screaming for more regulation. I have yet to see the media interview somebody that is just shrugging and saying it was the chance they took and nothing should change.

      1. veti Silver badge

        Re: Next steps

        Lots of people do shrug and say nothing should change. (I don't know if they do on this subject, specifically, but it happens on most topics, so it's likely.)

        But the media don't publish those interviews. They're just not very interesting to watch, or to talk or speculate about. No, the published interviews - again, across every media topic - are all on the spectrum of "something must be done" to "the sky is falling".

  8. froggreatest

    npm supply chain security

    I thought npm had integrated with Google’s SLSA, but nothing came out of it? No added security? Also, the version pinning issue seems ridiculous, npm supports it and there is a way to lock specific versions for each dependency, the slippery details of this misfortune need to be cleared.

    Smells of cowboy stuff, I hope the lawsuits will trigger others to be “a bit” more careful.
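    A worked illustration of the pinning point above, added here as an example and not code from the article, from Ledger, or from any commenter: it audits a constructed package.json for specifiers that npm would resolve to whatever the newest published release is, and rewrites them to the exact versions a package-lock.json recorded, which is what `npm ci` installs. The manifest, lockfile and package names are all constructed placeholders.

```javascript
// Added example (not from the article, Ledger or any commenter). It classifies
// npm dependency specifiers, lists the ones that float to "newest published" on
// a fresh `npm install`, and rewrites them to the exact versions recorded in a
// package-lock.json so manifest and lockfile agree (which `npm ci` insists on).
// Manifest and lockfile below are constructed; package names are placeholders.

const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// Exact semver: 1.2.3, optionally with prerelease/build metadata and a leading "=" or "v".
const EXACT = /^[=v]?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// "exact"    -> installs one immutable version
// "url"      -> git/http/file source; only as stable as the ref it names
// "tag"      -> a dist-tag such as "latest" or "next": resolves to whatever the
//               publisher currently points it at, so a bad release is picked up at once
// "floating" -> a range (^, ~, >=, *, x, "") that accepts newer releases
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (/^(?:git\+|github:|https?:|ssh:|file:)/.test(s)) return "url";
  if (EXACT.test(s)) return "exact";
  if (/^[A-Za-z][\w.-]*$/.test(s)) return "tag";
  return "floating";
}

// Returns one finding per direct dependency whose specifier is not an exact version.
function auditManifest(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const kind = classifySpecifier(spec);
      if (kind !== "exact") findings.push({ section, name, spec, kind });
    }
  }
  return findings;
}

// Rewrites every direct dependency to the version the lockfile actually resolved.
// lockfileVersion 2/3 stores direct deps under packages["node_modules/<name>"].
function pinManifest(manifest, lockfile) {
  const pinned = JSON.parse(JSON.stringify(manifest));
  for (const section of SECTIONS) {
    for (const name of Object.keys(pinned[section] || {})) {
      const entry = (lockfile.packages || {})[`node_modules/${name}`];
      if (!entry || !entry.version) throw new Error(`lockfile has no resolved version for ${name}`);
      pinned[section][name] = entry.version;
    }
  }
  return pinned;
}

// Constructed sample input: a DApp manifest with one exact pin and four floating specs.
const manifest = {
  name: "example-dapp",
  dependencies: {
    "@example/connect-kit": "^1.1.0", // caret range: 1.1.5, 1.2.0, ... are all accepted
    "chain-utils": "1.3.0",           // exact pin
    "wallet-ui": "latest",            // dist-tag
    "rpc-client": "~2.0.1",           // tilde range
  },
  devDependencies: { bundler: ">=5" },
};
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@example/connect-kit": { version: "1.1.4" },
    "node_modules/chain-utils": { version: "1.3.0" },
    "node_modules/wallet-ui": { version: "0.9.2" },
    "node_modules/rpc-client": { version: "2.0.3" },
    "node_modules/bundler": { version: "5.2.0" },
  },
};

for (const f of auditManifest(manifest)) {
  console.log(`${f.section}/${f.name}: "${f.spec}" is ${f.kind}, not pinned`);
}
console.log(JSON.stringify(pinManifest(manifest, lockfile).dependencies, null, 2));
```

Pinning the manifest only covers direct dependencies; the lockfile plus `npm ci` (which installs exactly what the lock records and refuses to run when it disagrees with package.json) is what holds transitive versions still, whereas `npm install` may rewrite the lockfile.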

    1. Blank Reg

      Re: npm supply chain security

      They certainly need to do something about security. Just go and build a very basic node app and you'll have 1000s of dependencies before you even get started. And you have to trust them all since you have no way of testing them all for malicious code.

    2. Anonymous Coward
      Anonymous Coward

      Re: npm supply chain security

      If the phishing attack enabled a full version release, and maybe even labeled as an important security update, and the company was diligent in checking releases, ...

  9. Anonymous Coward
    Anonymous Coward

    Language based package managers are synonymous with low quality software.

    Carelessly dragging in deps from NPM/crates.io is one of the worst aspects of Javascript/Rust developers. Admittedly I also avoid solutions pulling in crap from CPAN/PIP too.

    Just do a proper job. Limit the dependencies to a reasonable amount of meaningful ones and manage versions responsibly rather than just hammering the "NEWER!" button like a little fat child.

  10. BartyFartsLast Silver badge

    Only $610,000?

    I mean, bro, have you even really been hacked if it's less than $100mil?

    The old adage about a fool and his money comes to mind every time I hear about someone getting scammed, hacked, rug pulled etc. etc.

    And I still don't get what they're crying about or why they think they can go to 'the authorities' because code is law which means losing the money they didn't want under gubbermint control to a bit of code that's a wallet drainer is just part of the Ponzi scam they signed up for and agreed to surely?

    1. MachDiamond Silver badge

      Re: Only $610,000?

      "The old adage about a fool and his money comes to mind every time I hear about someone getting scammed, hacked, rug pulled etc. etc."

      I think many people are looking for easy money and haven't yet learned that 'easy' and 'low-risk' are on opposite sides of the graph. Any investment worth getting into is not going to be simple. It will take some knowledge and skill to make a proper evaluation of the risks and rewards.

      Plain old currency speculation at least has the benefit of historical records that are based on something real. If you use Euros to buy US Dollars thinking the Dollar will go up, even if you jump wrong, the Dollar will still have value. It's not going to evaporate leaving behind a news story about somebody missing and believed to currently be in a country with no extradition treaties with any other country.

  11. Blackjack Silver badge

    What gets stolen more, actual money or crypto?

    1. MrGreen

      Money by a long way

      The share of all cryptocurrency activity associated with illicit activity in 2022 was 0.24% of all transactions ($20 billion).

      Approximately $4 trillion in fiat is laundered through traditional financial institutions each year. 4% of global GDP.

      If you want to add dirty money from corruption and bribery then that’s an additional $3.6 billion in fiat.

      1. druck Silver badge

        Re: Money by a long way

        Is that right Mr Cryptoschill?

        Perhaps you would like to give us the proportion of ransomware and other internet extortion rackets that demand payment in crypto currency.

        1. Blackjack Silver badge

          Re: Money by a long way

          https://web3isgoinggreat.com/

  12. A Non e-mouse Silver badge
    FAIL

    I remember the original aims of crypto currency was that they were decentralised and were not controlled by (evil) governments.

    Yet, here we are and someone's account has been frozen and authorities have been informed.

    I see the original aims are progressing well.

  13. TeeCee Gold badge
    Facepalm

    Revoke.cash, a service for revoking certain crypto transactions...

    Shame they obviously can't revoke the ones they really need to like, to pull an example out of thin air, if someone nabs 850 big ones off them.
