
Ledger to reimburse victims of the Connect Kit exploit
- Hardware wallet provider Ledger says it will reimburse victims of the $600k exploit involving its Connect Kit.
- The reimbursement is expected to be done by February next year, the company announced.
- Ledger will also end Blind Sign by June 2024.
Crypto hardware wallet maker Ledger plans to reimburse all users who lost funds in the recent Ledger Connect Kit exploit, according to an update the company published today.
Ledger’s pledge, shared with the public via its official X account, noted that this refund program will be extended to all victims of the exploit – including those who are not Ledger customers.
A total of $600,000 was stolen during the December 14, 2023 attack on EVM dApps using the Ledger connect library.
Reimbursement to be done by February 2024
A security incident report Ledger published on December 20 says the Connect Kit exploit had injected malicious code into dApps. Users were tricked into signing transactions, allowing the attacker to drain their wallets. Although Ledger quickly detected the incident, a number of users had already fallen victim.
“Ledger will make sure victims affected will be made whole, and are committing to work with the DApp ecosystem to allow Clear Signing, and no longer allow Blind Signing with Ledger devices by June 2024,” the company noted via its official X account.
The commitment follows an earlier pledge by Ledger CEO & Chairman Pascal Gauthier that the hardware wallet maker will ensure all victims are made whole. Today’s announcement reaffirmed this:
“We commit, by any way possible, including gestures of goodwill, to make sure this is done by the end of February, 2024. We are already in contact with many impacted users and are actively working through the specifics with them.”
While users have been asked to revoke transactions authorised to affected dApps as part of “best security practices,” the company is looking to collaborate with developers and other industry players to support Clear Signing.
As opposed to Blind Signing, Clear Signing allows users to verify every transaction on their device. Ledger says it will end Blind Sign on its devices by June 2024.
The company has also assured users that its hardware devices and Ledger Live “were not made vulnerable by this exploit.”



