Hacker Dumps Crypto Wallet Customer Data; Active Attacks Follow

Customer data from a June attack against cryptocurrency wallet firm Ledger is now public and actively being used in attacks.

On Monday a hacker dumped sensitive data stolen earlier this year from the Ledger cryptocurrency wallet’s website. The data was put up for grabs on sites frequented by criminals. And in a twist that surprised no one, the data is now actively being exploited in phishing campaigns.

Researchers at security firm Cyble discovered files from the Ledger leak published Monday on a hacker forum, according to a report in BleepingComputer.

An archive includes two files named “All Emails (Subscription).txt” and “Ledger Orders (Buyers) only.txt” that contain sensitive data from the breach. The first includes email addresses of 1,075,382 people who subscribed to the Ledger newsletter, according to the report.
2020 Reader Survey: Share Your Feedback to Help Us ImproveThe “Ledger Orders (Buyers) only.txt” reveals more sensitive data, as it contains the names and mailing addresses for 272,853 people who purchased a Ledger device, researchers told BleepingComputer.

What is on the Line

Ledger offers a hardware-based cryptocurrency wallets–secured by a 24-word recovery phrase and an optional secret passphrase that only the owner knows–where clients can store, manage, and sell cryptocurrency. Cryptocurrency wallets are designed to store the public and private keys used to receive or spend a specific cryptocurrency, and considered a safer alternative than storing this information on a computer.

A Ledger spokesperson told Threatpost in an email Monday that “the dumped content may be Ledger’s e-commerce database that was exposed during the data breach in June 2020,” although the company is still investigating.

“This database may be used by scammers for phishing attacks through emailing and text message campaigns,” the spokesperson said.

Ledger has been working to notify affected users via Twitter and responding to customer questions, while also reporting all tweets and Reddit posts that contain a link to the database, the spokesperson told Threatpost. In the meantime, the company is urging users to never share their 24-word phrase, and keep in mind that no one from the Ledger team would request that private information.

June Breach Blamed

Ledger officials became aware of a breach that occurred in June on July 14 when a researcher participating in its bug bounty program informed them of a potential issue with the company’s website, according to a blog post the company made on July 29.

While the initial attack was quickly mitigated, the cryptocurrency wallet was attacked again on June 25 “by an unauthorized third party who accessed our e-commerce and marketing database,” the company said.

The files access consisted mainly of email addresses but also contact and order details for clients to whom Ledger sends order confirmations and promotional emails. At the time, Ledger assured clients that their “payment information and crypto funds are safe.”

The company worked an external security organization to conduct a forensic review of the attack and confirmed that it impacted only 9,500 individuals, all of whom were personally contacted by Ledger Support, the spokesperson told Threatpost.

Origins of the Attack

The original hack traces back to an API key that gave an unauthorized third party access to part of Ledger’s e-commerce and marketing database. The company disabled the key soon after learning of the situation, officials said.

Still, there is evidence that threat actors have used the emails stolen from Ledger to target clients with phishing attacks, according to research from ProofPoint. Attackers use messages claiming to be from the company informing them that their Ledger assets may have been compromised or are at risk in some way.

If a victim takes the bait, the attackers backdoor the Ledger Live application, which allows them to steal users’ recovery phrases which in turn can be used by an actor “to generate a copy of the user’s private keys, allowing them to steal any digital currencies associated with those private keys,” according to ProofPoint.

Juicy Target

Indeed, cryptocurrency wallets have been a target for threat actors due to the potential for financial gain. And while they are indeed considered a secure place for users to store their cryptocurrency assets, researchers in 2018 proved that wallets such as Ledger and Trezor are vulnerable to a number of different types of cyber attacks.

Threat actors seem to have since taken that info and run with it. Before the July attack on Ledger, researchers discovered widespread campaigns spreading malicious browser extensions abusing Google Ads and well-known cryptocurrency brands including Ledger to lure victims and eventually steal their cryptocurrency wallet credentials. Other wallets targeted in the campaign included Electrum, Exodus, Jaxx, KeepKey, MetaMask, MyEtherWallet and Trezor.

Download our exclusive FREE Threatpost Insider eBook Healthcare Security Woes Balloon in a Covid-Era World , sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles

Discussion

  • James Hardin on

    That is the reason I cannot rely on bitcoin business.
  • Daniel on

    "the attackers backdoor the Ledger Live application, which allows them to steal users’ recovery phrases" I think this is inaccurate. The point of the ledger device is that the private keys (or seeds/passphrases) can't leave the device. The user must confirm every transaction on the device. (Unless if the attackers are able to overwrite the wallet app on the device and show false information about the transaction.)
  • Bitcoiner on

    @Daniel, phishing attacks direct users to a look-alike site that uses cyrillic letters that are difficult to distinguish from real domain. they they get users to download a 'secure' update of the app which then looks exactly like the ledger live app but prompts the users for the recovery seed, which of course is sent to the hackers. And this is only one confirmed phishing attack from this breach. This attack is a very sophisticated phishing attack that would likely fool many even paranoid ledger customers.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.