
How the Ledger hacker used ‘drainer-as-a-service’ to swipe $600k from DeFi users

Ledger has updated the compromised Ledger Connect Kit software to a genuine version, but recommends users wait 24 hours before using it again. Credit: Ruslan Ivantsov/Shutterstock
  • Ledger is the latest crypto company to fall victim to a phishing attack.
  • A hacker planted malicious software within the Ledger Connect Kit.
  • Comments left by the hacker in the malicious code shed light on how they conducted the attack.

The Ledger Connect Kit, software created by crypto wallet provider Ledger and used by hundreds of DeFi protocols on their websites, was replaced with a malicious version on Thursday, draining over $600,000 in a two-hour period.

Ledger confirmed the attack was the result of a hacker compromising one of its former employees via a phishing attack. After gaining access to Ledger’s internal systems, the hacker planted malicious software within the Ledger Connect Kit.

“We are filing a complaint and working with law enforcement on the investigation to find the attacker,” Ledger’s post said.

The firm has since updated the compromised Ledger Connect Kit to a genuine version, but recommends users wait 24 hours before using it again.

According to pseudonymous onchain sleuth ZachXBT, the malicious software drained over $610,000 in the two-hour period before it was stopped.

The attack didn’t just affect those using Ledger’s hardware wallets. Anyone who approved an onchain transaction on the site of a protocol that had loaded the compromised Connect Kit ran the risk of having their assets stolen, whatever wallet they were using.

DL News reached out to Ledger for comment but did not receive an immediate response.

“We’re definitely seeing more phishing attacks targeted at companies and retail users since the previous summer,” Igor Igamberdiev, head of research at trading firm Wintermute, told DL News.


The Ledger Connect Kit incident is the latest example of that trend.

In August, North Korea’s Lazarus Group used phishing and social engineering techniques to steal $37 million from crypto payments provider CoinsPaid.

Then in September, a crypto casino fell victim to a similar attack, which the FBI later confirmed the Lazarus Group was responsible for.

“This has become so serious that there is an entire niche of drainers-as-a-service like Inferno, Angel, and Monkey,” Igamberdiev said.

According to Igamberdiev, drainers — software programmed to transfer unsuspecting users’ crypto out of their wallets once they have interacted with it — have become big business in hacker circles.

Hackers can easily buy such software instead of having to code it themselves, lowering the bar to entry for would-be hackers.
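What that “interaction” looks like from the wallet’s side, as an added example that is not from the article, from Ledger, or from any wallet or drainer project: a small calldata inspector that flags the signatures a drainer typically needs. It assumes one common drainer pattern, in which the victim is led to sign a token approval (`approve` or `setApprovalForAll`) naming an attacker-controlled spender, after which the drainer moves the tokens itself; the article does not describe Angel Drainer’s internals, so that pattern is an assumption here. The two addresses, the allowlist and the sample transactions are constructed for the example.

```javascript
// Added example, not from the article or any wallet or drainer project.
// Assumption: the drainer works by obtaining a token approval to an
// attacker-controlled spender; the article does not describe Angel Drainer's
// internals. Addresses and samples below are constructed.

// 4-byte function selectors (first 4 bytes of keccak256 of the signature).
const SELECTORS = {
  '095ea7b3': 'approve(address,uint256)',        // ERC-20 allowance
  'a22cb465': 'setApprovalForAll(address,bool)', // ERC-721 / ERC-1155 operator
  'a9059cbb': 'transfer(address,uint256)',       // ERC-20 direct transfer
};
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" allowance drainers ask for

// Minimal ABI encoding: selector followed by 32-byte words.
function padWord(hexNoPrefix) { return hexNoPrefix.padStart(64, '0'); }
function encodeCall(selector, words) { return '0x' + selector + words.map(padWord).join(''); }
function encodeApprove(spender, amount) {
  return encodeCall('095ea7b3', [spender.replace(/^0x/, ''), amount.toString(16)]);
}
function encodeSetApprovalForAll(operator, approved) {
  return encodeCall('a22cb465', [operator.replace(/^0x/, ''), approved ? '1' : '0']);
}

function word(hex, i) { return hex.slice(8 + 64 * i, 8 + 64 * (i + 1)); }
function addressOf(w) { return '0x' + w.slice(24); } // address is the low 20 bytes of the word

// Classify calldata a wallet is about to sign. `knownSpenders` is a lowercase
// allowlist of contracts the user has chosen to trust (e.g. a DEX router).
function inspectCalldata(calldata, knownSpenders) {
  const hex = calldata.replace(/^0x/, '').toLowerCase();
  const fn = SELECTORS[hex.slice(0, 8)];
  if (!fn) return { fn: null, risk: 'unknown' };
  const counterparty = addressOf(word(hex, 0));
  const trusted = knownSpenders.has(counterparty);
  if (fn.startsWith('approve(')) {
    const amount = BigInt('0x' + word(hex, 1));
    const unlimited = amount === MAX_UINT256;
    return { fn, counterparty, amount, unlimited,
             risk: trusted ? 'low' : unlimited ? 'high' : 'medium' };
  }
  if (fn.startsWith('setApprovalForAll(')) {
    const approved = BigInt('0x' + word(hex, 1)) !== 0n;
    return { fn, counterparty, approved, risk: approved && !trusted ? 'high' : 'low' };
  }
  // transfer: funds leave immediately; flag a recipient the user has not listed.
  return { fn, counterparty, amount: BigInt('0x' + word(hex, 1)),
           risk: trusted ? 'low' : 'medium' };
}

// Constructed samples: a legitimate router approval beside two drainer-style ones.
const ROUTER = '0x1111111111111111111111111111111111111111';
const DRAINER = '0x2222222222222222222222222222222222222222';
const TRUSTED = new Set([ROUTER]);
const samples = [
  encodeApprove(ROUTER, 1000n * 10n ** 18n),   // low
  encodeApprove(DRAINER, MAX_UINT256),         // high: unlimited, unknown spender
  encodeSetApprovalForAll(DRAINER, true),      // high: whole collection, unknown operator
];
for (const c of samples) console.log(inspectCalldata(c, TRUSTED));
```

The point of the example is the asymmetry the article describes: the victim signs one transaction that moves nothing, and the transfer that empties the wallet is sent later by the drainer. A wallet or browser extension that decodes the approval before the signature prompt is the only place that first step can still be refused.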

Data compiled by Web3 anti-scam platform Scam Sniffer shows that hackers using Inferno Drainer, one of the most popular drainers, have stolen over $82 million from more than 100,000 victims.

A Telegram post from Inferno Drainer’s creator said the project shut down on November 26, but would leave its servers running.

“We hope you can remember us as the best drainer that has ever existed,” the post read.

Igamberdiev said the Ledger Connect Kit hacker used another drainer, called Angel Drainer, to conduct the attack. But there’s good reason to believe the hacker was also familiar with Inferno Drainer.

“Thank you Inferno! <3,” read one comment the hacker left in the malicious Ledger Connect Kit code.

Update, December 14: This article was updated to specify that it was a former Ledger employee who was compromised via a phishing attack.


Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at