Ledger: A Tool for Unsafe Storage and Transfer of Currencies (Or How to Lose Money With It)

Written by hackerclqhckc0c0000356yh2xd3ynv | Published 2024/01/05
Tech Story Tags: ledger | tether | justin-sun-tron | hacker | how-to-recover-stolen-usdt | aml | ledger-crypto-review | hackernoon-top-story

TL;DR: How I lost 100K USDT thanks to the uniquely secure Ledger Live app (the official mobile application).

Greetings to the readers. I suppose if you're reading this article, you're in some way connected to cryptocurrencies. Or have heard of Ledger. I hope this article will help you stay safe. After all, Ledger itself isn't concerned about the security of its users' crypto assets.

I will describe my situation, how I lost 100K USDT thanks to the uniquely secure Ledger Live app (the official mobile application).

“The smartest way to secure your crypto” - proclaims the slogan on their official website.

“Trusted by over 6 million customers” - and a significant number of users for the crypto sphere.

I can't judge how secure the wallet itself is. I use the Ledger Nano X. And if their website is to be believed, it's the most popular wallet in their arsenal.

So, let's get started. As it happened, the incident occurred just a few days after the hacking of their Ledger Kit. Not surprisingly, since security is far from their top priority.

But my story is about their Ledger Live - “The companion crypto app for your Ledger devices”.

The only question is, is it a companion for users or rather for hackers?

The thing is, I needed to transfer 140K USDT to one of my addresses. I decided to do it in two stages: first, I transferred 40K, and then I planned to transfer the remaining 100K. To my surprise, the 100K USDT transaction did not go through and was stuck in the app with the yellow status 'Sending' -100,000 USDT.

My first thought was, 'Maybe there's not enough TRX to pay the transaction fee,' since every transaction in Ledger Live is accompanied by the annoying message 'Energy is lower than necessary. You might pay up to 50 TRX in fees.' This so-called Energy is earned through staking TRX. Fee payments in the Tron network can be made by either using this energy or the TRX token. Why the user constantly needs to see information about energy when they plan to use TRX for gas payment is unclear. But that's beside the point.

Next, I topped up my TRX, went back in, and then I made my fatal mistake. Of course, if the creators really cared about security, they would have made a number of changes to the app, which I will write about later.

I clicked on the transaction that was stuck with the status 'Sending' and an amount of -100,000 USDT.

Who would have thought that such a transaction in my personal account was actually not mine? Naturally, I saw that the beginning and end of the address matched mine, but I didn't check the middle of the address.

'It's in my personal account, with the status Sending,' I thought. And at the same time, it occurred to me, 'Aren't there viruses that swap out data from the clipboard?'

I compared the copied address with the one I pasted - all good. Only, I didn't know that scam transactions to my wallet could be displayed in my personal account. Especially with the status 'Sending'.

And as you might guess, friends, I confirmed the transaction and gifted some hacker 100K USDT. Within seconds, they were already gone through a mixer.

My desired withdrawal address: TKnjLgWCY5200001tKDZSLREpD1mTdFaaX (I replaced the middle with zeros just in case)

Scam address: TKhgUSUVSkABHKdDiJkDLVhbKTxqTdFaaX

TX id: 5c5cbe5c30bc3a04df9b13cf5328e1e92b6c06af77d368c6718878972be4bdf5

Ledger, being so considerate, not only displays scam transactions but also helps to effortlessly copy addresses from the history. Just a couple of hours later, the transaction header 'Sending' and -100,000 USDT disappeared. The transaction became a dummy. A very interesting case.

Points

So, what's the point of this article? There are many fraudsters in the world, and in the crypto sphere, their number is countless. It's a paradise for hackers, scammers, thieves. I consider Ledger itself to be an irresponsible company. And now I understand why many, after using Ledger, refuse to use it. There are plenty of videos on the internet of people throwing it in the trash.

And as you can understand, such cases happen to people often enough. Could Ledger take steps to eliminate these security flaws? Of course. But for some reason, they don't. Perhaps it's not profitable for them?

Why don't they take the following steps:

1. Remove the ability to copy addresses from transaction history (the most basic method).

2. Add address filtering.

3. Highlight scam transactions (as many explorers and services do).

4. Add a list of approved addresses, where the user adds 'white addresses' as on exchanges and other platforms. When sending to an address outside this list, a confirmation window should appear with the address written in a large font, stating that 'The address is not on your list of approved addresses' and recommending that it be rechecked thoroughly.

5. For frequent interactions with the same address - add it to the list of frequently used addresses.
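The checks behind points 3 and 4 are small enough to show in code. The block below is an added example written for this page, not Ledger's code or anything from Ledger Live: it takes the two addresses quoted above (the author's intended address, redacted with zeros, and the poisoning address), flags a history entry that the wallet never signed itself but whose counterparty shares both ends with an allowlisted address, and builds the confirmation text proposed in point 4 so that the first differing character is named. The history-entry layout, the `signed_here` field and the prefix/suffix thresholds are assumptions made for the example; the Base58 alphabet check is a real property of Tron addresses (34 characters starting with T, and no 0, O, I or l), which is why the redacted address fails it.

```python
from __future__ import annotations
from dataclasses import dataclass

# Tron addresses are 34-character Base58 strings starting with "T". The Base58
# alphabet omits 0, O, I and l, so a "0" never appears in a real address.
BASE58_ALPHABET = frozenset("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")

# Addresses as quoted in the post. INTENDED_ADDRESS is the author's redacted
# version (middle replaced with zeros), so it is not a valid Tron address.
INTENDED_ADDRESS = "TKnjLgWCY5200001tKDZSLREpD1mTdFaaX"
POISONING_ADDRESS = "TKhgUSUVSkABHKdDiJkDLVhbKTxqTdFaaX"


def common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def common_suffix_len(a: str, b: str) -> int:
    return common_prefix_len(a[::-1], b[::-1])


def is_plausible_tron_address(addr: str) -> bool:
    """Syntactic check only (length, leading T, Base58 alphabet); no checksum."""
    return len(addr) == 34 and addr[0] == "T" and all(c in BASE58_ALPHABET for c in addr)


def is_lookalike(candidate: str, reference: str, min_prefix: int = 2, min_suffix: int = 4) -> bool:
    """A different address sharing both ends with `reference`: the shape a
    poisoning address is built to have, because people compare the ends only.
    Thresholds are assumed values for this example."""
    if candidate == reference:
        return False
    return (common_prefix_len(candidate, reference) >= min_prefix
            and common_suffix_len(candidate, reference) >= min_suffix)


def classify_destination(dest: str, approved: list[str]) -> tuple[str, str | None]:
    """'approved' (exact allowlist hit), 'lookalike' (resembles an allowlisted
    address, returned alongside), or 'unknown' (plain off-list address)."""
    if dest in approved:
        return "approved", dest
    for ref in approved:
        if is_lookalike(dest, ref):
            return "lookalike", ref
    return "unknown", None


@dataclass(frozen=True)
class HistoryEntry:          # assumed shape of a wallet history record
    counterparty: str
    amount: float
    asset: str
    signed_here: bool        # did this wallet sign and broadcast the transaction?


def flag_history(history: list[HistoryEntry], approved: list[str]) -> list[tuple[HistoryEntry, str]]:
    """Entries that must not be rendered as if they were the user's own sends."""
    flagged = []
    for entry in history:
        if entry.signed_here:
            continue  # the user's own transaction; nothing to warn about
        verdict, ref = classify_destination(entry.counterparty, approved)
        if verdict == "lookalike":
            flagged.append((entry, f"third-party tx from an address resembling allowlisted {ref}"))
        elif entry.amount == 0:
            flagged.append((entry, "third-party zero-amount transfer"))
    return flagged


def confirmation_text(dest: str, approved: list[str]) -> str:
    """Text for the send-confirmation dialog proposed in point 4."""
    verdict, ref = classify_destination(dest, approved)
    if verdict == "approved":
        return f"Sending to approved address:\n  {dest}"
    text = "WARNING: the address is not on your list of approved addresses.\n"
    if verdict == "lookalike":
        diff_at = common_prefix_len(dest, ref)
        text += (f"It differs from approved address {ref}\n"
                 f"starting at character {diff_at + 1}; recheck the whole address.\n")
    return text + f"  {dest}"


# Constructed sample history: the author's own 40K send, the poisoning
# transaction shown next to it, and a zero-amount transfer of the kind
# Ledger's article describes (the third address is made up).
SAMPLE_HISTORY = [
    HistoryEntry(INTENDED_ADDRESS, 40_000, "USDT", signed_here=True),
    HistoryEntry(POISONING_ADDRESS, 100_000, "USDT", signed_here=False),
    HistoryEntry("TAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", 0, "USDT", signed_here=False),
]
APPROVED = [INTENDED_ADDRESS]


def demo() -> list[str]:
    """Reasons for every flagged history entry, in history order."""
    return [reason for _, reason in flag_history(SAMPLE_HISTORY, APPROVED)]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
    print(confirmation_text(POISONING_ADDRESS, APPROVED))
```

The two quoted addresses share only the first two characters and the last six, which is exactly the region a glance at a truncated history row covers; the prompt therefore names the position of the first mismatch rather than relying on the user to spot it. The `signed_here` flag captures the simplest rule of all: a transaction the device never signed has no business being displayed as one of the user's pending sends.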

Instead, they have plenty of advertising in the app about various staking variations, their referral systems, and more.

Ledger Support calls this 'Address Poisoning'. It's a very popular thing.

Here is a link to their article, which was last updated in August 2023. Nearly 5 months have passed since then, and the company has not taken any steps towards eliminating vulnerabilities.

Here is another article of theirs, where their Software Architect describes the process of Address Poisoning. But it states that attackers use Transfer tokens with a zero amount from people's addresses. Supposedly, Ledger is constantly improving its system of countermeasures. But in my case, the transfer was not zero at all. It was exactly matching the amount of the transfer.

Of course, in their response letter, support attached a link to the user agreement. Naturally, it contains a disclaimer from the company's side, as well as shifting all responsibility to the user. So if in the Ledger Live app you get their window saying 'Here's your address for sending funds', where the company inserts its own address for sending funds, it is your responsibility and yours alone that you didn't double-check. No matter what is written in the app.

I consider my case to be absolutely analogous - a scam transaction in the app was marked:

  • with a Pending status,
  • matching transaction amount - 100,000 USDT.

The vast majority of users would consider this transaction as sent from their address and think that it is in the queue for execution (or failed to execute).

And finally. What widespread distribution of the product can we talk about? In their opinion, everyone who uses it knows or should know about Address Poisoning. I hope that after my article, you will stop using Ledger. And if you were just considering it, you will abandon this idea.

Take mobile banking as an example. If you choose someone from your contact list and transfer money to them - can there be a situation where the bank's app shows someone else's details with those credentials? I plan to sue the company and file a complaint with regulatory authorities. Such lawlessness should not exist. Either they should care about the security of their financial application - or they should pay fines and go away to play in the sandbox.

P.S.: Thank you for reading! Be careful and cautious when sending transactions. And make choices in favor of those services and companies that are interested in the security of their service and work for the benefit of clients.

For me, Ledger is an example of a company that is completely irresponsible and turns a blind eye to such problems. Constant hacking of their services and losses of clients (Ledger Kit). My goal is to spread this case to the widest possible audience so that everyone learns about the company's attitude towards its customers.


Published by HackerNoon on 2024/01/05