It’s been weeks since the crypto world has suffered a significant scandal—meaning we were probably overdue. And sure enough, Thursday brought yet another “you’ve-gotta-be-kidding” moment when hackers compromised software used to connect Ledger hardware devices to a variety of decentralized applications. This would be roughly equivalent to using a Web2 service like Facebook or Google to log in to a website, and then finding out the log-in code was compromised and that hackers could steal your account data.
The debacle was short-lived, as Ledger issued an update to its software around five hours later, though cybersecurity folks are warning people to be cautious about interacting with apps for now. The hackers reportedly drained over $500,000 from various wallets, though, in a sign the crypto industry as a whole is behaving more responsibly, the stablecoin issuer Tether froze a portion of the stolen funds.
The upshot is that the financial fallout has been relatively minor, but the reputational damage—for Ledger and for crypto—is significant. That’s because many have long touted Ledger-style hardware devices as the apex of security, and the embodiment of crypto’s be-your-own-bank ethos. Now, this would-be fortress of security looks like just another company that is sloppy about protecting customer data.
The hackers reportedly pulled this off by sending a phishing email to a former Ledger employee, and then breaking into one of that ex-employee’s software development accounts in order to distribute the malicious code. This is mind-boggling, since Cyber Hygiene 101 calls for ensuring that the compromise of a single employee’s account—let alone an ex-employee’s account—does not provide access to critical code bases.
If you’re looking for an explanation for the debacle, it may lie in Ledger’s ambitions to be more than a provider of secure hardware wallets, and instead create a broader suite of services. This ambition is not surprising as most companies sooner or later seek to expand from the original niche where they made their name. But given that Ledger and the crypto world generally like to boast that Web3 technology is more decentralized and secure, this is a very bad look.
If there are any positives here, it’s that the crypto community has been quick to call out Ledger’s bad behavior and emphasize it can’t happen again. For now, though, let’s see if the industry can make it past the holidays without another scandal.
Jeff John Roberts
jeff.roberts@fortune.com
@jeffjohnroberts
DECENTRALIZED NEWS
The Justice Department says it has disrupted an $80 million pig-butchering ring after arresting individuals in California who helped launder the proceeds, some of which came from crypto. (CNBC)
The SEC rejected a petition by Coinbase for a separate regulatory framework for the industry, saying its call for rulemaking was "unwarranted." (Fortune)
Following its big breakout last week, Bitcoin appears to have settled into a new trading band between $42,000 and $43,000. (CoinDesk)
The DeFi project SafeMoon filed for bankruptcy a month after its executives were accused of fraud, after reportedly raiding funds that customers believed were locked in a blockchain. (The Block)
A new dog-themed memecoin on Solana called BONK soared 40% in value after Coinbase listed it on its platform. (CoinDesk)
MEME O’ THE MOMENT
This is the web version of Fortune Crypto, a daily newsletter on the coins, companies, and people shaping the world of crypto.