It's been weeks since the crypto world has suffered a significant scandal—meaning we were probably overdue. And sure enough, Thursday brought yet another "you've-gotta-be-kidding" moment when hackers compromised software used to connect Ledger hardware devices to a variety of decentralized applications. This would be roughly equivalent to using a Web2 service like Facebook or Google to log in to a website, and then finding out the log-in code was compromised and that hackers could steal your account data.
The debacle was short-lived as Ledger issued an update to its software around five hours later, though cybersecurity folks are warning people to be cautious about interacting with apps for now. The hacker reportedly drained over $500,000 from various wallets, though, in a sign the crypto industry as a whole is behaving more responsibly, the stablecoin issuer Tether froze a portion of the stolen funds.
The upshot is that the financial fallout has been relatively minor, but the reputational damage—for Ledger and for crypto—is significant. That's because many have long touted Ledger-style hardware devices as the apex of security, and the embodiment of crypto's be-your-own-bank ethos. Now, this would-be fortress of security looks like just another company that is sloppy about protecting customer data.
The hackers reportedly pulled this off by sending a phishing email to a former Ledger employee, and then breaking into one of their software development accounts in order to distribute the malicious code. This is mind-boggling since Cyber Hygiene 101 calls for ensuring that the compromise of a single employee's account—let alone an ex-employee's account—does not provide access to critical code bases.
If you're looking for an explanation for the debacle, it may lie in Ledger's ambitions to be more than a provider of secure hardware wallets, and instead create a broader suite of services. This ambition is not surprising as most companies sooner or later seek to expand from the original niche where they made their name. But given that Ledger and the crypto world generally like to boast that Web3 technology is more decentralized and secure, this is a very bad look.
If there are any positives here, it's that the crypto community has been quick to call out Ledger's bad behavior and emphasize it can't happen again. For now, though, let's see if the industry can make it past the holidays without another scandal.
Jeff John Roberts
jeff.roberts@fortune.com
@jeffjohnroberts
