Hackers Exploit Ledger Moderator Account to Spread Phishing Links

Airdrop Is Live CaryptosHeadlines Media Has Launched Its Native Token CHT. Airdrop Is Live For Everyone, Claim Instant 5000 CHT Tokens Worth Of $50 USDT. Join the Airdrop at the official website, CryptosHeadlinesToken.com This latest attack follows previous phishing campaigns, including fake Ledger-branded letters that were sent to customers in April. Ethereum’s latest Pectra upgrade also introduced a dangerous vulnerability via EIP-7702, enabling off-chain signatures that could allow hackers to take control of wallets without user confirmation. This raised some major concerns among security researchers who even called the threat critical. On the BNB Chain, Mobius Token (MBU) suffered a $2.15 million exploit when a malicious smart contract drained millions of tokens and converted them into stablecoins. Ledger Users Targeted AgainHardware wallet provider Ledger confirmed that its Discord server has been secured after an attacker compromised a moderator’s account on May 11. The attacker used it to post malicious links that were aimed at tricking users into revealing their wallet seed phrases. According to Ledger team member Quintin Boatwright, the breach was quickly contained. The compromised moderator account was removed, the malicious bot deleted, the scam website reported, and all permissions were reviewed and locked down to prevent further abuse. However, some community members alleged that the attacker misused moderator privileges to ban and mute users who were trying to report the breach, which may have delayed Ledger’s initial response.The scam involved a message claiming a newly discovered vulnerability in Ledger’s systems and urged users to verify their seed phrases through a fraudulent link. Users were then prompted to connect their wallets and follow fake on-screen instructions, which posed a serious risk of fund loss. While it is still unclear if any users fell victim to the scam, screenshots of the deceptive messages were widely circulated on X.This latest phishing attempt follows a troubling trend. In April, scammers sent physical letters to Ledger hardware wallet owners, urging them to enter their recovery phrases via QR codes under the guise of a security check. These letters had official branding and references to make them appear legitimate. Some recipients speculated that the mailings were linked to a July 2020 data breach, where the personal information of more than 270,000 Ledger customers—including names, phone numbers, and addresses—was leaked online. The year after the breach, several users reported receiving fake Ledger devices rigged with malware. Overall, it seems like Ledger customers are being specifically targeted by sophisticated scammers.Pectra Update Introduces Dangerous FlawIt’s not only Ledger users who should be cautious. Ethereum’s recent Pectra network upgrade, which went live on May 7, introduced powerful new features intended to boost scalability and enhance smart account functionality. However, it also exposed a serious new attack vector that could allow hackers to drain user wallets using nothing more than an off-chain signature. At the heart of the issue is EIP-7702, which is a key part of the upgrade that enables users to delegate control of their externally owned accounts (EOAs) to a smart contract by signing a message — without needing to submit an on-chain transaction.This change allows attackers to exploit unsuspecting users through phishing attempts or fake apps. If a malicious actor obtains a valid signature, they can use the SetCode transaction (type 0x04) to install code in the victim’s wallet that redirects calls to a contract under the attacker’s control. From there, they can transfer ETH or tokens out of the wallet without the user ever authorizing a typical transaction. Security researchers like Arda Usman and Yehor Rudytsia confirmed that this risk is immediate and critical. Smart contracts that depend on legacy assumptions, like tx.origin checks, are now vulnerable.What makes this attack particularly dangerous is how easily it can be deployed through ordinary off-chain interactions — Discord messages, phishing websites, or fake DApps. Wallet interfaces that do not properly display or interpret the new transaction type are especially at risk, and signatures can even be reused on any Ethereum-compatible chain due to the potential for chain_id = 0 signatures. Rudytsia explained that from now on, even hardware wallets are vulnerable to signing malicious delegation messages.Users are urged not to sign messages they don’t understand, especially those involving account nonces or unrecognized formats. Wallet developers must adapt quickly by integrating signature parsing and clear warnings for delegation attempts, as the messages enabled by EIP-7702 often bypass existing standards like EIP-191 and EIP-712.While multisig wallets offer more protection due to the need for multiple approvals, single-key wallets still have to evolve to detect these new threats. Alongside EIP-7702, the Pectra upgrade also included EIP-7251, increasing the validator staking cap to 2,048 ETH, and EIP-7691, which improves layer-2 scalability by increasing the number of data blobs per block. Unfortunately, the unintended consequences of the delegation mechanism are already proving to be a top security concern.Mobius Token Hit by ExploitMeanwhile, more than $2.15 million in digital assets was stolen from the Mobius Token (MBU) smart contracts on the BNB Chain after a targeted exploit on May 11, according to blockchain security firm Cyvers Alerts. The attack was executed with precision, beginning just minutes after the deployment of a malicious smart contract. Cyvers flagged this as suspicious before the exploit took place.The attacker initiated the exploit using wallet address 0xb32a53... at approximately 07:33 UTC, just two minutes after deploying the malicious contract. The exploit targeted a victim wallet identified as 0xb5252f... and successfully drained 28.5 million MBU tokens. The stolen tokens were then quickly converted into USDT stablecoins, which resulted in a total loss of $2,152,219.99. Cyvers confirmed that the attacker used the contract address 0x631adf... to carry out a series of malicious transactions.The security firm labeled the exploit as “critical,” due to the suspicious contract logic and abnormal transaction behavior that was used by the hacker. For now, the attacker’s wallet remains active, and the stolen funds have been deposited to Tornado Cash.This exploit is part of a broader trend of escalating crypto thefts in 2025. According to a report from blockchain security firm PeckShield, April alone saw close to $360 million in crypto assets stolen across 18 major hacking incidents. This was a staggering 990% increase in losses compared to March, when just $33 million was lost to hacks. One of the most serious events that contributed to April’s total was an unauthorized transfer of $330 million in Bitcoin, later confirmed to be the result of a social engineering attack targeting an elderly US resident.Overall, the Mobius Token exploit serves as another stark reminder of the urgent need for improved contract auditing and real-time threat detection systems across DeFi platforms.Source link