Kraken Security Labs, the cybersecurity division of the popular cryptocurrency exchange Kraken, has unveiled two potential attacks against the Ledger Nano X hardware wallet, which have now been patched.

The attacks, according to Kraken’s cybersecurity arm, could see bad actors get access to victims’ computers, and use said access to install malware that would allow them to steal their cryptocurrency holdings.

The first attack, named Bad Ledger, would require the hacker to first tamper with the device before it was sold to the victim (something that can happen if the victim buys a Ledger from a seller on eBay, for example) to add a protocol that behaves like a keyboard and can send malicious keystrokes to the victim’s computer.

In a video Kraken shared, cybersecurity experts use an infected Ledger Nano X to open their website on a computer.

The second attack, dubbed Blind Ledger, could see hackers run malicious code on a non-secure processor to turn off the Ledger Wallet’s display, even if the device was running on its battery. They could then use social engineering to convince a victim to press several buttons to trigger a transaction that would move the funds to the hacker’s address.

As the display would be disabled, the victim could not see that the transaction was being sent to the hacker’s wallet. To stay safe, Kraken recommends users only buy Ledger devices from trusted stores, always verify transactions on the Ledger Nano wallet, and be wary if the device acts strangely.

Ledger, in response to Kraken’s findings, upgraded its firmware to protect its users against these attacks.
