Although there are no reported cases of the attack being successfully deployed, the threat itself is very real. Today, Ledger urged users of its cryptocurrency wallets to take steps to avoid falling prey to the address spoofing attack.

Hardware wallets are regarded as one of the safest means of storing bitcoin and other cryptocurrencies. The USB cold storage devices eliminate the sort of attack vectors synonymous with being connected to the web. But to send funds or issue a receiving address, a hardware wallet has to be plugged in to an internet-enabled device, and researchers have discovered a vulnerability that affects Ledger devices at this stage. A newly published report reveals the way the MiTM attack would play out. It explains:

Ledger wallets generate the displayed receive address using JavaScript code running on the host machine…malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.