Key Highlights
- The affected Ledger user insists that the recovery phrase was never exposed and that the wallet was used only on a dedicated new MacBook and left untouched for weeks, yet it was still drained.
- 30,000 USDC was transferred to the Bitget exchange, while the native SOL (~2,000) remained safe until it was manually moved out.
- The user is adamant that he neither interacted with any dApp nor signed any transaction recently, yet the drain occurred, sparking debate over Ledger/Solana security risks.
A crypto trader has gone public with an alarming claim that roughly 30,000 USDC vanished from his hardware-secured wallet on the Solana blockchain without any action on his part.
The user, who goes by the username Canissolan, shared a detailed post on X laying out the extreme precautions he took to protect his assets. He insists that the recovery phrase for his Ledger device was never shared, photographed, digitized, or entered anywhere, yet the funds were still drained.
He emphasized that his hardware wallet connects only to a dedicated MacBook bought specifically for Ledger use, with no history of browsing, downloads, or connection to other crypto apps or sites. The device never touched any other computer, and he had not opened the Ledger wallet for several weeks before spotting the drain.
“I did not initiate, confirm, or sign any transaction authorizing this withdrawal,” he wrote, adding he’s “100% certain” no one gained physical access to the device or laptop. He discovered the transfer while checking blockchain records on Solscan, with the USDC moving out to Bitget, a leading crypto exchange. Notably, he held around 2,000 SOL in the same wallet, which remained untouched until he manually sent it to a centralized exchange afterward.
The trader tagged Ledger support and blockchain investigator ZachXBT, demanding answers about how the transaction could occur under such locked-down conditions. He shared screenshots of his setup and transaction details to back his story.
Divided community opinions
Responses from the crypto community split quickly. Some users expressed sympathy and outrage, calling on Ledger to explain or even threatening to ditch their devices. Others pointed to a common Solana vulnerability where, if a user ever approves a malicious transaction, an attacker can change the authority on specific token accounts such as the one holding USDC. Once that happens, the attacker can drain those tokens later without needing another signature from the owner.
The case highlights ongoing questions about hardware wallet security on fast-moving chains like Solana, where user-approved actions can create lasting risks, even for those who follow strict protocols. At press time, Ledger had not yet publicly commented on this specific incident.
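A holder can check for the lingering authority change described above by decoding the raw bytes of each token account and comparing its authorities with the wallet key. The sketch below is an added example, not code from Ledger, Solana, or the affected user; it assumes the classic 165-byte SPL Token account layout, goes one step further by also flagging delegate approvals, and all function names and sample bytes are constructed for illustration.

```python
import struct

# Classic SPL Token account: 165 packed little-endian bytes.
# mint | owner | amount | delegate (COption) | state | is_native (COption)
# | delegated_amount | close_authority (COption)
LAYOUT = struct.Struct("<32s32sQI32sBIQQI32s")

def parse_token_account(data: bytes) -> dict:
    if len(data) != LAYOUT.size:
        raise ValueError(f"expected {LAYOUT.size} bytes, got {len(data)}")
    (mint, owner, amount, d_tag, delegate, state,
     n_tag, _rent, delegated, c_tag, closer) = LAYOUT.unpack(data)
    if any(tag not in (0, 1) for tag in (d_tag, n_tag, c_tag)):
        raise ValueError("invalid COption tag")
    return {
        "mint": mint, "owner": owner, "amount": amount,
        "delegate": delegate if d_tag else None,
        "state": state,
        "delegated_amount": delegated,
        "close_authority": closer if c_tag else None,
    }

def audit_token_account(data: bytes, wallet: bytes) -> list[str]:
    """Return findings for one token account the wallet is supposed to own."""
    acct = parse_token_account(data)
    findings = []
    if acct["owner"] != wallet:
        findings.append("owner authority is not the wallet")
    if acct["delegate"] is not None and acct["delegated_amount"] > 0:
        findings.append(f"delegate may move {acct['delegated_amount']} base units")
    if acct["close_authority"] not in (None, wallet):
        findings.append("close authority is not the wallet")
    return findings

def build_sample(owner, delegate=None, delegated=0, amount=30_000_000_000):
    """Constructed test data, not real chain state (USDC uses 6 decimals)."""
    return LAYOUT.pack(b"\x01" * 32, owner, amount,
                       1 if delegate else 0, delegate or bytes(32), 1,
                       0, 0, delegated, 0, bytes(32))

WALLET, OTHER = b"\xaa" * 32, b"\xbb" * 32  # constructed 32-byte keys
CLEAN = build_sample(WALLET)
REASSIGNED = build_sample(OTHER)
DELEGATED = build_sample(WALLET, delegate=OTHER, delegated=30_000_000_000)
```

In practice the input bytes would come from the account data returned by the Solana `getAccountInfo` RPC method, decoded from base64.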
Update: Ledger’s response at 11:31 UTC
Ledger replied to the post on X, expressing sympathy while confirming that its team had reviewed the on-chain data. The company stated clearly that the transaction was cryptographically signed using the wallet’s private keys, which means it was physically approved on the Ledger hardware device itself via button presses. It ruled out remote hacks, recovery phrase leaks, or any hardware/firmware vulnerability in the Ledger device. Instead, Ledger attributed the incident to a common “blind signing” attack, in which users are tricked, often via phishing sites posing as airdrops, NFT mints, or wallet verifications, into approving a seemingly harmless transaction that actually includes malicious instructions (like creating a new token account and transferring funds).
Ledger stressed, “This does not mean the recovery phrase was compromised, and it does not point to a vulnerability in the Ledger hardware. It does mean that at some point, a transaction was physically approved on the device. We’d strongly encourage you to continue working directly with our support team so we can walk through the full timeline together and help with next steps.”
The post ended with a reminder to the community to always verify details carefully on the device’s secure screen using Clear Signing and to reject anything unexpected or untrusted.
