Security archive

Hardware wallet security incidents

A comprehensive, chronologically tracked history of security breaches, physical attacks, phishing campaigns, and supply-chain exploits across all major hardware wallet brands. Updated June 2026.

Brands tracked: 10
Documented incidents: 11
Remote seed extractions: 0
Funds lost (Connect Kit): ~$600K

All incidents, latest first

Low · Phishing

Phishing campaigns impersonating SafePal Support

Brand: SafePal
Date: Ongoing

Fake SafePal Telegram, X and email accounts routinely solicit seed phrases under the guise of support tickets.

Impact
Affects users who share their seed. Not a device flaw.
Status / Countermeasure
User-education problem industry-wide.

Medium · Firmware Vulnerability

CONNECT smart-contract approval bug

Brand: Ledger
Date: March 27, 2024

A vulnerability in Ledger's CONNECT smart contract allowed unauthorized token approvals to be set on behalf of users in narrow conditions.

Impact
Roughly $484K of user funds at risk; Ledger and white-hat groups recovered the bulk of it.
Status / Countermeasure
Patched. Post-mortem published.

Medium · Data Breach

Third-party support portal breach (~66K users)

Brand: Trezor
Date: January 17, 2024

An attacker accessed a third-party customer-support tool used by Trezor and contacted ~66,000 users who had opened support tickets, posing as Trezor staff in phishing attempts.

Impact
No funds reported lost. Email addresses and ticket contents exposed.
Status / Countermeasure
Disclosed by Trezor within 24 hours. Vendor access revoked.

Critical · Supply Chain

Connect Kit supply-chain attack (~$600K drained)

Brand: Ledger
Date: December 14, 2023

A former Ledger employee was phished, giving the attacker push access to Ledger's NPM account. A malicious version of @ledgerhq/connect-kit was published and pulled in by hundreds of dApps (Sushi, Zapper, Revoke.cash, Kyber, etc.), injecting a wallet drainer into their front-ends.

Impact
Roughly $600,000 stolen from users who connected any wallet (not just Ledger) to affected dApps during the ~5-hour window. Hardware devices themselves were untouched.
Status / Countermeasure
Malicious package removed within hours. Ledger pledged to reimburse affected non-Ledger users and tightened internal NPM/2FA practices.

High · Physical Attack

Unciphered extracts seed from Trezor T via voltage glitching

Brand: Trezor
Date: May 24, 2023

Security firm Unciphered published a video showing physical extraction of the seed from a passphrase-less Trezor T by glitching the STM32 chip. Requires physical possession, lab equipment and a few hours.

Impact
No remote risk. Anyone storing significant funds on a Trezor One/T without a strong passphrase is vulnerable if the device is lost or stolen.
Status / Countermeasure
Mitigation: BIP-39 passphrase. Cannot be patched on existing devices — chip is not a Secure Element. Trezor Safe 3 / Safe 5 add a Secure Element to address this.

Disputed · Policy / Trust

Ledger Recover key-shard backup controversy

Brand: Ledger
Date: May 16, 2023

Ledger announced an optional subscription that would let the Secure Element split and encrypt the seed into three shards held by Coincover, Ledger and EscrowTech for ID-based recovery.

Impact
No funds lost, but the disclosure that signed firmware can extract seed-derived material if the user opts in undermined the long-standing 'the seed never leaves the device' marketing and triggered a major trust crisis in the community.
Status / Countermeasure
Feature shipped as opt-in. Open-sourcing of more device code committed in response.

High · Physical Attack

Unciphered — physical seed extraction from OneKey Mini

Brand: OneKey
Date: February 10, 2023

Unciphered demonstrated that the OneKey Mini's microcontroller could be glitched to dump the encrypted seed; the PIN could then be brute-forced offline.

Impact
Requires physical access. No remote exploit.
Status / Countermeasure
OneKey shipped a firmware patch that hardened anti-glitching countermeasures and later moved newer models to a Secure Element (OneKey Classic 1S, Pro).

High · Phishing

Mailchimp breach → mass phishing campaign

Brand: Trezor
Date: April 3, 2022

Attackers compromised Trezor's Mailchimp newsletter list and sent emails directing users to a fake 'Trezor Suite' download that asked for the seed phrase.

Impact
Unknown number of seed phrases harvested; multiple wallets drained.
Status / Countermeasure
Mailchimp account locked. Trezor migrated email infrastructure.

High · Data Breach

E-commerce database breach (~1M emails leaked)

Brand: Ledger
Date: June 25, 2020

An attacker exploited an API key on Ledger's marketing site and exfiltrated roughly 1 million email addresses, plus ~272,000 detailed records including names, postal addresses and phone numbers of customers who had ordered hardware wallets.

Impact
The dataset was dumped publicly on RaidForums in December 2020. Customers were targeted with waves of phishing emails, SMS smishing and even physical threats sent to their home addresses. Hardware wallets and seed phrases were never compromised, but real-world safety of holders was.
Status / Countermeasure
Acknowledged. Class-action settled in 2024. Database remains in circulation.

High · Physical Attack

Kraken Security Labs — STM32 voltage-glitching disclosure

Brand: Trezor
Date: January 31, 2020

Kraken Security Labs detailed a $75 attack against the Trezor One and Model T using voltage glitching to bypass read protection and recover the encrypted seed.

Impact
Same as above — physical possession required, mitigated by a strong passphrase.
Status / Countermeasure
Acknowledged. Same mitigation path.

High · Physical Attack

Kraken Security Labs voltage-glitch attack

Brand: KeepKey (ShapeShift)
Date: December 10, 2019

Kraken Security Labs showed that a stolen KeepKey could be glitched to extract the encrypted seed in about 15 minutes for under $75 in equipment.

Impact
Physical theft scenario only. Passphrase mitigates.
Status / Countermeasure
No silicon-level fix possible on existing units. ShapeShift recommends using a BIP-39 passphrase.

What the history actually shows

  • No hardware wallet has ever had its seed extracted remotely. Every successful key-recovery attack to date has required physical possession of the device.
  • The biggest losses come from supply chains and phishing, not from chips. The Connect Kit attack and Ledger/Trezor/Mailchimp phishing waves account for far more user losses than any silicon-level exploit.
  • Secure Element matters for physical attacks. Every demonstrated physical seed-extraction has targeted devices without a certified Secure Element (legacy Trezor, KeepKey, OneKey Mini). A BIP-39 passphrase mitigates these attacks on existing hardware.
  • Your data is part of your threat model. The 2020 Ledger leak proved that buying a hardware wallet from a retailer that handles customer addresses introduces a real, non-cryptographic physical-safety risk.
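
Why a BIP-39 passphrase blunts the physical extractions listed above, as an added example (not code from any vendor or from this page): the standard derives the wallet seed from the recovery words and the passphrase together, so the words alone lead to a different wallet. It assumes the passphrase is entered each session and never stored on the device; the mnemonic is the public BIP-39 test vector, and wallet_exposed is a hypothetical helper name.

```python
import hashlib
import hmac
import unicodedata

# Constructed input: the public BIP-39 test-vector mnemonic, never a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP-32 master private key and chain code for a 64-byte seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_exposed(mnemonic, owner_passphrase):
    """True if the words alone (all a chip dump can yield) reproduce the owner's
    master key. Assumption: the passphrase is typed per session, never stored."""
    from_dump, _ = bip32_master(bip39_seed(mnemonic))
    real, _ = bip32_master(bip39_seed(mnemonic, owner_passphrase))
    return hmac.compare_digest(from_dump, real)


if __name__ == "__main__":
    print("no passphrase   ->", wallet_exposed(TEST_MNEMONIC, ""))
    print("with passphrase ->", wallet_exposed(TEST_MNEMONIC, "TREZOR"))
```

The protection is only as good as the passphrase itself, which is why the entries above call for a strong one.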


Sources include vendor post-mortems, Unciphered and Kraken Security Labs public disclosures, Ledger and Trezor official statements, court filings and chain-analysis reports. This page tracks publicly disclosed incidents only — it is not exhaustive of internally patched bugs.