Ledger Security: A Complete Analysis of the World’s Largest Hardware Wallet Maker
Ledger has sold more hardware wallets than any other manufacturer, with over six million devices shipped since the company was founded in Paris in 2014. That market dominance makes Ledger’s security posture a matter of broad importance — millions of users trust their Bitcoin and other crypto assets to Ledger’s architecture. This analysis examines Ledger’s security model, its track record of incidents, the ongoing debates around its design philosophy, and what current and prospective users should understand.
Ledger’s Security Architecture
Ledger’s hardware wallets — the Nano S Plus, Nano X, and the newer Stax and Flex — all share a common security architecture built around a certified Secure Element chip.
Secure Element (CC EAL5+ certified): Ledger uses ST Microelectronics secure element chips (the ST33 series) that hold Common Criteria EAL5+ certification. These chips are the same class used in passports and banking cards. The secure element stores private keys and performs all cryptographic operations in an isolated environment. It is designed to resist physical attacks including decapping, power analysis, and fault injection. This is a genuine security advantage — the secure element is hardened silicon, not a general-purpose microcontroller.
BOLOS Operating System: Ledger developed its own operating system called BOLOS (Blockchain Open Ledger Operating System) that runs on the secure element. BOLOS provides application isolation, meaning each cryptocurrency app runs in its own sandbox. A vulnerability in the Ethereum app, for example, should not compromise the Bitcoin app. BOLOS also handles the secure display pipeline, ensuring what you see on screen is what the secure element is actually signing.
Proprietary firmware: The firmware running on Ledger’s secure element is proprietary and closed-source. Ledger argues that the secure element manufacturer’s NDA prevents them from open-sourcing this code, and that the EAL5+ certification process provides equivalent assurance through third-party auditing. This is the central tension in Ledger’s security story, and we will examine it in detail below.
For a broader view of how different wallet architectures compare, our article on the evolution of Bitcoin wallet architecture covers the design tradeoffs across the industry.
The Closed-Source Debate
Ledger’s firmware for the secure element is not open source. This is a fundamental philosophical divide between Ledger and competitors like Trezor, Coldcard, and Blockstream Jade, all of which publish their firmware source code.
Ledger’s position is straightforward: the secure element NDA restricts disclosure, and the EAL5+ certification means the code has been audited by accredited labs. They argue that publishing source code for a secure element could actually reduce security by giving attackers a roadmap.
The counterargument is equally direct: users cannot verify what the firmware does. The EAL5+ certification audits functionality and resistance to specific attack classes, but it does not audit for intentional backdoors or privacy violations. Users must trust Ledger’s engineering team and the certification lab — they cannot verify for themselves. In Bitcoin’s ethos of “don’t trust, verify,” this is a significant gap.
The Ledger Recover incident in 2023 (detailed below) brought this debate to a sharp point: firmware running on the secure element was updated to include functionality that could export seed phrase fragments over the internet. Because the firmware is closed-source, users had no way to inspect or object to this capability before it shipped. The deeper implications of open versus closed source are explored in our article on the ethics of open source in Bitcoin hardware security.
Timeline of Security Incidents
2020 Database Breach
In June 2020, a researcher reported a vulnerability in Ledger’s e-commerce and marketing database. Ledger disclosed that an attacker had accessed their Shopify integration and stolen the email addresses of approximately 1,072,000 newsletter subscribers and the full personal details — including names, physical mailing addresses, and phone numbers — of approximately 272,000 customers who had purchased devices.
In December 2020, the full database was dumped publicly on RaidForums. This was catastrophic. Ledger customers’ home addresses were now publicly linked to their ownership of cryptocurrency hardware wallets. The consequences were immediate and severe.
Post-Breach Phishing and Physical Threats
Following the data dump, Ledger users were targeted by sophisticated phishing campaigns. Attackers sent emails and physical mail that impersonated Ledger, including fake replacement devices preloaded with modified firmware. Some users reported receiving physical threats and extortion attempts at their home addresses. At least one case of a violent home robbery targeting a known crypto holder was linked to the leaked data.
This incident illustrated a risk unique to hardware wallet manufacturers: the customer database itself is a high-value target. Knowing that someone bought a hardware wallet means they likely hold significant cryptocurrency. The combination of name, home address, and email provides everything an attacker needs for targeted phishing or physical coercion. Understanding how these threats overlap with chain analysis techniques is covered in our privacy and chain analysis guide.
2023 Connect Kit Supply Chain Attack
In December 2023, a former Ledger employee fell victim to a phishing attack that compromised their credentials for Ledger’s npm package repository. The attacker injected malicious code into the Ledger Connect Kit — a JavaScript library used by decentralized applications (dApps) to connect to Ledger devices. The malicious version redirected transaction approvals to the attacker’s wallet, resulting in approximately $484,000 in stolen funds before the attack was detected and the package was reverted.
This attack did not compromise the hardware wallet itself or the secure element. It targeted the software supply chain around the device. But it demonstrated that Ledger’s security perimeter extends far beyond the hardware, and a single compromised employee credential could impact users across the ecosystem. The broader implications of supply chain attacks on hardware wallets are discussed in our analysis of side-channel and supply chain attack risks.
2023 Ledger Recover Controversy
In May 2023, Ledger announced Ledger Recover, an optional firmware feature that would allow users to back up their seed phrase by splitting it into three encrypted fragments (using Shamir’s Secret Sharing), which would be held by three separate custodians: Ledger, Coincover, and EscrowTech. Recovery would require identity verification through those custodians.
The backlash was immediate and intense. The core objection: the firmware update proved that Ledger’s secure element firmware could extract and transmit seed phrase material over the internet. Even though Recover was opt-in, the capability existed in the firmware running on every updated device. Users who did not opt in to Recover still had firmware on their secure element that was technically capable of exporting their seed.
Ledger’s CTO publicly stated that this capability had always existed in theory — that any firmware update could potentially include such functionality — and that users had always been trusting Ledger not to do this. Many users found this argument alarming rather than reassuring. It highlighted the fundamental limitation of closed-source firmware: you cannot verify what it does, and Ledger had just demonstrated a willingness to add seed export functionality.
Ledger later committed to open-sourcing portions of the Recover protocol and accelerating their open-source roadmap, but the core secure element firmware remains closed as of early 2026.
January 2026 Global-e Third-Party Breach
In January 2026, Ledger’s order fulfillment partner Global-e experienced a data breach that exposed customer shipping information for Ledger purchases. Names, shipping addresses, email addresses, and order details were compromised. While the scope was smaller than the 2020 breach, it reopened the same fundamental wound: Ledger customers’ physical addresses were again in the hands of attackers.
This second breach of customer data — this time through a third-party logistics provider rather than Ledger’s own systems — underscored that the customer data problem is structural, not incidental. Any company that ships physical products maintains shipping data across multiple partners, any of which can be compromised.
Physical Security Analysis
Setting aside the data breach and firmware controversies, Ledger’s physical device security is strong. The secure element provides genuine protection against physical extraction attacks. An attacker who steals a locked Ledger device faces serious obstacles:
- The PIN is enforced by the secure element, with increasing delays after failed attempts and a device wipe after too many failures
- The secure element resists physical probing, power analysis, and fault injection at the EAL5+ level
- Extracting keys from the ST33 secure element without the PIN would require nation-state-level resources and is not a practical attack for ordinary thieves
This is meaningfully different from wallets built on general-purpose microcontrollers (like older Trezor models), which are more vulnerable to physical extraction via voltage glitching. The secure element is a real security feature, not marketing.
Supply Chain Security Concerns
Ledger devices are manufactured and shipped from multiple locations, passing through various logistics partners. Given the two customer data breaches, attackers know exactly who is receiving Ledger devices and where. This creates a targeted supply chain risk: intercepting a specific person’s shipment and replacing it with a modified device.
Ledger implements anti-tampering measures — a cryptographic attestation check at first boot verifies the device is genuine. When you connect a new Ledger to Ledger Live, it checks the device’s authenticity against Ledger’s servers. This is effective against casual tampering but relies on the closed-source attestation process working correctly and on the user actually performing the check.
The Ledger Recover Debate in Detail
Ledger Recover deserves deeper examination because it represents a philosophical shift in hardware wallet design. Traditional hardware wallets follow a simple principle: private keys are generated on the device and never leave the device. Recover breaks this principle by design — it exports seed material, albeit encrypted and fragmented, to third-party custodians.
Ledger’s argument for Recover is pragmatic: most people lose access to their Bitcoin not through theft but through lost or damaged seed backups. A custodial recovery option, gated by identity verification, saves more funds than it risks. This is probably true at a statistical level for the broader market.
The Bitcoin community’s objection is principled: the entire point of self-custody is eliminating third-party trust. Recover reintroduces it. Worse, the capability exists in the firmware whether or not you opt in, which means you are trusting Ledger not to activate it without consent (or not to be compelled by a government to activate it).
For users who want seed backup solutions that do not involve firmware-level export capabilities, multisig configurations offer a more trust-minimized approach. Our article on multisig security architecture and recovery protocols covers these alternatives.
Comparison with Open-Source Alternatives
Understanding Ledger’s position requires comparing it with the open-source alternatives:
Trezor (Safe 3, Safe 5): Open-source firmware, published hardware designs. The Safe 3 added a secure element (Optiga Trust M) but the firmware interfacing with it is open source, unlike Ledger. The tradeoff is that Trezor’s older models without a secure element were vulnerable to physical extraction attacks that Ledger devices resisted.
Coldcard MK4: Open-source firmware, partially documented hardware. Uses dual secure elements (Microchip ATECC608B) for key storage. Bitcoin-only. The firmware is available on GitHub and has been reviewed by multiple independent security researchers.
Blockstream Jade: Fully open-source firmware and hardware designs. Uses a virtual secure element model where the secure element functionality is implemented through a blind oracle interaction with Blockstream’s servers (or a self-hosted server). A different approach to the same problem.
Foundation Passport: Open-source firmware (MIT license) and hardware (CERN OHL). Uses a secure element but with open-source firmware interfacing. One of the most transparent hardware wallet projects available.
The pattern is clear: it is possible to use a secure element while keeping the firmware open source. Ledger’s claim that the NDA prevents open sourcing is increasingly undermined by competitors who have found ways to use secure elements with open-source code. For a deeper comparison, see our 2026 hardware wallet buying guide.
Risk Mitigation for Current Ledger Users
If you already own and use a Ledger device, here are concrete steps to reduce your risk exposure:
- Assume your purchase data has been compromised. If you bought directly from Ledger at any point, operate under the assumption that your name and address are known to attackers. Be vigilant about phishing emails, text messages, and physical mail claiming to be from Ledger.
- Never enter your seed phrase into any software or website. Ledger will never ask you to do this. Any email, app, or website requesting your seed phrase is a scam. This is the single most common attack vector against Ledger users.
- Consider not updating to firmware that includes Recover. This is a personal risk assessment. Older firmware versions do not include the seed export capability. However, staying on old firmware means missing security patches. There is no clean answer here.
- Use a passphrase. Even if the Recover functionality were activated on your device, the BIP39 passphrase is not stored on the device and would not be captured. A passphrase-protected wallet adds a layer that is independent of the device firmware.
- Consider migrating to a multisig setup. If your Ledger is one key in a 2-of-3 multisig, a compromise of the Ledger alone does not compromise your funds. This is the strongest mitigation available. Our guide on multisig wallet configurations covers practical implementation.
- Use Sparrow or Electrum instead of Ledger Live. Ledger Live connects to Ledger’s servers and shares your xpub (which reveals all your addresses and balances) with Ledger. Using Sparrow with your own Bitcoin node eliminates this privacy leak.
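Why the passphrase step in the list above is independent of the seed words, shown as an added example in Python (not code from Ledger or any wallet). It follows the BIP39 seed derivation and the BIP32 master-key step; `wallet_tag` and `wallets_for` are hypothetical helpers, and the mnemonic is the public BIP39 test-vector phrase.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample: the all-"abandon" mnemonic from the public BIP39 test
# vectors. It is known to everyone and must never hold funds.
SAMPLE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic, passphrase=""):
    """BIP39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master private key and chain code derived from a BIP39 seed."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def wallet_tag(mnemonic, passphrase=""):
    """Short label for the wallet that a (mnemonic, passphrase) pair opens.

    Hypothetical helper: a truncated SHA-256 of the master key, not the real
    BIP32 fingerprint (which needs secp256k1 and RIPEMD-160).
    """
    key, _chain_code = bip32_master(bip39_seed(mnemonic, passphrase))
    return hashlib.sha256(key).hexdigest()[:8]


def wallets_for(mnemonic, passphrases):
    """Map each candidate passphrase to the wallet it opens."""
    return {p: wallet_tag(mnemonic, p) for p in passphrases}


if __name__ == "__main__":
    # Same 12 words, three passphrases: three unrelated wallets, and no error
    # for the misspelled one. BIP39 has no notion of a "wrong" passphrase.
    for phrase, tag in wallets_for(
        SAMPLE_MNEMONIC, ["", "correct horse", "correct hrose"]
    ).items():
        print(f"{phrase!r:>16} -> wallet {tag}")
```

Because every passphrase yields a valid wallet, a typo silently opens an empty one; back up the passphrase as carefully as the seed words, and separately from them.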
Should You Still Buy a Ledger?
This is where analysis meets opinion, and reasonable people disagree. Here is a balanced assessment:
Arguments in favor: The secure element provides best-in-class physical security. The devices are well-built, user-friendly, and widely supported by third-party software. Ledger has a large security team and the resources to respond to vulnerabilities quickly. For users who accept the closed-source tradeoff and want the strongest protection against physical device theft, Ledger remains a strong option.
Arguments against: Two customer data breaches in six years is a pattern, not a fluke. The Recover firmware controversy demonstrated that Ledger is willing to add seed export capabilities to the secure element, and the closed-source firmware means users cannot verify what future updates will do. The supply chain attack on the Connect Kit showed that Ledger’s security extends beyond the device into a broad attack surface. Open-source alternatives now match or exceed Ledger’s security in most categories except physical tamper resistance of the secure element — and even that gap is narrowing.
The bottom line: If you prioritize physical security and ease of use, and you accept the trust model of closed-source firmware, a Ledger device is a reasonable choice. If you prioritize verifiability, transparency, and alignment with Bitcoin’s “don’t trust, verify” ethos, the open-source alternatives are a better fit. Either way, the device you choose matters less than how you use it — proper seed backup, passphrase usage, and operational security practices are where most wallet security is actually won or lost. Our guide on cold storage and risk management architecture covers these foundational practices.
Frequently Asked Questions
Has the Ledger secure element ever been cracked?
No known public attack has successfully extracted private keys from a locked Ledger device’s secure element through physical means. Security researchers including wallet.fail and Kraken Security Labs have demonstrated attacks on the non-secure-element MCU (which handles the screen and button inputs), but extracting keys from the ST33 secure element without the PIN has not been publicly achieved. This does not mean it is impossible — state-level actors may have unpublished capabilities — but it has not been demonstrated in the public security research community.
Is Ledger Recover mandatory?
No. Ledger Recover is opt-in and requires the user to actively subscribe to the service, provide identity documents, and confirm the setup on-device. It is not enabled by default. However, the firmware code that enables the seed export capability is present on all devices running firmware version 2.2.1 and later. The distinction is between the capability existing in the code and the feature being activated by the user. Users who are concerned about the capability can remain on older firmware versions, though this means forgoing security patches.
Should I be worried about my data from the 2020 breach?
Yes, and permanently. The 2020 database was published publicly and is now permanently available. If your purchase information was in that database, your name, email, physical address, and the fact that you own cryptocurrency hardware are known. This data does not expire. You should treat any communication claiming to be from Ledger with extreme suspicion, use a PO box or forwarding address for any future crypto-related purchases, and consider the physical security implications of being a known hardware wallet owner.
Can I use a Ledger device without Ledger Live?
Yes. Ledger devices work with Sparrow Wallet, Electrum, and other third-party wallet software. You can manage your Bitcoin entirely without Ledger Live. The primary advantage of using third-party software is privacy: Ledger Live connects to Ledger’s servers with your xpub, which means Ledger can see all your addresses and balances. Sparrow connected to your own Bitcoin node eliminates this leak. The only tasks that currently require Ledger Live are firmware updates and installing new cryptocurrency apps on the device.
How does Ledger compare to Trezor for physical security?
Ledger has historically held an advantage in physical security due to its EAL5+ secure element. Older Trezor models (One, Model T) use general-purpose microcontrollers that are vulnerable to voltage glitching attacks, allowing physical extraction of the seed if an attacker has the device. However, the Trezor Safe 3 and Safe 5 added a secure element (Infineon Optiga Trust M), significantly closing this gap. The key remaining difference is that Trezor’s secure element integration is open source, while Ledger’s is not. For detailed comparisons across all major devices, see our evolution of Bitcoin self-custody article.
You may also find our Bitcoin seed phrase security guide useful.