
Ledger Donjon researcher Baptiste Boileau disclosed a vulnerability in Tangem hardware wallets. A laser fault injection attack can reset the card’s password and gain control over the assets stored on it.
Tangem produces hardware crypto wallets in the form of a plastic NFC card, similar to a bank card. Inside is a secure chip that stores private keys and signs transactions when connected to a mobile app.
According to Ledger Donjon, the vulnerability affects all Tangem cards in circulation and cannot be fixed with a patch, as the devices do not support firmware updates.
“[…] the attack is physical and invasive, so it cannot be conducted covertly and return the card undamaged. The only real risk is a lost or stolen card; if it remains with you, the described attack cannot be executed,” Boileau wrote.
How the Attack Works
Inside the Tangem hardware wallet is a Samsung S3D232A secure element with EAL6+ certification, responsible for key generation, storage, and transaction signing. Communication with the mobile app occurs via NFC.
Access to funds is usually restricted by two factors: physical possession of the card and knowledge of the password. Tangem also has a recovery mechanism: if a user forgets the password, it can be reset with two linked cards.
Ledger Donjon focused on the logic of the SetPin instruction used when changing the password. According to the researcher, the firmware includes a check to see if the card is in an allowed recovery state. Laser fault injection allowed bypassing this check, enabling the card to accept a new password without the old one or a backup card.
“Using a single nanosecond laser pulse directed at a specific area of the EAL6+ chip, Ledger Donjon demonstrated a fault injection attack against Tangem cards,” the report states.
For preparation, the researcher opened the card, exposed the secure element, connected it to a custom hardware platform, and used side-channel analysis to determine the timing of the necessary check. Afterward, a laser pulse was directed at the chip area related to the instruction execution logic.
According to him, once parameters for a specific model are found, each new attempt takes about two hours of preparation and exploitation. After resetting the password, the attacker can sign transactions and withdraw funds.
The attack requires not only a stolen or lost card. Ledger Donjon estimates the experimental setup costs around $250,000. Besides laser equipment, side-channel analysis tools, expertise in hardware security, and preparation time are needed.
Tangem’s Response
Tangem described the risk to everyday users as “virtually non-existent,” since the scenario requires physical access to the card, expensive laboratory equipment, and expertise in hardware security, writes The Block.
“It is also worth noting that while Ledger Donjon presents itself as an independent research unit, it operates within Ledger, one of our largest competitors. Their findings should be read with this in mind,” the company stated.
Its representatives also added that with sufficient time, funding, and access, the firmware of any secure element can be studied and potentially exploited.
Meanwhile, Boileau emphasized the limitations of EAL6+ certification. It confirms the secure element’s resilience against certain criteria but does not guarantee that the firmware logic on top of this chip is free from vulnerable checks.
“Software running on these chips should be developed with specific protection patterns in mind,” he stated.
Among the recommendations, the expert highlighted several independent checks for critical operations, more robust state encoding, and additional password change protection, even if the recovery function is disabled.
In December 2023, Ledger users suffered due to the compromise of the Ledger Connect Kit—a library for connecting wallets to decentralized applications. Later, the manufacturer estimated the damage at approximately $600,000.
In June 2025, hackers attacked Trezor clients through a support form. At that time, the company emphasized that its systems were not breached.
In April 2026, Ledger introduced the AI Security Roadmap 2026—a document outlining how the company plans to protect users in a world where AI agents independently conduct transactions, manage wallets, and access confidential data.
