Cryip
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events
No Result
View All Result
Cryip
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events
No Result
View All Result
Cryip
No Result
View All Result
Home News Security & Hacks

Ledger Researchers Reveal Laser Flaw in Tangem Cards as Firm Downplays User Risk

Ledger Donjon demonstrated a laser-based password reset attack on Tangem cards, but Tangem says the costly, invasive process poses little risk to everyday users.

Saravana Kumar Mahendran by Saravana Kumar Mahendran
July 10, 2026
in Security & Hacks
0 0
Ledger Researchers Disclose Tangem Card Flaw

Created by Cryip

Share on FacebookShare on Twitter
MakeCryipCryippreferred onGoogle

Ledger’s security research unit has disclosed a physical attack that can reset the password on a Tangem hardware wallet card, potentially allowing an attacker to use the device to authorize crypto transactions.

Tangem acknowledged the laboratory demonstration but said the attack requires physical possession, specialist expertise and equipment worth about $250,000, making the risk to everyday users “virtually non-existent.”

Our comment on Ledger Donjon’s latest article. It describes a laser fault injection (LFI), a physical, lab-only attack technique that applies to secure elements in general, not something unique to Tangem.

It’s also worth noting that while Ledger Donjon presents itself as an…

— Tangem (@Tangem) July 9, 2026

Laser Attack Resets Card Password

Ledger Donjon researchers used a precisely timed laser pulse to bypass a recovery-state check in Tangem firmware running on the card’s EAL6+ secure element. The bypass allowed them to set a new password without the existing password or another card from the same wallet set. Once reset, the card could be used to sign transactions.

The attack:

  • Cannot be carried out remotely.
  • Requires the card to be physically dismantled.
  • Does not extract the private key.
  • Reportedly works even when password recovery is disabled.

Ledger said it reproduced the attack on two additional cards. After identifying the correct laser location and timing, each subsequent test took about two hours. The $250,000 estimate represents the laboratory setup, not the cost of attacking each card.

Related Story

Hackers Target Injective Wallet Keys Through Compromised npm Package

Malicious Injective SDK Package Targets Private Keys and Seed Phrases

July 10, 2026
Secret Network Proposes SCRT Move to Arbitrum as AI Exploit Risks Reshape Security Priorities

Secret Network Proposes SCRT Move to Arbitrum as AI Exploit Risks Reshape Security Priorities

July 8, 2026

Tangem Says Attack Is Not Practical

Tangem argued that an attacker would need to steal a card, expose its chip and operate precision fault-injection equipment. The process leaves visible damage and requires advanced hardware-security knowledge. The company also said the technique does not scale and presents almost no practical risk to everyday users. Ledger Donjon similarly acknowledged that the attack is relevant mainly when a card is lost or stolen.

The disclosure comes amid broader scrutiny of wallet security, though recent incidents have involved different attack methods. A counterfeit Ledger Live app on Apple’s Mac App Store reportedly stole about $9.5 million after victims entered their recovery phrases, making it a phishing attack rather than a hardware compromise.

Separately, a Cardano holder claimed that 2.3 million ADA left a Ledger-secured wallet without approval, but no widely shared on-chain evidence initially established the cause or showed that Ledger hardware had been breached.

Existing Cards Cannot Be Patched

Ledger said Tangem cards already in circulation cannot receive a firmware fix because the devices do not support firmware updates. Tangem has promoted immutable firmware as a security feature because it prevents malicious updates. The disclosure highlights the trade-off: removing the update mechanism reduces one attack surface but prevents vulnerabilities discovered later from being corrected remotely.

The finding also shows that EAL6+ certification does not automatically protect every software function running on a secure element. Ledger’s attack targeted Tangem’s password-recovery logic rather than extracting or breaking the private key. For most users, the disclosure does not represent an immediate online threat. Its primary relevance is to cards that are lost, stolen or deliberately taken from known high-value holders.

Disclaimer: Cryip is an independent media and research outlet providing news, data, and analysis on the cryptocurrency industry. Content is for informational and research purposes only and does not constitute financial, legal, tax, or investment advice. Cryptocurrency markets are volatile and past performance is not indicative of future results. References to specific assets, platforms, or incidents are for journalistic purposes only and do not imply endorsement, and readers assume full responsibility for their decisions.
Tags: crypto securityLedger

Related Posts

Hackers Target Injective Wallet Keys Through Compromised npm Package
Security & Hacks

Malicious Injective SDK Package Targets Private Keys and Seed Phrases

by Saravana Kumar Mahendran
July 10, 2026

A malicious version of a software tool used by Injective developers was designed to collect wallet private keys and recovery...

Read moreDetails
Secret Network Proposes SCRT Move to Arbitrum as AI Exploit Risks Reshape Security Priorities

Secret Network Proposes SCRT Move to Arbitrum as AI Exploit Risks Reshape Security Priorities

July 8, 2026
TRON Introduces Quantum-Safe Signatures

TRON Introduces Quantum-Safe Signatures Across Nile Testnet

July 3, 2026
Taiko Bridge Reopens After $1.7 Million Hack, Restores Cross-Chain Operation

Taiko Bridge Reopens After $1.7 Million Hack, Restores Cross-Chain Operations

July 2, 2026
Crypto Holder Loses 2.3 Million ADA from Ledger Wallet Without Signing Transaction

Crypto Holder Loses 2.3 Million ADA from Ledger Wallet Without Signing Transaction

June 27, 2026
Microsoft Uncovers Crypto Malware That Spreads Like a Worm and Hides Behind Tor

Microsoft Warns of CryptoBandits Malware Using USB Worm Tactics and Tor Network

June 19, 2026
US Lawmakers Unveil Stop Crypto ATM Scams Act

US Lawmakers Unveil Stop Crypto ATM Scams Act After Americans Lose $333M to Fraud

June 15, 2026
Next Post
AI Agents Now Have a New Internet Court to Settle Disputes

AI Agents Now Have a New Internet Court to Settle Disputes

Recommended

  • All
  • News
Ledger Researchers Disclose Tangem Card Flaw

Ledger Researchers Reveal Laser Flaw in Tangem Cards as Firm Downplays User Risk

July 10, 2026
Circle Receives Final OCC Approval to Launch National Trust Bank

Circle Wins Federal Approval to Launch Regulated Digital Asset Trust Bank

July 10, 2026
Binance CEO Says 70% of EU Crypto Withdrawals Now Go to Self-Custodied Wallets After MiCA

Binance CEO Says 70% of EU Crypto Withdrawals Now Go to Self-Custodied Wallets After MiCA

July 10, 2026
Ethereum Foundation Disbands Protocol Support Team

Ethereum Foundation Dissolves Protocol Support Team Amid Restructuring

July 10, 2026
Ethereum Foundation Disbands Protocol Support Team

Ethereum Foundation Dissolves Protocol Support Team Amid Restructuring

July 10, 2026
CodexField on BNB Chain Faces Rug Pull Allegations

BNB Chain Project CodexField Faces Rug Pull Claims After Abnormal Fund Transfers

July 10, 2026
Metaplanet Explores Digital Credit Using Bitcoin, JPYC, and Security Tokens

Metaplanet Explores Digital Credit Using Bitcoin, JPYC, and Security Tokens

July 10, 2026
Relay Warns of Scam Tokens Disappearing From Wallets on Robinhood Chain

Relay Warns of Scam Tokens Disappearing From Wallets on Robinhood Chain

July 10, 2026

Cryip focuses on crypto research and on-chain analysis, supported by coverage of markets, regulation, security events, and blockchain ecosystems.

Recent Posts

  • AI Agents Now Have a New Internet Court to Settle Disputes
  • Ledger Researchers Reveal Laser Flaw in Tangem Cards as Firm Downplays User Risk
  • Circle Wins Federal Approval to Launch Regulated Digital Asset Trust Bank

Categories

  • AI × Crypto
  • Data & Dashboards
  • DeFi Basics
  • Investing Basics
  • Market & Price
  • Market Updates
  • On-Chain Analysis
  • OpSec
  • Policy & Regulation
  • Post Mortems
  • Press Release
  • Reports
  • Scams & Fraud
  • Security & Hacks
  • Stablecoins
  • Tokenomics
  • VC & Funding
  • Wallets & Custody

Company

  • About Us
  • Contact Us
  • Editorial Standards & Integrity
  • Our Team
  • Privacy Policy
  • Review Methodology
  • Terms and Conditions
  • Trust, Disclosures & Independence

© 2026 Cryip - Research-Driven Crypto Analysis & News by Hashlays.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • News
  • Research & Analysis
  • Reviews & Comparisons
  • Learn Crypto
  • Features
  • Events

© 2026 Cryip - Research-Driven Crypto Analysis & News by Hashlays.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.