Ledger researcher Donjon Baptiste Boualo revealed a vulnerability in Tangem hardware wallets. A laser fault injection attack can reset the card's password, granting control over the assets stored on it.
Tangem produces hardware crypto wallets in the form of plastic NFC cards, resembling bank cards. Inside is a secure chip that stores private keys and signs transactions when connected to a mobile app.
According to Ledger Donjon, the vulnerability affects all Tangem cards currently in circulation and cannot be patched, as the devices do not support firmware updates.
"[...] the attack is physical and invasive, so it cannot be conducted discreetly or return the card undamaged. The only real risk is a lost or stolen card; if it remains in your possession, the described attack cannot be executed," Boualo wrote.
How the Attack Works
Inside the Tangem hardware wallet is a Samsung S3D232A secure element certified EAL6+, responsible for generating, storing keys, and signing transactions. Communication with the mobile app occurs via NFC.
Access to funds is typically restricted by two factors: physical possession of the card and knowledge of the password. Tangem also has a recovery mechanism: if a user forgets their password, they can reset it with two linked cards.
At Ledger Donjon, the focus was on the logic of the SetPin instruction used during password changes. The researcher believes there is a check in the firmware to determine if the card is in a permitted recovery state. The laser fault injection disrupted this check, allowing the card to accept a new password without the old one or a backup card.
"By using a single nanosecond laser pulse directed at a specific area of the EAL6+ chip, Ledger Donjon demonstrated a fault injection attack against Tangem cards," the report states.
To prepare, the researcher opened the card, exposed the secure element, connected it to their own hardware platform, and used side-channel analysis to pinpoint when the critical check was executed. They then directed a laser pulse at the chip area associated with the instruction execution logic.
According to Boualo, once the parameters for a specific model are identified, each new attempt takes about two hours of preparation and execution. After resetting the password, the attacker can sign transactions and withdraw funds.
This attack requires not only a stolen or lost card. Ledger Donjon estimates that the experimental setup costs around $250,000. In addition to laser equipment, tools for side-channel analysis, expertise in hardware security, and preparation time are necessary.
Response from Tangem
Tangem described the risk to everyday users as "virtually nonexistent," as the scenario requires physical access to the card, expensive laboratory equipment, and expertise in hardware security, The Block reports.
"It is also worth noting that while Ledger Donjon presents itself as an independent research division, it operates within Ledger, one of our largest competitors. Their findings should be read with this in mind," the company stated.
Representatives also added that with sufficient time, funding, and access, the firmware of any secure element can be studied and potentially exploited.
At the same time, Boualo emphasized the limitations of EAL6+ certification. It confirms the secure element's resilience based on specific criteria but does not guarantee that the firmware logic above this chip is free from vulnerable checks.
"Software running on these chips must be developed with specific protection patterns in mind," he stated.
Among his recommendations, the expert highlighted the need for independent audits for critical operations, more robust state encoding, and additional protection for password changes, even if the recovery function is disabled.
In December 2023, Ledger users suffered due to the compromise of the Ledger Connect Kit—a library for connecting wallets to decentralized applications. The manufacturer later estimated the damage at approximately $600,000.
In June 2025, hackers targeted Trezor customers through a support form. The company emphasized that its systems had not been breached.
Recall that in April 2026, Ledger introduced the AI Security Roadmap 2026—a document outlining how the company plans to protect users in a world where AI agents autonomously conduct transactions, manage wallets, and access confidential data.
