§ Q & A · Self-Custody

Can a hardware wallet be hacked?

Short answer

Yes, with caveats. Hardware wallets defeat the most common attack — malware on the connected computer — almost completely. They are weaker against physical access with lab equipment and social engineering. The honest read: a hardware wallet is the cheapest security upgrade, not a magic shield.

Last updated · June 9, 2026

Yes, with serious caveats — and the honest answer matters more than the marketing answer. Hardware wallets are not magic. They defeat one specific class of attack very well (malware on the computer the wallet is connected to) and are progressively weaker against attack classes that require physical access, specialised equipment, or social engineering. A reader deciding whether to spend $79-$179 on a hardware wallet should know exactly what the device is buying them and what it isn’t.

This is the verify-positioned version of the answer. No shilling, no marketing language, real numbers, named incidents where possible.

The six attack classes that matter

Hardware wallet attacks fall into six rough categories, ranked from “common in the wild” to “almost never seen”:

1. Malware on the connected computer. A user’s Windows or macOS machine gets infected with clipboard-hijacker malware, address-substitution malware, or a Trojan that signs transactions silently. This is the most common self-custody loss in 2025-2026 by an order of magnitude. Hardware wallets defeat this attack almost completely because the device shows the real destination address on its own screen and requires you to confirm physically. A confirmation step on a screen the malware can’t reach is exactly the defence the threat model needs.

2. Counterfeit installer / phishing. A fake wallet app (the April 2026 Ledger Live App Store incident is the canonical case) tricks the user into signing a malicious transaction in the legitimate hardware wallet. The hardware wallet still defeats this if used correctly — the device shows the destination address on its own screen, and the user can refuse if it doesn’t match. The defence only works if the user actually reads the device screen before approving. Skipping that read makes the hardware wallet ornamental.

3. Social engineering of the user. Phishing emails, fake “support” agents, “give me your seed for free coins” Discord drops. No hardware wallet defends against this because the user themselves performs the destructive action. The only defence is education + skepticism.

4. Supply-chain attack. A device is intercepted between vendor and customer, modified, and resold. Trezor and Coldcard both ship in anti-tamper bags with serial number verification at first boot. Reasonably well defended in 2026, but the defence depends on the user actually checking the bag and serial number, which many don’t. Buying directly from the vendor (not Amazon, not a third-party reseller) reduces the surface area.

5. Physical extraction. A determined attacker who physically possesses the device for hours, with lab equipment, can sometimes extract the seed. The Kraken Security Labs 2020 disclosure showed that the Trezor One could be opened and its seed read via voltage glitching in about 15 minutes with $75 of equipment. Modern hardware wallets with a secure element (Trezor Safe 5, Coldcard Mk4, BitBox02) are dramatically better here — the secure element is a tamper-resistant chip rated EAL6+ that’s deliberately hard to read out, even with sophisticated equipment. Older devices without a secure element (Trezor One, original Trezor T) are vulnerable to this class of attack if the seed isn’t passphrase-protected.

6. Side-channel attack via the secure element itself. Researchers at Donjon (Ledger’s internal security research team) and academic groups have published attacks against secure elements over the years. These attacks typically require physical possession, expensive equipment, and weeks of access. In practice, not a meaningful threat to retail users — they’re not what stops you from getting drained.

What the threat model actually rules out

A hardware wallet does not defend against:

What it does defend against, very well, is the single most common loss vector: a compromised computer signing a transaction you didn’t intend. That’s worth $79 by itself for any self-custody amount above a few hundred dollars.

Real-world hardware-wallet incidents

For the historically-minded reader, the actual disclosures that shaped where the market is in 2026:

Trezor One — voltage glitching (Kraken Security Labs, 2020). Researchers physically opened a Trezor One, applied a voltage glitch to the STM32 microcontroller, and extracted the seed in about 15 minutes. Mitigation: passphrase or upgrade to the Safe 5 / Safe 3 with secure element.

Ledger Recover controversy (2023-2024). Ledger announced a firmware update enabling an opt-in seed-sharding recovery service that would split your seed across three shards held by third parties. The community read this as proof that Ledger’s secure element firmware could in principle be made to export the seed under vendor instruction — a violation of the implicit threat model. This is one of several reasons we don’t currently recommend Ledger for verify-positioned self-custody.

Counterfeit Ledger Live on Apple App Store (April 2026). A fake Ledger Live app passed App Store review, tricked users into entering seeds during a “Live verification” prompt, and drained an estimated $9.5M. The hardware wallets themselves were not hacked — the user-facing software was — but the lesson is that even hardware-wallet users need to verify what software they’re running. See our wallet installer SHA-256 verifier.

Coldcard supply-chain bag tampering (multiple low-impact incidents). Coinkite ships Coldcards in vacuum-sealed bags with serial numbers. Several users have reported receiving bags that looked re-sealed; in all reported cases, the buyer caught it at first inspection and the vendor replaced the device. Strong evidence that the anti-tamper system works when the user actually checks the bag.

No mass-scale hardware-wallet remote hack has been documented. This is the headline. Despite hundreds of millions of dollars in retail Bitcoin sitting on hardware wallets, there has never been a mass-scale remote attack that drained hardware-wallet users en masse. Every documented hardware-wallet loss has been either user error, supply chain, or single-device physical extraction — never a remote, mass-scale compromise of the device itself. That’s the strongest empirical evidence that the category works as advertised.

The honest verdict

A hardware wallet, used correctly, lowers your annual catastrophic-loss probability from the 5-15% range (typical hot-wallet usage on a moderately-exposed computer) to under 1%. That’s a factor of 5-15 improvement. It does not lower it to zero. The remaining 1% risk is mostly social engineering and physical-access scenarios where no hardware wallet alone helps.

The verify-positioned reading: hardware wallets are the cheapest single security upgrade self-custodians can make, and worth deploying for any amount above the threshold (~$200-500) where the device pays for itself. Skipping them is rarely worth it. Believing they’re a magic shield is exactly the wrong reaction to the headline above.

Primary sources

  1. Kraken Security Labs — Trezor One/T physical key extraction (2020) [1]
  2. Donjon (Ledger) — Hardware wallet research disclosures [2]
  3. Trezor — Wallet security overview [3]
  4. Coldcard — Anti-tamper bag + duress wallet docs [4]
  5. Chainalysis Crypto Crime Report 2025 [5]