The rise of digital assets has reshaped the concept of financial ownership, while creating a never-ending arms race between asset holders and cybercriminal organizations. In that context, hardware wallets — also known as cold wallets — have long been considered the "gold standard" for self-custody. However, data analysis and security events in the period 2024-2025 have shaken this absolute trust.
According to the team of experts at Tan Phat Digital, although these devices are designed to isolate private keys from the internet environment, they are not impregnable fortresses. Potential risks go beyond the hardware itself and branch out to user error, vulnerabilities in the software and physical supply chains, and sophisticated laboratory attack techniques.
Chapter 1: Cryptocurrency Security Risk Landscape 2024-2025
The cryptocurrency world enters 2025 with alarming statistics. In just the first half of 2025, the total value of assets stolen in crypto-related crimes reached nearly $1.93 billion, surpassing the total for all of 2024 and putting 2025 on track to become the worst year in history for digital asset loss. This increase not only reflects the rising market value of assets but also shows the professionalization of hacker groups, especially those with country links such as North Korea's Lazarus.
A notable trend is the shift of targets from large exchanges to individual wallets. As services focus on improving security standards and complying with new regulations, attackers find individuals to be "softer" targets. The use of artificial intelligence (AI) and large language modeling (LLM) tools has helped cybercriminals automate and sophisticated phishing campaigns, causing successful attack rates to skyrocket.
Crypto Security Index H1 2025 vs. 2024:
Total value stolen: 2024 recorded approx. 2.01 billion USD. However, in just the first 6 months of 2025, this number has jumped to 2.17 - 2.3 billion USD, showing a strong growth trend even though time has only passed half.
Number of security incidents: There will be 410 incidents in 2024. In H1 2025, this number drops to 200 incidents. This reflects the fact that the frequency of attacks has decreased, but the scale and effectiveness of damage per incident has skyrocketed.
Phishing attack rate: Compared to the base level of 2024, this rate has increased by 40% in early 2025.
Proportion of individual wallets attacked: Increased from less than 20% in the year 2024 to 23.35% by mid-2025, confirming that individuals are becoming a central target.
See more: Are cold wallets safe Absolutely not?
Chapter 2: The Achilles Heel of Cold Wallets - Human Errors
The most common cause of losing money in hardware wallets is not due to technical errors of the device but from the users themselves. Hardware wallets protect private keys, but they cannot protect users against fraud or malpractice in process management.
Seed Phrase Compromise
The Secret Recovery Phrase (SRP), typically 12 or 24 words long, is the master key to generating every address and private key in the wallet. The core principle of cold wallets is that SRP is only displayed on the device's screen and must be stored completely offline. However, many users have violated this rule by:
Taking a photo of the SRP and saving it in the phone photo library or saving it on cloud services (iCloud, Google Drive).
Type the SRP into note-taking applications or send it via email/message.
Enter the SRP into fake websites under the lure of phishing campaigns
Attackers today use specialized malware that can scan the entire file system to search for files with a format similar to the seed phrase. When users accidentally store SRP digitally, they turn a "cold" wallet into a "hot" wallet, stripping away any security advantages of the hardware.
Phishing and Social Engineering
Phishing in the crypto space has evolved from rudimentary emails to extremely convincing customer support impersonation campaigns. A typical example in May 2025 showed criminals using internal bribes to obtain user data, then impersonating support staff to trick customers out of tens of millions of USD.
For hardware wallet users, phishing scenarios often revolve around asking users to "update firmware", "authenticate wallet", or "recover account after crash". Attackers create websites that look identical to Ledger or Trezor, luring users into entering SRP. Once this information is exposed, all control of the assets will immediately transfer to the attacker.
Chapter 3: Blind Signing - Information Gaps and Smart Contract Traps
Blind Signing is a condition in which a hardware device cannot decode the complex data of a smart contract into human-readable language on a small screen.
When a real user currently transacting on the dApp, a string of hex code will be sent to the wallet for signing. Since the device lacks analytics logic for all contract types, it only displays general messages like "Data Present". This process creates an "information gap" between the computer interface (which can be manipulated to display fake information) and what the device is actually signing.
Common exploit scenarios include:
Infinite Token Approval: Grants the attacker permission to withdraw the entire balance at any time.
NFT Sweeping: Full Transfer NFT value to the attacker's address.
The ByBit incident in 2025 is a clear example when a blind transaction signing error led to a loss of 1.5 billion USD due to the inability to accurately verify parameters at the time of signing.
See more: Can a hacked wallet get your money back?
Chapter 4: Software Supply Chain Attack - When Trust is Betrayed
Supply chain attack targets intermediaries or mail software library that wallets and dApps depend on. Tan Phat Digital recognizes that the JavaScript/NPM ecosystem is a particularly lucrative target.
The malware in these libraries operates very sophisticatedly:
Environment detection: Checks for the presence of Web3 wallets.
Traffic interception: Tracks every incoming request wallet.
Address swapping: Uses the Levenshtein algorithm to find the attacker's address whose first and last characters are most similar to the target address (fuzzy matching), making it difficult for users to detect.
Pre-signing manipulation: Changing transaction parameters right in memory before sending to the hardware wallet.
The incident Ledger Connect Kit late 2023 is a prime example where an attacker gained access to a former employee's NPM account to release a malicious version, causing massive damage in just a few hours.
Chapter 5: Physical Supply Chain Risks and Counterfeit Devices
Unlike software, physical attacks occur during the manufacturing or shipping process. Researchers discovered counterfeit Trezor Model T devices with casings glued instead of ultrasonic welded. Inside, the original microcontroller was replaced with another chip that had traces of manual soldering, and the firmware was modified to disable security checking mechanisms, using seed phrases created by the attacker.
In addition, the Voltage Glitching vulnerability (voltage interference) is also a threat. By generating short electrical pulses, an attacker can cause the microcontroller chip to bypass security check command lines or leak flash memory contents. This creates a loophole for sophisticated attacks where the firmware can be changed before the device reaches the user.
Chapter 6: Physical Attacks in the Lab - Side Channel and EMFI Analysis
Once an attacker has physical access, they can use specialized equipment to extract confidential information:
Side Channel Analysis (SCA): Measures power consumption or electromagnetic emissions to deduce the bits of the secret key. Using the Hamming weight model, an attacker can recover strong cryptographic keys in just a few minutes.
Electromagnetic Fault Injection (EMFI): Uses a probe that emits high-intensity electromagnetic pulses to cause execution errors. A famous example is the well-timed EMFI pulse injection of the Trezor's on-chip USB length comparison, causing the device to leak the entire flash memory contents containing the recovery phrase.
Chapter 7: Address Poisoning - When Transaction History Becomes a Trap
Address Poisoning (address poisoning) takes advantage of the habit of copying addresses from transaction history. The attacker creates a "vanity" address with the same first and last characters as the victim's usual address, then sends a small amount of assets so that this fake address appears first in the list of recent transactions.
Actual data shows the huge scale:
More than 270 million attack attempts recorded on Ethereum and BSC from 2022 to 2024.
More than 17 million wallets were targeted.
Criminals successfully appropriated more than $83.8 million through erroneous money transfers.
Chapter 8: Advanced Security Architectures and Defenses
To protect assets, users and organizations need to deploy multi-faceted strategies floors:
1. Multi-Signature (Multisig):
Risk Resistance: Eliminates single weakness. If a device is lost or fails, funds can still be accessed using the remaining keys.
Diversification: Use devices from different manufacturers to protect against a single carrier's system vulnerabilities.
2. Using Passphrase (25th character):
Physical protection: Even if the original 24 words are extracted, the attacker still cannot see the assets without the passphrase.
Alibi denial: Allows setting up a decoy wallet with a small amount of money to protect a large amount of assets.
3. Clear Signing Standard:
The EIP-712 standard allows structured data to be displayed, helping users accurately check the destination address, token type, and quantity before confirming.
Comparing security features:
Singlesig: Simple management but no protection Seed Phrase exposed or user error losing seed. The level of physical theft protection is low if the PIN code is not strong enough.
Multisig (Multi-Signature): Very good security against the risk of Seed Phrase exposure and device theft. There is backup capability when encountering seed loss errors, but the management process is quite complicated.
Using Passphrase: Good protection against the risk of disclosure 24 from recovery and physical attacks. Moderate complexity, but high risk if the user forgets the passphrase because it will be impossible to restore assets.
Chapter 9: Frequently Asked Questions (FAQ) about Hardware Wallet Security
1. How is Passphrase (25th character) different from Seed Phrase (recovery phrase)? Seed Phrase is the original key consisting of 12-24 words to create a wallet. A passphrase is an additional word or string of characters that you set yourself. Without a passphrase, Seed Phrase can only open an "empty wallet" or decoy wallet. This protects you even if the Seed Phrase is exposed.
2. How to check if my Ledger wallet is genuine? You should use the "Genuine Check" feature in the Ledger Live app. Each genuine Ledger device contains a secret key set at the factory to prove its origin through an encrypted authentication process upon connection.
3. What is "Blind Signing" and why is it dangerous?Blind signing occurs when your wallet cannot display transaction details (like amount, receiving address) in human-readable form, but only displays unknown hex code. An attacker can trick you into signing a withdrawal order while your computer screen displays an innocent transaction.
4. Should I buy hardware wallets from unofficial e-commerce platforms? Absolutely not. Devices from unofficial sources are at high risk of physical supply chain attacks, such as chip replacement or pre-installed malicious firmware to steal funds as soon as you load them.
5. How did the $1.5 billion Bybit hack happen in 2025?The attacker (Lazarus group) took control of Safe{Wallet}'s web infrastructure to change the user interface. When Bybit administrators made the transaction, they were tricked into signing a command that changed the multisig contract logic, granting full control of the wallet to the hacker.
6. What is the "Dark Skippy" attack? This is a sophisticated type of firmware malware. It manipulates the "nonce" (one-time-use number) values in the transaction signature to insert a Seed Phrase part there. After only a few transactions are broadcast online, hackers can scan the blockchain and recover your entire Seed Phrase.
7. Can a person take my money if they get hold of a physical hardware wallet? Maybe, if they have in-depth knowledge and lab equipment. Techniques such as Power Analysis or Voltage Glitching can extract the secret key from the microcontroller chip if the device does not have strong Secure Element protections.
8. Why is Multisig (multi-signature) more secure than regular wallets? Because it eliminates the single point of weakness. For example, with a 2-of-3 configuration, you need 2 different devices to sign transactions. If a device is broken or a Seed Phrase is lost, the hacker still cannot get the money and you can still recover the asset with the remaining 2 parts.
9. How does Address Poisoning trick users? Hackers send a very small amount of money from an address whose first and last 4-5 characters are identical to yours or a relative's address. The goal is for you to mistakenly copy this fake address from your transaction history for future money transfers.
10. How does EIP-7702 affect hardware wallet security? EIP-7702 allows an ordinary wallet (EOA) to temporarily function as a smart contract. While convenient (like bundling multiple transactions), it creates risks if users are tricked into "delegating" their wallets to a malicious contract, leading to loss of control.
11. Is Trezor Safe 3 wallet still safe after Ledger Donjon's report? Trezor affirms that Safe 3 is still safe for the majority of users who buy from genuine sources. However, it has a physical vulnerability in the microcontroller against Voltage Glitching attack. The best protection is to use a long PIN and always use a Passphrase.
12. What is a "Burner Wallet" and what is it used for? This is a secondary wallet (can be a hot wallet or a secondary address on a hardware wallet) that holds only a small amount of funds. You should use this wallet to interact with new dApps or mint NFTs so that if there is a risk of blind signing, the damage will be limited.
13. Is "Wrench Attack" common? The year 2025 saw a sudden increase in physical attacks (forcing users to hand over keys). This is a risk that cannot be solved technically, it can only be minimized by anonymization or using a geographical multisig configuration (devices in different places).
14. What's special about the TROPIC01 chip in Trezor Safe 7? This is the world's first open source security chip (Secure Element). It allows the community to test chip designs to ensure there are no backdoors from the manufacturer, while still protecting against physical attacks.
15. Should I update the firmware at a moment's notice? Usually yes, because updates often patch new security vulnerabilities (like the Ledger Connect Kit issue). However, always check the announcement on the company's official website before doing so to avoid fake updates from hackers.
Hardware wallets are still the safest tool, but its safety depends on human operating procedures. Tan Phat Digital emphasized that the biggest risk today does not lie in the blockchain's encryption but in the exposed interfaces.
The 2024-2025 era shows that cybercriminals have shifted to exploiting psychology and weak links in the supply chain. To protect assets, users should not just "buy and forget" but need to build strict security habits: absolutely do not store digital seed phrases, prioritize Clear Signing, and use multi-signature architecture for high-value assets.
Share
