This analysis masterfully dismantles the illusion of absolute security by grounding technical solutions in the messy reality of human error and systemic risk. It is a necessary reality check that shifts the focus from buying gadgets to understanding one's own threat model.
Hardware Wallet Risk Iceberg: From User Error, Phishing Scams, Privacy, Backdoors & Nation States
So, just a quick demo to start: you'll see that if we connect this Raspberry Pi running PiTrezor here and let it boot, Trezor Suite is going to throw all sorts of warnings about this device.

There we go. It's basically telling us that this device may be a counterfeit or may have been compromised. But interestingly, if I just unplug that and instead connect this DIY Trezor One I made back in this video over here, you'll see that Trezor Suite is actually perfectly happy, and I can even apply an official firmware update to this DIY device.

And there we go. If you're wondering how that was possible and whether it has anything to do with your hardware wallet: in this video I'm going to run through what I'm calling the hardware wallet iceberg. The idea is to use this as a framework to talk about some of the different risks for hardware wallets, starting at the top with stuff that is simple and common and going all the way down through things like privacy, supply chain attacks, and even hardware and state-level backdoors. Along the way, I'll run through some examples of these types of attacks, what you can do to mitigate them, and how this all fits together with the different tradeoffs that different vendors and projects make in the product they are giving you to use. This whole thing is not about trying to make you think that everything is insecure or everything's been hacked, but just helping you understand what the risks are, how likely they are, and sometimes the issues you can run into if you over-fixate on a particular risk you're trying to avoid while blindly wandering straight into another one. So, let's get into it.
And if you haven't already done so, hit subscribe so you can stay in the loop with content I make to help you find your way in the crazy and hostile environment that is cryptocurrency.

So, before we start descending into the depths of the iceberg, the very first thing I wanted to mention, and a key risk for all types of wallets, is user error. That often falls into a few key categories that I see in the recoveries and support sessions I do. The first is over-engineering: someone has watched a bunch of videos online, read a bunch of blog posts, and decided to do the most complicated, most obscure security setup they can possibly think of. This is a recipe for disaster. Another big one is memorization. In the sorts of recoveries I do, this primarily looks like people having enabled a BIP39 passphrase. For a lot of wallets that is itself an advanced feature and is over-engineering, but if people don't write down their BIP39 passphrase and then forget it, they've lost access to their funds. The other basic one is damaged backups, whether that is paper backups damaged by water or ones that haven't been transcribed correctly. And the other big one that causes people to lose funds is storing the recovery phrase for their hardware wallet digitally: maybe they've just got a picture of it in the cloud, typed it into a Word document, stored it in an email, or printed it out.
So, the next thing we're going to look at is fraud and social engineering. This is very common, very easy to find, and can happen in a variety of ways. The one that continues to crop up time and time again over the years is fake versions of wallet software. What all of these fake apps do is, as soon as you open them, prompt you to enter your seed phrase. They might show some sort of scary error message to make you panic and do it in a hurry, but fundamentally they are all the same: they are all chasing your seed phrase. The other risk worth mentioning for hardware wallet users when it comes to fake wallet software is blind signing. That's mostly related to DeFi and things like that, but any time you are blind signing anything, you're pretty much just hoping that the software you're using is safe.
One type of attack, which is actually a really old one, is pre-initialized wallets, where people are sent a legitimate hardware wallet but with a pre-initialized seed phrase included, or even a pre-initialized device. A slight variation on this is malicious documentation: they might ship retail hardware but include different paperwork that directs you to download a malicious version of the wallet software, where you might just punch in the seed phrase and give it away. And the other big one that is very common at this level of fraud and social engineering is fake support. If you've ever had a problem with your hardware wallet and posted a question about it on a public forum, you've probably been inundated with private messages from scammers with random links to click on. These things are really common, but at the end of the day, just like fake software, they're pretty much always just going after your seed phrase.

The key thing with all of these fraud and social engineering attacks is that they are almost completely mitigated by simply buying your hardware wallet directly from the original vendor, and by making sure that when you set it up, you go to the official vendor's website, read the documentation there, and check that it matches what you're being told on the device. A lot of newer devices will also step you through the setup process on the physical device itself, often now including hardware genuine checks, and we'll talk more about that a bit later. Understand that you never need to give your 24-word seed away: not to your wallet software, not to a support person, not to some random website on the internet. Any documentation that tells you to enter it as part of setting up whatever obscure wallet or chain you're trying to use, or fork you're trying to claim, is trying to scam you. The only place you should ever be entering your 24-word recovery phrase is on your hardware device, using the screen and buttons on it, not on your computer and not on your phone.

The next level of risks we are going to look at are those that relate to privacy and operational security. The big ones are often purchase or customer data leaks. The key thing here is that this isn't just about the vendor retaining information: you also need to consider the e-commerce platform or website that's collecting your information, any newsletter they might sign you up to, who the payment processor is, and finally who the shipping partner is that the vendor uses to get the thing to your door. Any one of these points can leak information about the entire customer base of that vendor, which is something that has happened in the past and will continue to happen in the future. The big problem is that knowing which hardware wallet you have allows scammers to send you much more convincing phishing material. Whether it's an actual letter posted to your home address, targeted emails, or even phone calls, all of these can be personalized and fine-tuned to you. In terms of how you obtain hardware wallets, this can be mitigated if you buy a hardware wallet in a bricks-and-mortar store with cash, buy one at a conference, or do simple things like get it shipped to an address other than your house or under a name other than your actual name. The other thing to mention on maximum privacy is that this is one of the key areas where DIY hardware wallets can play an important role.
Using commodity off-the-shelf hardware that you can buy from Amazon, AliExpress, or any electronics shop lets you build your own hardware wallet without revealing to the entities you're buying from what you're actually trying to make with it.

One of the other challenges here is that while official vendor-supplied software can be a helpful way to ensure that what you're using is safe and legit, and to avoid some of the issues in the previous section, vendor-supplied software may itself collect information and logs about you and about your wallet balances, which the vendor may at some point decide is useful to share with third parties or even resell. The great thing is that any decent hardware wallet will allow you to use it with third-party wallet software, so you can operate your hardware wallet without sharing what you are storing or doing with your wallet vendor. Depending on how paranoid you want to be and who you want to remain private from, you can go one step further and not only use third-party software, but also run your own node, so that you don't need to communicate with any external entity about the balance of your wallets. The other thing I'll briefly mention is address reuse. There are an increasing number of hardware wallet vendors where, for coins and chains like Bitcoin, rather than giving you a new address every time you hit receive, they keep you using the same address over and over again. That means anyone who sends you funds, or anyone you send funds to, can see your entire wallet balance, and you may end up revealing more about your finances and affairs than you had intended.

So, the next level down takes us to supply chain. This level is very much about the trust you're placing in your vendor and in the hardware you actually have in your hands. This is where I'm going to talk about tampered hardware.
This thread popped up on Reddit a few weeks ago: someone had bought a Ledger device off a Chinese marketplace and thought it was a bit strange that it wasn't quite behaving as normal. When they opened it up, they found a completely different hardware setup running inside. The key thing with this fake is that it also came with fake documentation and fake software to make it look as though it was passing Ledger's genuine check. This is one of the places where different hardware vendors, through their design choices, have made quite different decisions about how hardware security is guaranteed, if at all. For example, if you take a Ledger device like this one here that I reviewed a couple of weeks ago, or any Ledger device, they have cryptographic verification of the hardware: a genuine check against cryptographic keys every time you connect to Ledger Live, to make sure that this is an actual Ledger device made by Ledger. Whereas devices like a Coldcard don't have any hardware genuine check at all. This was also one of the criticisms Ledger had of Trezor for a number of years. It's important to say that newer Trezor devices are not trivially cloned like the original Trezor T or Trezor One. But the point remains that different hardware vendors, with their different genuine checks or complete lack thereof, take very different approaches to guaranteeing, or not, the hardware security of your device. Maybe they're just using a few security seals, maybe a tamper-evident bag, or maybe they're fully cryptographically validating the hardware from the factory all the way to your desk.

This is also a good spot to mention tampered firmware. The key thing here is that retail hardware wallets, whether Ledger, Trezor, or Coldcard, will generally only accept firmware that has been officially released and cryptographically signed by the vendor. These physical devices have protections in place to prevent some random person from loading malicious firmware onto your hardware wallet. What they don't protect against is the company itself releasing malicious firmware. That could be because of a disgruntled staff member, or because the company has had a breach and lost control of its signing keys. Also worth mentioning here are bugs in the firmware, which have existed in the past. This is one of the ways having an air-gapped device can actually be helpful: it's one thing for a bug to exist in the firmware, but actually exploiting that bug and extracting data with it is often an entirely separate process, especially if the device is air-gapped. That makes it much harder to exploit the bugs that may exist. This category is also where we would consider backdoors in the firmware, and particularly for closed-source projects we could call these undocumented features in the firmware that may exist and that we frankly would have no way of knowing are in there. This is also why a lot of vendors use open-source models and reproducible builds, so that you as an end user, or the community collectively, can verify that the firmware you are flashing onto your device actually matches the source code on GitHub. Whereas with closed-source devices like Ledger, we don't actually know what is running on the device; we just have to trust that the vendor is doing the right thing and hope for the best.

The very last thing we'll talk about, which is really getting down into the depths, is actual intentional backdoors and attacks on the devices based on the physics of the electronics in your hardware wallet. I'll mention side-channel attacks first. Side-channel attacks look at ways to, for example, monitor the power usage of the device, or look at RF emissions from it, to work out information about the internal processes running on it, or even the keys on the device itself. These generally require someone to either physically have the device or have something special connected to it while you are using it, though these days you can embed all sorts of interesting software and hardware in a USB cable itself. These things make for a really impressive headline, but whether they're actually applicable to you is really up for debate.
Now, the other thing we can talk about down in the deep depths of paranoid risks is other kinds of intentional backdoors that might be in the hardware of your hardware wallet, even below what the actual vendor is using: backdoors in things like the random number generation on the hardware. The vendor may not even be aware of this. This is one of the reasons why a number of different hardware wallets will allow you to do things like generate a seed using dice. You just want to make sure you have enough entropy in there to keep it safe, and to mix entropy from the system RNG in with entropy from other sources, which is what devices like Trezor do. Or, if you're feeling extra paranoid, you could also add a passphrase on top of that, as long as you don't then increase the risk of mucking it up by trying to memorize the passphrase and forgetting it.

In terms of other backdoors in the hardware, while this might sound paranoid, intelligence services have a history of attempting these kinds of things. This kind of concern is precisely why various hardware vendors, for example from China, have been kicked out of markets like the US for mobile infrastructure, routers, and things like that. This is also a place where DIY hardware wallets have a role to play, because using commodity off-the-shelf parts that you gather and assemble yourself makes it harder for your specific hardware to be targeted with something that introduces a deliberate modification or backdoor, which would be much easier to do where shipments of the hardware are known to be going to a company making these kinds of devices, and there's an idea of what firmware will be running on top of them.
As for the possibility of the actual encryption schemes themselves being backdoored or having some weakness, there are reasons why, for example, some people and organizations will avoid things like the NIST ECC curves, though that, for example, is not one of the ones that is suspect. But for an actual end user, there's really not much you can do about this, or any reason to worry yourself about it. The key thing to mention when you get down to these depths is that if state-level actors with the resources to make custom malicious modified hardware are targeting you individually, then you have bigger problems to worry about. You're pretty much stuffed if that's the case.

So, there you go. That is the full hardware wallet risk iceberg I put together. I think it's a helpful way to talk about some of the different risks involved and to understand a bit more about the tradeoffs that exist when different vendors and projects prioritize addressing certain risks, especially when that comes at the expense of others. At the end of the day, the question of which hardware wallet is best doesn't really make a lot of sense, but it is helpful to ask which hardware wallet, or which approach, best addresses the kinds of threats and risks that you think are most likely to cause a problem in your situation. Is the most likely attacker you're worried about a nation-state? A thief? A scammer who's going to try and trick you with a confusing phishing email? A jealous relative or friend? Or is the reality that your own future self forgetting things is the single biggest risk? The answers will be different for everyone, and that's kind of the point. From the content on this channel, it should be pretty obvious that I land firmly on the DIY and open-source side, but I'm also very aware that these tools are not going to be appropriate for everyone. So make sure you do your own research, work out what the realistic threats are, and choose these tradeoffs with open eyes. Other than that, stay safe.

Thanks for watching. I hope that was helpful. Hit like if you think other people would find this video useful, and hit subscribe if you'd like to be kept in the loop about future content I make that helps people stay safe in the crypto space and recover if they get into trouble. If you have any questions about this video or a topic you'd like me to cover, just leave a reply.