Ledger Extracted Crypto Seeds From 6 Wallets in 45 Seconds

Ledger's Donjon team compromised Trust Wallet, Base, Kraken Wallet, Rabby, Tangem's Mobile Wallet, and Phantom on a test device running MediaTek's Dimensity 7300 chipset. Ledger tested the attack in December 2025 on Nothing's CMF Phone 1, which uses Trustonic's Trusted Execution Environment — a combination running on 25% of Android devices globally. The exploit bypassed security protections without booting into Android, automatically recovering the phone's PIN, decrypting storage, and pulling seed phrases from all six wallets in 45 seconds.

Ledger Chief Technology Officer Charles Guillemet said smartphones aren't built for security and that user data including pins and seeds can be extracted in under a minute even when devices are powered off. He explained that general-purpose chips prioritize convenience while dedicated Secure Elements isolate secrets from the rest of the system, protecting them even under physical attack. Ledger has flagged smartphone security risks since June 2020, when Guillemet first warned that both Android and iPhone devices make it very difficult to run secure applications.

MediaTek issued a patch on January 5, 2025. Ledger told Cointelegraph they don't anticipate this to be an ongoing issue now that the fix is live. The vulnerability affected approximately 36 million people managing digital assets on phones as of early 2025.

Ledger's Donjon team follows a 90-day responsible disclosure policy, auditing third-party hardware to let vendors patch flaws before public exploits emerge. MediaTek also patched separate boot chain vulnerabilities in its MT6899 and MT6989 chipsets through its February 2026 Product Security Bulletin. Check Point researchers previously identified MediaTek Trusted Execution Environment flaws in 2022 that allowed attackers to downgrade trusted apps on Xiaomi devices and extract private keys for Tencent Soter payments.