Ledger Donjon, the security research division of Ledger, has disclosed a vulnerability in Tangem hardware wallets that allows an attacker to reset a card's password through a laser fault injection attack. Tangem responded by saying the risk to everyday users is "virtually non-existent."
According to Ledger Donjon blog, the flaw affects all Tangem cards released to date and cannot be fixed through a software update because the devices do not support firmware upgrades.

Tangem card password reset attack. Source: Ledger Donjon.
To carry out the attack, Ledger researchers required physical access to the card, laser fault-injection equipment worth roughly $250,000, side-channel analysis tools, and advanced expertise in hardware security.
Attack grants full control over the wallet
According to the researchers, they removed the chip's protective layer and connected the card to specialized laboratory equipment. Using a nanosecond laser pulse, they disrupted the recovery mode verification process.That allowed them to bypass the firmware's recovery-state check and set a new password without knowing the original PIN or using a backup card.
Once the password is reset, an attacker can authorize transactions and gain full control over the crypto assets stored on the wallet.
Ledger Donjon said it successfully reproduced the attack on multiple Tangem cards, with each attempt taking approximately two hours to complete.
Tangem says risk to users is minimal
Tangem argued that the practical risk of the attack is "virtually non-existent." The company noted that exploitation requires laboratory equipment costing hundreds of thousands of dollars, physical possession of the card, and highly specialized expertise.Tangem also pointed out that Donjon is part of Ledger, one of its largest competitors in the hardware wallet market, and said that fact should be considered when evaluating the published findings.
The company added that, given sufficient time, resources, and physical access to a device, similar research could potentially be conducted against virtually any secure chip.
Earlier, security firm Coinspect warned about the Ill Bloom vulnerability affecting thousands of cryptocurrency wallets across the Bitcoin, Ethereum, Polygon, Rootstock, Tron, and Solana networks. Researchers estimate that attackers have stolen at least $5 million since late May by exploiting weak seed phrase generation in certain software wallets.
Earlier, Ledger introduced an updated Ledger Wallet application that combines buying, selling, swapping, and staking digital assets within a single interface.
Latest Crypto News
- Forex
- Crypto