Ledger Donjon revealed a laser fault-injection attack that resets a Tangem hardware wallet card’s password without the original password or a backup card this week. The flaw affects every Tangem card in circulation and cannot be patched.
Quick Summary – TLDR:
- Ledger Donjon disclosed a laser fault-injection attack that resets a Tangem card’s password without the original password or a backup card.
- The vulnerability affects every Tangem card currently in circulation and cannot be patched because the cards have no firmware update mechanism.
- Ledger Donjon’s laboratory setup cost about $250,000 and required specialized equipment, hardware and software security expertise, and physical access to the card.
- Ledger Donjon achieved a 100% success rate once the fault parameters were known, with each card taking about 2 hours to compromise.
- The attack “isn’t scalable,” and no known real-world losses have come from laser fault-injection attacks on hardware wallets, per Tangem.
What Happened?
Tangem sells its wallet as a credit-card-shaped cold-storage device built around a Samsung S3D232A secure element certified to EAL6+, a high assurance level under the Common Criteria security-certification framework. The chip handles key generation, storage, and transaction signing, and the master key never leaves the card. Physical possession of the card plus the correct password are the two factors that gate access to the funds it holds, according to Ledger Donjon.
Ledger Donjon, the security research team at crypto wallet maker Ledger, said it found a way around that password requirement using nothing but a precisely timed pulse of laser light. Once the password is reset, the attacker has full control over the wallet and can sign arbitrary transactions to drain all funds tied to the card.
What this means for users? There’s no patch, but the attack is physical and invasive so it can’t be done covertly and the card returned intact. Ledger Donjon wrote in its report.
Our comment on Ledger Donjon’s latest article. It describes a laser fault injection (LFI), a physical, lab-only attack technique that applies to secure elements in general, not something unique to Tangem.
— Tangem (@Tangem) July 9, 2026
It’s also worth noting that while Ledger Donjon presents itself as an…
How the Laser Attack Works?
Tangem cards ship in sets of two or three that share one master key, and a recovery mechanism enabled by default lets an owner reset a lost password by holding two linked cards together during a challenge-response exchange. That legitimate flow triggers a single conditional check inside the card’s SetPin command that asks whether the card is in recovery state. Ledger Donjon aimed a single nanosecond laser pulse at a precise location on the secure element’s die to flip that one check, so the card accepted a new password without the legitimate recovery steps ever running.
Getting there wasn’t cheap or quick. The researchers cut open a card’s plastic body, exposed the silicon die, and wired the antenna into a custom evaluation board to get clean enough signals for laser targeting, work that required roughly $250,000 in specialized laboratory equipment plus advanced hardware and software security expertise.
Disabling the card’s recovery setting does not close the hole, since the branching logic that checks recovery authorization stays present and reachable regardless of that setting. Once Ledger Donjon mapped the right timing and laser parameters for the card model, the exploit worked on every attempt, with each card taking about 2 hours to compromise, a reproducibility rate rarely seen in physical hardware exploits.
Tangem Pushes Back
Tangem disputed the practical danger. The company shared a statement and said that the attack isn’t scalable and would require a highly skilled lab operator willing to destroy an unspecified number of cards to characterize the chip. Tangem said the disclosure doesn’t change its view that the wallet is fully safe against real-world attack scenarios.
The company pointed to a different threat model. No known real-world losses have come from laser fault-injection attacks on hardware wallets, while users lose funds far more often through seed-phrase mistakes, malicious apps, scam contracts, and bad clicks. Ledger Donjon’s own report does not dispute that framing. It states the only real risk is a lost or stolen card, and that if a card stays in the owner’s possession, the attack it describes cannot be performed.
What’s Next?
Ledger Donjon recommends future card designs add redundant state checks at multiple points in the execution flow, fault-resistant boolean encoding, and unconditional validation of the recovery setting inside the SetPin handler.
None of that reaches cards already in the field, since the fix path runs through a redesigned chip generation rather than a security update. Owners can’t patch the flaw, but the practical exposure narrows to a lost or stolen card, so keeping physical custody and reporting a missing card immediately remain the concrete steps worth taking.
SQ Magazine’s Takeaway
This case is a reminder that an EAL6+ certification protects the chip, not the software written for it. Ledger Donjon needed one flawed conditional check in Tangem’s closed-source firmware to unlock full control of a card, and that single point of failure is exactly the class of bug its own recommended fix, checking recovery authorization at several independent points instead of one, is designed to close. Tangem’s rebuttal holds up against the numbers Ledger Donjon itself published, and it correctly names the realistic threat for most owners as a lost or stolen card rather than a remote hack.
The roughly five months between the February 10, 2026 private notification and this week’s public report gave Tangem time to prepare a response rather than a fix, since no fix is possible without redesigning the chip. That gap fits standard coordinated-disclosure norms, but it also means every card already in circulation stays exposed indefinitely if it’s ever lost. For anyone holding a Tangem card, physical possession is still the whole game: treating a missing card exactly like a missing wallet, and moving funds off it fast, matters more than waiting on a patch that isn’t coming.