• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Sq Magazine LogoSQ Magazine

Smarter Insights for a Fast-Moving Digital World

  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Sq Magazine Logo
  • Latest News
  • Statistics
  • About
  • Contact
Subscribe
Home » Cybersecurity

Tangem Wallet Cards Vulnerable to Laser Fault Attack

Published on: July 10, 2026
Sofia Ramirez
Written By
Sofia Ramirez
Sofia Ramirez
Senior Tech Writer • 486 Articles
Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps reader...
LATEST POSTS:
Palo Alto Networks Patches 13 PAN-OS Vulnerabilities
AI and Mental Health: Recent Statistics and Research Findings
Wiz Finds GhostApproval Flaw in 6 AI Coding Assistants
Barry Elad
Reviewed By
Barry Elad
Barry Elad
Founder & Senior Journalist • 748 Articles
Barry Elad is a seasoned journalist and analyst specializing in finance, technology, AI, and founder of SQ Magazine. He explores the world o...
LATEST POSTS:
Anthropic Launches Claude Reflect Beta to Track AI Habits
xAI Launches Grok 4.5, Elon Musk Calls It Opus-Class
Best Generative AI Platforms 2026: Best Tools Compared
Tangem Wallet Cards Vulnerable To Laser Fault Attack
As Featured In
The New York Times LogoForbes LogoWired LogoDeloitte LogoResearch.com Logo
Share on LinkedIn ChatGPT Perplexity Share on X Share on Facebook

Ledger Donjon revealed a laser fault-injection attack that resets a Tangem hardware wallet card’s password without the original password or a backup card this week. The flaw affects every Tangem card in circulation and cannot be patched.

Quick Summary – TLDR:

  • Ledger Donjon disclosed a laser fault-injection attack that resets a Tangem card’s password without the original password or a backup card.
  • The vulnerability affects every Tangem card currently in circulation and cannot be patched because the cards have no firmware update mechanism.
  • Ledger Donjon’s laboratory setup cost about $250,000 and required specialized equipment, hardware and software security expertise, and physical access to the card.
  • Ledger Donjon achieved a 100% success rate once the fault parameters were known, with each card taking about 2 hours to compromise.
  • The attack “isn’t scalable,” and no known real-world losses have come from laser fault-injection attacks on hardware wallets, per Tangem.

What Happened?

Tangem sells its wallet as a credit-card-shaped cold-storage device built around a Samsung S3D232A secure element certified to EAL6+, a high assurance level under the Common Criteria security-certification framework. The chip handles key generation, storage, and transaction signing, and the master key never leaves the card. Physical possession of the card plus the correct password are the two factors that gate access to the funds it holds, according to Ledger Donjon.

Ledger Donjon, the security research team at crypto wallet maker Ledger, said it found a way around that password requirement using nothing but a precisely timed pulse of laser light. Once the password is reset, the attacker has full control over the wallet and can sign arbitrary transactions to drain all funds tied to the card.

What this means for users? There’s no patch, but the attack is physical and invasive so it can’t be done covertly and the card returned intact. Ledger Donjon wrote in its report.

Our comment on Ledger Donjon’s latest article. It describes a laser fault injection (LFI), a physical, lab-only attack technique that applies to secure elements in general, not something unique to Tangem.

It’s also worth noting that while Ledger Donjon presents itself as an…

— Tangem (@Tangem) July 9, 2026

How the Laser Attack Works?

Tangem cards ship in sets of two or three that share one master key, and a recovery mechanism enabled by default lets an owner reset a lost password by holding two linked cards together during a challenge-response exchange. That legitimate flow triggers a single conditional check inside the card’s SetPin command that asks whether the card is in recovery state. Ledger Donjon aimed a single nanosecond laser pulse at a precise location on the secure element’s die to flip that one check, so the card accepted a new password without the legitimate recovery steps ever running.

Getting there wasn’t cheap or quick. The researchers cut open a card’s plastic body, exposed the silicon die, and wired the antenna into a custom evaluation board to get clean enough signals for laser targeting, work that required roughly $250,000 in specialized laboratory equipment plus advanced hardware and software security expertise.

Disabling the card’s recovery setting does not close the hole, since the branching logic that checks recovery authorization stays present and reachable regardless of that setting. Once Ledger Donjon mapped the right timing and laser parameters for the card model, the exploit worked on every attempt, with each card taking about 2 hours to compromise, a reproducibility rate rarely seen in physical hardware exploits.

Tangem Pushes Back

Tangem disputed the practical danger. The company shared a statement and said that the attack isn’t scalable and would require a highly skilled lab operator willing to destroy an unspecified number of cards to characterize the chip. Tangem said the disclosure doesn’t change its view that the wallet is fully safe against real-world attack scenarios.

The company pointed to a different threat model. No known real-world losses have come from laser fault-injection attacks on hardware wallets, while users lose funds far more often through seed-phrase mistakes, malicious apps, scam contracts, and bad clicks. Ledger Donjon’s own report does not dispute that framing. It states the only real risk is a lost or stolen card, and that if a card stays in the owner’s possession, the attack it describes cannot be performed.

Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

What’s Next?

Ledger Donjon recommends future card designs add redundant state checks at multiple points in the execution flow, fault-resistant boolean encoding, and unconditional validation of the recovery setting inside the SetPin handler.

None of that reaches cards already in the field, since the fix path runs through a redesigned chip generation rather than a security update. Owners can’t patch the flaw, but the practical exposure narrows to a lost or stolen card, so keeping physical custody and reporting a missing card immediately remain the concrete steps worth taking.

SQ Magazine’s Takeaway

This case is a reminder that an EAL6+ certification protects the chip, not the software written for it. Ledger Donjon needed one flawed conditional check in Tangem’s closed-source firmware to unlock full control of a card, and that single point of failure is exactly the class of bug its own recommended fix, checking recovery authorization at several independent points instead of one, is designed to close. Tangem’s rebuttal holds up against the numbers Ledger Donjon itself published, and it correctly names the realistic threat for most owners as a lost or stolen card rather than a remote hack.

The roughly five months between the February 10, 2026 private notification and this week’s public report gave Tangem time to prepare a response rather than a fix, since no fix is possible without redesigning the chip. That gap fits standard coordinated-disclosure norms, but it also means every card already in circulation stays exposed indefinitely if it’s ever lost. For anyone holding a Tangem card, physical possession is still the whole game: treating a missing card exactly like a missing wallet, and moving funds off it fast, matters more than waiting on a patch that isn’t coming.

This article has been reviewed and fact-checked by Barry Elad. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Share ChatGPT Perplexity

References

  • Ledger Donjon: Bypassing Tangem Card Security with a Laser Attack
  • Bitcoin Foundation: Tangem Bitcoin Wallet Cards Face Physical Attack Risk, Ledger Says
  • Our Comment on Ledger Donjon’s Latest Article | Tangem
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer


Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Technology

Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks

Microsoft Patches Rogueplanet Zero Day In Defender
Cybersecurity

Microsoft Patches RoguePlanet Zero-Day in Defender

Openai Launches Chatgpt Work With Gpt 5 6 Agents
Artificial Intelligence

OpenAI Launches ChatGPT Work With GPT-5.6 Agents

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment Cancel reply

Primary Sidebar

Connect With Us

facebook x linkedin google-news telegram pinterest whatsapp email
google-preferred-source-badge Add as a preferred source on Google

You Should Also Read

Palo Alto Networks Patches 13 PAN-OS Vulnerabilities
Wiz Finds GhostApproval Flaw in 6 AI Coding Assistants
AssuranceAmerica Data Breach Exposes 6.9 Million Drivers

Table of Contents

  • Quick Summary – TLDR:
  • What Happened?
  • How the Laser Attack Works?
  • Tangem Pushes Back
  • What’s Next?
  • SQ Magazine’s Takeaway
Connect on Telegram

Footer

SQ Magazine Logo

Smarter Insights for a Fast-Moving Digital World

Connect With Us

Follow Us on Google News

Editorial & Trust

  • About
  • Publishing Principles
  • Fact-Check Policy
  • Corrections Policy
  • Ethics Policy
  • Disclaimer

Worth Checking

  • Social Media Attention Span Stats
  • Gen Z Social Media Statistics
  • TikTok vs. Instagram Statistics
  • LLM Hallucination Statistics
  • Spotify User Statistics
  • Apple Customer Loyalty Statistics
Contact Us
13570 Grove Dr #189,
Maple Grove, MN 55311,
United States
10 a.m. to 6 p.m. | Every day

Copyright © 2022–2026 SQ Magazine. All Rights Reserved. Powered by the Neural Stack.

  • Privacy Policy
  • Terms
  • Accessibility Statement
Company
  • About Us
  • Our Team
  • Our Mission
  • Core Values
Discover
  • Brand Assets
    Brand Assets
  • Stats Methodology
    Stats Research Process
  • Glossary
    Glossary
Categories
  • Internet
  • Technology
  • Artificial Intelligence
  • Gaming
  • Cybersecurity
Internet
How Many People Work At Amazon
How Many People Work At Amazon 2026: Headcount, Layoffs, Productivity
Hulu Statistics
Hulu Statistics 2026: Subscribers, Revenue and Market Share
Spotify vs Apple Music Statistics
Spotify vs Apple Music Statistics 2026: Subscribers, Revenue, Market Share
Time Spent on TikTok Statistics
Time Spent on TikTok Statistics 2026: Daily Minutes by Age
Google Workspace Statistics
Google Workspace Statistics 2026: Users, Market Share and AI
YouTube vs TikTok Statistics
YouTube vs TikTok Statistics 2026: Users, Revenue, Creator Economy
Technology
Google Cloud Platform Statistics
Google Cloud Platform Statistics 2026: Market Growth
Asana Statistics
Asana Statistics 2026: Revenue, Customers, AI ARR and Market Share
AWS Statistics
AWS Statistics 2026: Revenue, Market Share and AI Growth
Adobe Creative Cloud Statistics
Adobe Creative Cloud Statistics 2026: Subscribers, Revenue and Market Share
Adobe Statistics
Adobe Statistics 2026: Revenue, ARR, and Workforce Data
Employee Productivity Statistics
Employee Productivity Statistics 2026: Engagement, Costs & Trends
Artificial Intelligence
Grammarly AI Statistics
Grammarly AI Statistics 2026: Users, Revenue, Funding, Rebrand
Copilot Statistics
Copilot Statistics 2026: Users, Adoption, Revenue and Market Share
AI Image Generation Statistics
AI Image Generation Statistics 2026: Market Size, Adoption & Risks
Machine Learning Adoption
Machine Learning Adoption in 2026: What Businesses Need to Know
AI Influencer Marketing Statistics
AI Influencer Marketing Statistics: Market Size and Engagement
AI Market Statistics
AI Market Statistics 2026: Size, Growth & Investment
Gaming
Online Gambling Regulations Statistics
Online Gambling Regulations Statistics 2026: Global Compliance and Enforcement Data
Fantasy Sports Statistics
Fantasy Sports Statistics 2026: Users, Revenue & Trends
Apex Legends Statistics
Apex Legends Statistics 2026: Players, Revenue, and Esports
Fortnite Statistics
Fortnite Statistics 2026: Players, Revenue, Esports, and Engagement
Gamers Statistics
Gamers Statistics 2026: Players, Habits & Global Data
Minecraft Statistics
Minecraft Statistics 2026: 300 Million Copies Sold & 212M Monthly Players
Cybersecurity
Password Statistics
Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point
Identity Theft Statistics
Identity Theft Statistics 2026: Key Fraud Data and Trends
CVE Statistics
CVE Statistics 2026: Severity Distribution and Top Affected Vendors
Dark Web AI Tool Marketplace Statistics
Dark Web AI Tool Marketplace Statistics 2026: Explosive Market Growth
API Security Breach Statistics
API Security Breach Statistics 2026: Hidden Threats
AI Voice Cloning Fraud Statistics
AI Voice Cloning Fraud Statistics 2026: Alarming Trends You Must Know Now
Categories
  • Cybersecurity
  • Artificial Intelligence
  • Internet
  • Technology
  • Gaming
Cybersecurity
Tangem Wallet Cards Vulnerable To Laser Fault Attack
Tangem Wallet Cards Vulnerable to Laser Fault Attack
Microsoft Patches Rogueplanet Zero Day In Defender
Microsoft Patches RoguePlanet Zero-Day in Defender
Palo Alto Networks Patches 13 Pan Os Vulnerabilities
Palo Alto Networks Patches 13 PAN-OS Vulnerabilities
Ghostapproval Flaw In 6 Ai Coding Assistants Found
Wiz Finds GhostApproval Flaw in 6 AI Coding Assistants
Assuranceamerica Data Breach Exposes 6 9 Million Drivers
AssuranceAmerica Data Breach Exposes 6.9 Million Drivers
Accenture Confirms Breach After Hacker Lists Stolen Data
Accenture Confirms Breach After Hacker Lists Stolen Data
Artificial Intelligence
Openai Launches Chatgpt Work With Gpt 5 6 Agents
OpenAI Launches ChatGPT Work With GPT-5.6 Agents
Openai Shuts Down Standalone Atlas Browser
OpenAI Shuts Down Standalone Atlas Browser
Meta Launches Muse Spark 1 1 Ai Coding Model
Meta Launches Muse Spark 1.1 to Challenge Anthropic, OpenAI
Anthropic Launches Claude Reflect Beta To Track Ai Habits
Anthropic Launches Claude Reflect Beta to Track AI Habits
Xai Launches Grok 4 5
xAI Launches Grok 4.5, Elon Musk Calls It Opus-Class
Openai Launches Gpt Live Full Duplex Voice Models
OpenAI Launches GPT-Live Full-Duplex Voice Models
Internet
Whatsapp Launches Username Reservation Feature
WhatsApp Opens Username Reservations for Its 3 Billion Users
Chrome 149 Update Fixes Serious Vulnerabilities
Google Chrome 149 Fixes 18 Serious Security Flaws
Meta Hands Whatsapp Reins To Cred Founder Kunal Shah
Meta Hands WhatsApp Reins to CRED Founder Kunal Shah
Major X Outage Disrupts Users Worldwide
Major X Outage Disrupts Users Worldwide, Service Restored
Meta Adds 13 Plus Age Verification For Teen Safety
Meta Adds 13+ Content Settings and AI Age Checks for Teens
Telegram Restricted In India Temporarily
Telegram Restricted in India as NEET Fraud Crackdown Grows
Technology
Apple S Foldable Iphone Ultra Battery Capacity Allegedly Leaks
Apple’s Foldable iPhone Ultra Battery Capacity Allegedly Leaks
Microsoft Lays Off 4800 Employees
Microsoft Cuts 4,800 Jobs, Resets Xbox Strategy
Chrome Update Fixes 382 Vulnerabilities
Chrome 150 Patches 382 Security Fixes, 15 Critical
Apple Leak Reveals Six New Iphones For 2027
Massive Apple Leak Reveals Six New iPhones for 2027
Google Finance Comes Out Of Beta With Android App
Google Finance Gets Major AI Upgrade and New Android App
Windows Recycle Bin Bug Confirmed After June Security Update
Windows Recycle Bin Bug Confirmed After June Security Update
Gaming
Gta Vi Official Cover Art
GTA 6 Pre-Orders Start June 25, New Cover Art Unveiled
Epic Games Teases Unreal Engine 6 For Rocket League
Epic Games Teases Unreal Engine 6 for Rocket League
Stardew Valley Launched For Nintendo Switch 2 Edition
Stardew Valley Switch 2 Edition Arrives with Online Co-op
Hogwarts Legacy Game Crosses 40m Downloads
Hogwarts Legacy Crosses 40M Sales, Beating Industry Giants
Pubg Black Budget Closed Alpha Launched
PUBG: Black Budget Launches Closed Alpha Test With a Bold PvPvE Twist
Counter Strike 2 Skin Market Crashes After Valve Update
Counter-Strike 2’s $5.9 Billion Skin Economy Just Got Shattered
Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Newsletter

Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.