Introduction
Researchers at Ledger's Donjon security team have demonstrated a critical vulnerability affecting Tangem hardware wallet cards. Through a precisely timed laser pulse directed at the card's secure element chip, an attacker can reset the wallet password to a value of their choosing—completely bypassing the original authentication mechanism.
Once the password is reset, the attacker gains full control of the wallet and can transfer all cryptocurrency assets without any trace in traditional security logs. This attack renders backup cards ineffective and requires no prior knowledge of the original password.
While this attack requires specialized equipment and physical access to the device, organizations holding cryptocurrency assets on Tangem wallets must immediately assess their exposure and implement layered defensive controls. The inability to patch affected cards means traditional software remediation is unavailable—defense must focus on physical security, supply chain integrity, and alternative custody solutions.
Technical Analysis
Affected Products and Scope
- Product: Tangem hardware wallet cards (multiple models affected)
- Platform: Physical secure element-based hardware wallet cards
- Attack Vector: Physical fault injection via laser pulse
- Remediation Status: Cards cannot be patched—hardware-level vulnerability
Vulnerability Mechanics
The attack exploits a physical side-channel vulnerability in the secure element chip used by Tangem wallets. By directing a precisely timed laser pulse at specific regions of the chip during the boot or authentication sequence, an attacker can induce a fault that resets the internal password verification mechanism.
Attack Chain:
- Attacker gains physical possession of the Tangem wallet card
- Using specialized equipment (laser setup with precise timing controls), attacker targets the secure element
- Laser pulse induces fault during password verification routine
- Card's password is reset to attacker-controlled value
- Attacker accesses wallet and transfers cryptocurrency assets
Exploitation Requirements:
- Physical access to the wallet card (theft or temporary possession)
- Specialized laser equipment (estimated cost: $10,000-$50,000)
- Technical expertise in fault injection attacks
- Time to position equipment and execute attack (minutes to hours)
Exploitation Status
- PoC Availability: Confirmed by Ledger Donjon research team
- In-the-Wild Exploitation: No confirmed active exploitation at time of disclosure
- Attack Sophistication: High—requires significant technical capability and equipment
- CISA KEV Status: Not currently listed
This represents a high-severity physical access vulnerability for organizations relying on Tangem wallets for cryptocurrency custody. While attack barriers are substantial, the impact is total loss of assets with no forensic trail on the card itself.
Detection & Response
SIGMA Rules
---
title: Potential Hardware Wallet Compromise - USB Device Anomaly
id: 8c7f4e2d-a1b3-4c5d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects connection of USB devices that may indicate unauthorized physical access to systems managing cryptocurrency wallets. Hardware wallet compromise often begins with physical system access.
references:
- https://attack.mitre.org/techniques/T1200/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.initial_access
- attack.t1200
logsource:
category: device_insertion
product: windows
detection:
selection:
DeviceClass|contains: 'USB'
condition: selection
timeframe: 24h
falsepositives:
- Authorized USB device connections
- Routine peripheral usage
level: medium
---
title: Cryptocurrency Wallet Software Execution - Anomalous Time Pattern
id: 2d4e6f8a-0b1c-4d5e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects execution of wallet-related software outside of expected business hours, potentially indicating unauthorized access attempts or compromised credentials. Hardware wallet attacks often involve software components for transaction signing.
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.execution
- attack.t1059
logsource:
category: process_creation
product: windows
detection:
selection:
Image|contains:
- 'tangem'
- 'ledger'
- 'trezor'
- 'metamask'
- 'wallet'
Hour:
- range: 0-5
- range: 18-23
condition: selection
falsepositives:
- Legitimate after-hours cryptocurrency management
- Scheduled automated transactions
level: high
---
title: Cryptocurrency Service Connection - Unusual Endpoint
id: 5a8b2c3d-0e4f-4a5b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects network connections to known cryptocurrency services from systems that do not typically access these endpoints. May indicate wallet compromise or unauthorized asset transfer activity following hardware wallet exploitation.
references:
- https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/07/15
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'api.tangem.com'
- 'blockchain.info'
- 'etherscan.io'
- 'bscscan.com'
- 'polygonscan.com'
filter:
SourceHostname|contains:
- 'workstation-authorized'
- 'trading-desk'
condition: selection and not filter
falsepositives:
- Legitimate cryptocurrency transactions from authorized systems
- Price monitoring and trading activities
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for unauthorized physical access indicators near wallet management systems
// Physical access is a prerequisite for laser-based hardware wallet attacks
let AuthorizedSystems = dynamic(['workstation-trading-01', 'workstation-trading-02', 'laptop-executive-03']);
DeviceProcessEvents
| where FileName in~('explorer.exe', 'cmd.exe', 'powershell.exe')
| where InitiatingProcessFileName in~('explorer.exe', 'cmd.exe', 'powershell.exe')
| where DeviceName !in (AuthorizedSystems)
| where ProcessCommandLine contains 'wallet'
or ProcessCommandLine contains 'crypto'
or ProcessCommandLine contains 'tangem'
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
| summarize Count=count() by DeviceName, bin(Timestamp, 1h)
| where Count > 0
// Monitor for connections to Tangem and cryptocurrency services from non-business devices
// Unauthorized connections may indicate wallet compromise or asset exfiltration
let BusinessHours = range(datetime(2026-07-15T09:00:00), datetime(2026-07-15T17:00:00), 1h);
let CryptoServices = dynamic(['tangem.com', 'blockchain.info', 'etherscan.io', 'bscscan.com', 'polygonscan.com', 'coinbase.com', 'binance.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (CryptoServices)
| where Timestamp !in (BusinessHours)
| project Timestamp, DeviceName, RemoteUrl, RemotePort, LocalPort, InitiatingProcessFileName
| order by Timestamp desc
| summarize Count=count() by DeviceName, RemoteUrl, bin(Timestamp, 6h)
| where Count > 0
// Correlate physical access events with system activity for wallet systems
// Physical access logs via CEF/Syslog ingestion correlated with endpoint activity
let PhysicalAccessEvents = Syslog
| where Facility contains 'access'
or SyslogMessage contains 'door'
or SyslogMessage contains 'badge'
| project Timestamp, Computer, SyslogMessage, SourceAddress;
let WalletSystemActivity = DeviceProcessEvents
| where ProcessCommandLine contains 'wallet'
or ProcessCommandLine contains 'crypto'
or ProcessCommandLine contains 'tangem'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine;
PhysicalAccessEvents
| join kind=inner (
WalletSystemActivity
) on $left.Timestamp == $right.Timestamp
| project Timestamp, Computer, SyslogMessage, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
Velociraptor VQL
-- Hunt for wallet-related software on endpoints
-- Identify systems that may interact with hardware wallets for further monitoring
SELECT Pid, Name, Exe, Username, CreateTime, CommandLine
FROM pslist()
WHERE Name =~ 'wallet'
OR Exe =~ 'tangem'
OR Exe =~ 'ledger'
OR Exe =~ 'trezor'
OR CommandLine =~ 'crypto'
OR CommandLine =~ 'blockchain'
-- Identify USB device connections that may indicate physical access
-- USB device history can reveal unauthorized access to systems managing wallets
SELECT * FROM artifacts.Windows.Sys.TrackingUSB()
WHERE SerialNumber IS NOT NULL
ORDER BY LastConnectionTimestamp DESC
LIMIT 50
-- Search for wallet configuration files and secrets
-- Compromised wallets may leave configuration artifacts on systems
SELECT FullPath, Size, Mtime, Atime, Btime, Mode
FROM glob(globs='*/**/*wallet*', root='C:/Users/')
WHERE Size > 0
AND NOT FullPath =~ 'AppData/Local/Temp'
ORDER BY Mtime DESC
LIMIT 100
Remediation Script (PowerShell)
# Hardware Wallet Security Assessment Script
# Evaluates exposure to Tangem wallet laser attack and provides remediation guidance
# Check for wallet-related software on the system
Write-Host "[+] Checking for cryptocurrency wallet software..." -ForegroundColor Yellow
$walletProcesses = Get-Process | Where-Object { $_.ProcessName -match 'wallet|tangem|ledger|trezor|metamask|crypto' -and $_.Path } | Select-Object ProcessName, Path, StartTime
if ($walletProcesses) {
Write-Host "[!] Wallet-related software detected:" -ForegroundColor Red
$walletProcesses | Format-Table -AutoSize
} else {
Write-Host "[+] No wallet-related processes detected." -ForegroundColor Green
}
# Check for wallet configuration files
Write-Host "[+] Checking for wallet configuration files..." -ForegroundColor Yellow
$walletPaths = @(
"$env:APPDATA\Tangem",
"$env:LOCALAPPDATA\Tangem",
"$env:APPDATA\Ledger",
"$env:APPDATA\Trezor",
"$env:APPDATA\MetaMask"
)
$foundConfigs = @()
foreach ($path in $walletPaths) {
if (Test-Path $path) {
$files = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length
if ($files) {
$foundConfigs += $files
}
}
}
if ($foundConfigs) {
Write-Host "[!] Wallet configuration files found:" -ForegroundColor Red
$foundConfigs | Format-Table -AutoSize
} else {
Write-Host "[+] No wallet configuration files detected." -ForegroundColor Green
}
# Security recommendations output
Write-Host "`n[+] SECURITY RECOMMENDATIONS FOR TANGEM WALLET LASER ATTACK MITIGATION:" -ForegroundColor Cyan
Write-Host "1. IMMEDIATE ASSESSMENT:" -ForegroundColor White
Write-Host " - Inventory all Tangem wallet cards in custody" -ForegroundColor Gray
Write-Host " - Verify physical location and custody chain for each card" -ForegroundColor Gray
Write-Host " - Audit recent wallet activity on blockchain for unauthorized transactions" -ForegroundColor Gray
Write-Host "`n2. PHYSICAL SECURITY CONTROLS:" -ForegroundColor White
Write-Host " - Store Tangem cards in rated physical safes when not in use" -ForegroundColor Gray
Write-Host " - Implement access logging for all wallet storage locations" -ForegroundColor Gray
Write-Host " - Require multi-person authorization for wallet access" -ForegroundColor Gray
Write-Host " - Consider tamper-evident seals on wallet storage containers" -ForegroundColor Gray
Write-Host "`n3. ALTERNATIVE CUSTODY SOLUTIONS:" -ForegroundColor White
Write-Host " - Evaluate migration to patchable hardware wallets (e.g., Ledger, Trezor)" -ForegroundColor Gray
Write-Host " - Consider multi-signature wallets requiring multiple devices" -ForegroundColor Gray
Write-Host " - Evaluate institutional custody services with insurance" -ForegroundColor Gray
Write-Host "`n4. MONITORING AND DETECTION:" -ForegroundColor White
Write-Host " - Implement blockchain transaction monitoring with alerting" -ForegroundColor Gray
Write-Host " - Regular balance verification on all wallets" -ForegroundColor Gray
Write-Host " - Review physical access logs for wallet storage areas" -ForegroundColor Gray
Write-Host "`n5. CRITICAL: Tangem cards CANNOT be patched. Hardware replacement is required."
# Generate assessment report
$reportPath = "$env:TEMP\WalletSecurityAssessment_$(Get-Date -Format 'yyyyMMdd').txt"
"
Hardware Wallet Security Assessment Report
Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
System: $env:COMPUTERNAME
User: $env:USERNAME
Wallet Processes Detected: $($walletProcesses.Count)
Configuration Files Found: $($foundConfigs.Count)
STATUS: IMMEDIATE REVIEW REQUIRED if any wallet software or configs found.
Follow the security recommendations above to mitigate Tangem laser attack exposure. " | Out-File -FilePath $reportPath -Encoding UTF8
Write-Host "`n[+] Assessment report saved to: $reportPath" -ForegroundColor Green
Remediation
Immediate Actions Required
1. Exposure Assessment (Immediate - Within 24 Hours)
- Complete inventory of all Tangem wallet cards in organizational custody
- Verify physical possession and custody chain for each wallet
- Conduct blockchain transaction audit for all affected wallets dating back 90 days
- Check for any unauthorized transfers or anomalous transaction patterns
2. Physical Security Hardening (Immediate - Within 48 Hours)
- Move all Tangem wallets to rated physical safes (minimum UL TL-15 or equivalent)
- Implement multi-person control for wallet access (minimum two authorized personnel required)
- Install tamper-evident seals on wallet storage containers; document seal numbers
- Review and audit physical access logs for wallet storage areas
- Consider 24/7 video surveillance for wallet storage locations
3. Migration Planning (Within 1 Week)
- Initiate procurement process for alternative hardware wallets with patchable firmware
- Recommended alternatives: Ledger Nano X/S, Trezor Model T, KeepKey
- Develop migration protocol including key generation, backup, and transfer procedures
- Budget for wallet replacement: approximately $50-150 per card for enterprise-grade alternatives
Workarounds and Compensating Controls
Since Tangem cards cannot be patched, the following compensating controls must be implemented immediately for any wallets that cannot be immediately replaced:
| Control | Implementation Guidance | Effectiveness |
|---|---|---|
| Physical Isolation | Store in access-controlled safe with badge reader logging | High - prevents laser attack access |
| Multi-Signature Requirement | Require at least 2 of 3 signatures for transactions | High - single wallet compromise insufficient |
| Transaction Limits | Implement daily/weekly withdrawal limits on wallets | Medium - limits exposure if compromised |
| Frequent Balance Checks | Automated blockchain monitoring with immediate alerting | Medium - reduces detection window |
| Tamper-Evident Packaging | Sealed containers with documented serial numbers | Low-Medium - detects tampering after fact |
Vendor Communications
- Official Advisory: Monitor Tangem's official security page for updates and guidance
- Support Contact: Contact Tangem enterprise support for bulk replacement programs
- Third-Party Assessment: Engage independent hardware security labs for physical security evaluation if in-house expertise is unavailable
Long-Term Strategy
Organizations with significant cryptocurrency holdings should consider transitioning to institutional-grade custody solutions:
- Multi-party computation (MPC) wallets: No single point of failure, distributed key generation
- Hardware Security Module (HSM) backed solutions: FIPS 140-2 Level 3 or higher certified hardware
- Institutional custody providers: Fireblocks, Coinbase Custody, BitGo (with insurance coverage)
- Air-gapped cold storage: Systems with no network connectivity, physical transaction signing
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.