Back to Intelligence

Tangem Hardware Wallet Laser Attack: Physical Security Defense and Mitigation Strategies

SA
Security Arsenal Team
July 10, 2026
10 min read

Introduction

Researchers at Ledger's Donjon security team have demonstrated a critical vulnerability affecting Tangem hardware wallet cards. Through a precisely timed laser pulse directed at the card's secure element chip, an attacker can reset the wallet password to a value of their choosing—completely bypassing the original authentication mechanism.

Once the password is reset, the attacker gains full control of the wallet and can transfer all cryptocurrency assets without any trace in traditional security logs. This attack renders backup cards ineffective and requires no prior knowledge of the original password.

While this attack requires specialized equipment and physical access to the device, organizations holding cryptocurrency assets on Tangem wallets must immediately assess their exposure and implement layered defensive controls. The inability to patch affected cards means traditional software remediation is unavailable—defense must focus on physical security, supply chain integrity, and alternative custody solutions.

Technical Analysis

Affected Products and Scope

  • Product: Tangem hardware wallet cards (multiple models affected)
  • Platform: Physical secure element-based hardware wallet cards
  • Attack Vector: Physical fault injection via laser pulse
  • Remediation Status: Cards cannot be patched—hardware-level vulnerability

Vulnerability Mechanics

The attack exploits a physical side-channel vulnerability in the secure element chip used by Tangem wallets. By directing a precisely timed laser pulse at specific regions of the chip during the boot or authentication sequence, an attacker can induce a fault that resets the internal password verification mechanism.

Attack Chain:

  1. Attacker gains physical possession of the Tangem wallet card
  2. Using specialized equipment (laser setup with precise timing controls), attacker targets the secure element
  3. Laser pulse induces fault during password verification routine
  4. Card's password is reset to attacker-controlled value
  5. Attacker accesses wallet and transfers cryptocurrency assets

Exploitation Requirements:

  • Physical access to the wallet card (theft or temporary possession)
  • Specialized laser equipment (estimated cost: $10,000-$50,000)
  • Technical expertise in fault injection attacks
  • Time to position equipment and execute attack (minutes to hours)

Exploitation Status

  • PoC Availability: Confirmed by Ledger Donjon research team
  • In-the-Wild Exploitation: No confirmed active exploitation at time of disclosure
  • Attack Sophistication: High—requires significant technical capability and equipment
  • CISA KEV Status: Not currently listed

This represents a high-severity physical access vulnerability for organizations relying on Tangem wallets for cryptocurrency custody. While attack barriers are substantial, the impact is total loss of assets with no forensic trail on the card itself.

Detection & Response

SIGMA Rules

YAML
---
title: Potential Hardware Wallet Compromise - USB Device Anomaly
id: 8c7f4e2d-a1b3-4c5d-9e0f-1a2b3c4d5e6f
status: experimental
description: Detects connection of USB devices that may indicate unauthorized physical access to systems managing cryptocurrency wallets. Hardware wallet compromise often begins with physical system access.
references:
  - https://attack.mitre.org/techniques/T1200/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.initial_access
  - attack.t1200
logsource:
  category: device_insertion
  product: windows
detection:
  selection:
    DeviceClass|contains: 'USB'
  condition: selection
timeframe: 24h
falsepositives:
  - Authorized USB device connections
  - Routine peripheral usage
level: medium
---
title: Cryptocurrency Wallet Software Execution - Anomalous Time Pattern
id: 2d4e6f8a-0b1c-4d5e-9f0a-1b2c3d4e5f6a
status: experimental
description: Detects execution of wallet-related software outside of expected business hours, potentially indicating unauthorized access attempts or compromised credentials. Hardware wallet attacks often involve software components for transaction signing.
references:
  - https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|contains:
      - 'tangem'
      - 'ledger'
      - 'trezor'
      - 'metamask'
      - 'wallet'
    Hour:
      - range: 0-5
      - range: 18-23
  condition: selection
falsepositives:
  - Legitimate after-hours cryptocurrency management
  - Scheduled automated transactions
level: high
---
title: Cryptocurrency Service Connection - Unusual Endpoint
id: 5a8b2c3d-0e4f-4a5b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects network connections to known cryptocurrency services from systems that do not typically access these endpoints. May indicate wallet compromise or unauthorized asset transfer activity following hardware wallet exploitation.
references:
  - https://attack.mitre.org/techniques/T1071/
author: Security Arsenal
date: 2026/07/15
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    DestinationHostname|contains:
      - 'api.tangem.com'
      - 'blockchain.info'
      - 'etherscan.io'
      - 'bscscan.com'
      - 'polygonscan.com'
  filter:
    SourceHostname|contains:
      - 'workstation-authorized'
      - 'trading-desk'
  condition: selection and not filter
falsepositives:
  - Legitimate cryptocurrency transactions from authorized systems
  - Price monitoring and trading activities
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for unauthorized physical access indicators near wallet management systems
// Physical access is a prerequisite for laser-based hardware wallet attacks
let AuthorizedSystems = dynamic(['workstation-trading-01', 'workstation-trading-02', 'laptop-executive-03']);
DeviceProcessEvents
| where FileName in~('explorer.exe', 'cmd.exe', 'powershell.exe')
| where InitiatingProcessFileName in~('explorer.exe', 'cmd.exe', 'powershell.exe')
| where DeviceName !in (AuthorizedSystems)
| where ProcessCommandLine contains 'wallet' 
   or ProcessCommandLine contains 'crypto'
   or ProcessCommandLine contains 'tangem'
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
| summarize Count=count() by DeviceName, bin(Timestamp, 1h)
| where Count > 0


// Monitor for connections to Tangem and cryptocurrency services from non-business devices
// Unauthorized connections may indicate wallet compromise or asset exfiltration
let BusinessHours = range(datetime(2026-07-15T09:00:00), datetime(2026-07-15T17:00:00), 1h);
let CryptoServices = dynamic(['tangem.com', 'blockchain.info', 'etherscan.io', 'bscscan.com', 'polygonscan.com', 'coinbase.com', 'binance.com']);
DeviceNetworkEvents
| where RemoteUrl has_any (CryptoServices)
| where Timestamp !in (BusinessHours)
| project Timestamp, DeviceName, RemoteUrl, RemotePort, LocalPort, InitiatingProcessFileName
| order by Timestamp desc
| summarize Count=count() by DeviceName, RemoteUrl, bin(Timestamp, 6h)
| where Count > 0


// Correlate physical access events with system activity for wallet systems
// Physical access logs via CEF/Syslog ingestion correlated with endpoint activity
let PhysicalAccessEvents = Syslog
| where Facility contains 'access'
  or SyslogMessage contains 'door'
  or SyslogMessage contains 'badge'
| project Timestamp, Computer, SyslogMessage, SourceAddress;
let WalletSystemActivity = DeviceProcessEvents
| where ProcessCommandLine contains 'wallet'
   or ProcessCommandLine contains 'crypto'
   or ProcessCommandLine contains 'tangem'
| project Timestamp, DeviceName, AccountName, ProcessCommandLine;
PhysicalAccessEvents
| join kind=inner (
  WalletSystemActivity
) on $left.Timestamp == $right.Timestamp
| project Timestamp, Computer, SyslogMessage, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for wallet-related software on endpoints
-- Identify systems that may interact with hardware wallets for further monitoring
SELECT Pid, Name, Exe, Username, CreateTime, CommandLine
FROM pslist()
WHERE Name =~ 'wallet'
   OR Exe =~ 'tangem'
   OR Exe =~ 'ledger'
   OR Exe =~ 'trezor'
   OR CommandLine =~ 'crypto'
   OR CommandLine =~ 'blockchain'


-- Identify USB device connections that may indicate physical access
-- USB device history can reveal unauthorized access to systems managing wallets
SELECT * FROM artifacts.Windows.Sys.TrackingUSB()
WHERE SerialNumber IS NOT NULL
ORDER BY LastConnectionTimestamp DESC
LIMIT 50


-- Search for wallet configuration files and secrets
-- Compromised wallets may leave configuration artifacts on systems
SELECT FullPath, Size, Mtime, Atime, Btime, Mode
FROM glob(globs='*/**/*wallet*', root='C:/Users/')
WHERE Size > 0
   AND NOT FullPath =~ 'AppData/Local/Temp'
ORDER BY Mtime DESC
LIMIT 100

Remediation Script (PowerShell)

PowerShell
# Hardware Wallet Security Assessment Script
# Evaluates exposure to Tangem wallet laser attack and provides remediation guidance

# Check for wallet-related software on the system
Write-Host "[+] Checking for cryptocurrency wallet software..." -ForegroundColor Yellow
$walletProcesses = Get-Process | Where-Object { $_.ProcessName -match 'wallet|tangem|ledger|trezor|metamask|crypto' -and $_.Path } | Select-Object ProcessName, Path, StartTime

if ($walletProcesses) {
    Write-Host "[!] Wallet-related software detected:" -ForegroundColor Red
    $walletProcesses | Format-Table -AutoSize
} else {
    Write-Host "[+] No wallet-related processes detected." -ForegroundColor Green
}

# Check for wallet configuration files
Write-Host "[+] Checking for wallet configuration files..." -ForegroundColor Yellow
$walletPaths = @(
    "$env:APPDATA\Tangem",
    "$env:LOCALAPPDATA\Tangem",
    "$env:APPDATA\Ledger",
    "$env:APPDATA\Trezor",
    "$env:APPDATA\MetaMask"
)

$foundConfigs = @()
foreach ($path in $walletPaths) {
    if (Test-Path $path) {
        $files = Get-ChildItem -Path $path -Recurse -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime, Length
        if ($files) {
            $foundConfigs += $files
        }
    }
}

if ($foundConfigs) {
    Write-Host "[!] Wallet configuration files found:" -ForegroundColor Red
    $foundConfigs | Format-Table -AutoSize
} else {
    Write-Host "[+] No wallet configuration files detected." -ForegroundColor Green
}

# Security recommendations output
Write-Host "`n[+] SECURITY RECOMMENDATIONS FOR TANGEM WALLET LASER ATTACK MITIGATION:" -ForegroundColor Cyan
Write-Host "1. IMMEDIATE ASSESSMENT:" -ForegroundColor White
Write-Host "   - Inventory all Tangem wallet cards in custody" -ForegroundColor Gray
Write-Host "   - Verify physical location and custody chain for each card" -ForegroundColor Gray
Write-Host "   - Audit recent wallet activity on blockchain for unauthorized transactions" -ForegroundColor Gray
Write-Host "`n2. PHYSICAL SECURITY CONTROLS:" -ForegroundColor White
Write-Host "   - Store Tangem cards in rated physical safes when not in use" -ForegroundColor Gray
Write-Host "   - Implement access logging for all wallet storage locations" -ForegroundColor Gray
Write-Host "   - Require multi-person authorization for wallet access" -ForegroundColor Gray
Write-Host "   - Consider tamper-evident seals on wallet storage containers" -ForegroundColor Gray
Write-Host "`n3. ALTERNATIVE CUSTODY SOLUTIONS:" -ForegroundColor White
Write-Host "   - Evaluate migration to patchable hardware wallets (e.g., Ledger, Trezor)" -ForegroundColor Gray
Write-Host "   - Consider multi-signature wallets requiring multiple devices" -ForegroundColor Gray
Write-Host "   - Evaluate institutional custody services with insurance" -ForegroundColor Gray
Write-Host "`n4. MONITORING AND DETECTION:" -ForegroundColor White
Write-Host "   - Implement blockchain transaction monitoring with alerting" -ForegroundColor Gray
Write-Host "   - Regular balance verification on all wallets" -ForegroundColor Gray
Write-Host "   - Review physical access logs for wallet storage areas" -ForegroundColor Gray
Write-Host "`n5. CRITICAL: Tangem cards CANNOT be patched. Hardware replacement is required."

# Generate assessment report
$reportPath = "$env:TEMP\WalletSecurityAssessment_$(Get-Date -Format 'yyyyMMdd').txt"
"
Hardware Wallet Security Assessment Report
Generated: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
System: $env:COMPUTERNAME
User: $env:USERNAME

Wallet Processes Detected: $($walletProcesses.Count)
Configuration Files Found: $($foundConfigs.Count)

STATUS: IMMEDIATE REVIEW REQUIRED if any wallet software or configs found.

Follow the security recommendations above to mitigate Tangem laser attack exposure. " | Out-File -FilePath $reportPath -Encoding UTF8

PowerShell
Write-Host "`n[+] Assessment report saved to: $reportPath" -ForegroundColor Green

Remediation

Immediate Actions Required

1. Exposure Assessment (Immediate - Within 24 Hours)

  • Complete inventory of all Tangem wallet cards in organizational custody
  • Verify physical possession and custody chain for each wallet
  • Conduct blockchain transaction audit for all affected wallets dating back 90 days
  • Check for any unauthorized transfers or anomalous transaction patterns

2. Physical Security Hardening (Immediate - Within 48 Hours)

  • Move all Tangem wallets to rated physical safes (minimum UL TL-15 or equivalent)
  • Implement multi-person control for wallet access (minimum two authorized personnel required)
  • Install tamper-evident seals on wallet storage containers; document seal numbers
  • Review and audit physical access logs for wallet storage areas
  • Consider 24/7 video surveillance for wallet storage locations

3. Migration Planning (Within 1 Week)

  • Initiate procurement process for alternative hardware wallets with patchable firmware
  • Recommended alternatives: Ledger Nano X/S, Trezor Model T, KeepKey
  • Develop migration protocol including key generation, backup, and transfer procedures
  • Budget for wallet replacement: approximately $50-150 per card for enterprise-grade alternatives

Workarounds and Compensating Controls

Since Tangem cards cannot be patched, the following compensating controls must be implemented immediately for any wallets that cannot be immediately replaced:

ControlImplementation GuidanceEffectiveness
Physical IsolationStore in access-controlled safe with badge reader loggingHigh - prevents laser attack access
Multi-Signature RequirementRequire at least 2 of 3 signatures for transactionsHigh - single wallet compromise insufficient
Transaction LimitsImplement daily/weekly withdrawal limits on walletsMedium - limits exposure if compromised
Frequent Balance ChecksAutomated blockchain monitoring with immediate alertingMedium - reduces detection window
Tamper-Evident PackagingSealed containers with documented serial numbersLow-Medium - detects tampering after fact

Vendor Communications

  • Official Advisory: Monitor Tangem's official security page for updates and guidance
  • Support Contact: Contact Tangem enterprise support for bulk replacement programs
  • Third-Party Assessment: Engage independent hardware security labs for physical security evaluation if in-house expertise is unavailable

Long-Term Strategy

Organizations with significant cryptocurrency holdings should consider transitioning to institutional-grade custody solutions:

  • Multi-party computation (MPC) wallets: No single point of failure, distributed key generation
  • Hardware Security Module (HSM) backed solutions: FIPS 140-2 Level 3 or higher certified hardware
  • Institutional custody providers: Fireblocks, Coinbase Custody, BitGo (with insurance coverage)
  • Air-gapped cold storage: Systems with no network connectivity, physical transaction signing

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemhardware-wallettangemphysical-securitycrypto-securityside-channel-attack

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.