
In a recent how-to article, Medium blogger Paris Cormier laid out a set of instructions for successfully infiltrating a Ledger wallet. The instructions, which followed a fully detailed Docdroid.net disclosure, were posted for educational purposes to prevent the hack from being replicated and protect users who may fall victim to it.

The hardware wallet company acknowledged this vulnerability in their product with a tweet claiming that the “man in the middle attack” can be mitigated by verifying the receive address on the device’s screen. This is done by clicking the “monitor button” found in the wallet’s interface.

Following a report from news.bitcoin.com last month in which a man’s life savings were stolen from a hardware wallet supplied by a reseller, the news that Ledger’s hardware wallets are vulnerable has been met with anger from cryptocurrency users. The man described in the report is Redditor u/moodyrocket, who claimed that he has “[…] not used my Ledger in a week, today I decide to check the value of my XRP, Litecoin and Dash only to discover that all of them showed up as zero and had been transferred somewhere else yesterday all around the same time at 7:30pm. I am not sure how this is possible as I have not access my Ledger in a week.”

Cormier’s guide describes Ledger wallets as “one of the many that generate new public keys for each receiving transaction.” Such transactions are carried out by JavaScript code that runs on the client side. According to the guide, “This means that malicious code can easily replace the automatically generated receiving address with a hacker’s.”

Because public keys are changed regularly, users may not suspect that anything is wrong when the address changes. Users also have no viable method to verify the validity of the receiving address without resorting to external or third-party applications to check addresses manually.

Here’s an illustration of the hack as posted by @LedgerHQ on Twitter:
