Glossary

Supply Chain Attack (Hardware Wallets)

Tampering with hardware wallets during manufacturing or shipping to extract private keys or install malicious firmware.

Key Takeaways

  • A supply chain attack targets hardware wallets at any point between manufacturing and delivery: attackers can replace firmware, implant hardware backdoors, or pre-generate seed phrases so they already know every private key on the device.
  • Verification defenses include secure element attestation, tamper-evident packaging, and reproducible firmware builds: these layers make it possible (though not trivial) for users to detect compromised devices before trusting them with funds.
  • The simplest mitigation is purchasing directly from the manufacturer, generating a fresh seed on setup, and verifying firmware through official companion apps: most documented attacks exploited devices bought from unauthorized resellers or tampered with in transit.

What Is a Supply Chain Attack?

A supply chain attack on a hardware wallet is any compromise that occurs between the point of manufacture and the moment a user sets up the device. Rather than trying to crack cryptography or exploit software vulnerabilities, the attacker intercepts the physical device and modifies it so that it appears to function normally while secretly leaking private keys or signing transactions under the attacker's control.

This class of attack is especially dangerous because the whole point of a cold storage device is that it is offline and isolated: users assume that a device which never connects to the internet keeps their keys safe. A supply chain attack undermines that assumption at the root: the device was never trustworthy to begin with, and being offline does nothing to help if the seed was known to someone else before the box was opened.

The attack surface extends beyond hardware. In December 2023, an attacker published malicious versions of Ledger's Connect Kit JavaScript library on NPM after phishing a former employee's credentials, stealing at least $600,000 from users of decentralized applications. Software dependencies, customer databases, and third-party service providers are all part of the supply chain.

How It Works

Supply chain attacks on signing devices follow several distinct patterns, each targeting a different link in the chain from factory to user.

Pre-Generated Seeds

The attacker replaces the device's random number generator or firmware so that it hands out seed phrases from a known set instead of generating them randomly. In a counterfeit Trezor Model T analyzed by Kaspersky in 2023, the firmware carried 20 pre-generated seed phrases hardcoded into the device. Passphrase protection was also gutted: only the first character of the user's passphrase was actually fed into the key derivation, so the attacker's search space was 20 seeds times 64 possible first characters, roughly 1,280 combinations, instead of the effectively unbounded space a real passphrase provides. The attackers waited approximately one month after funds arrived before draining the wallets.
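
To make that arithmetic concrete, the following is an added example, not Kaspersky's analysis or any vendor's code. It derives a BIP39 seed the standard way (PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" plus passphrase), models the counterfeit's passphrase truncation beside it, and then runs the attacker's brute force over the pairs (hardcoded mnemonic, first character). The three mnemonics, the victim passphrase and the 64-symbol alphabet are constructed for the demo; the code assumes ASCII input, since BIP39 also NFKD-normalises and the Go standard library has no normaliser.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha512"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA512 implements PBKDF2 (RFC 8018) with HMAC-SHA512. Written out
// here because the stdlib package crypto/pbkdf2 only exists from Go 1.24.
func pbkdf2SHA512(password, salt []byte, iter, keyLen int) []byte {
	out := make([]byte, 0, keyLen)
	var blockIndex [4]byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha512.New, password)
		binary.BigEndian.PutUint32(blockIndex[:], block)
		mac.Write(salt)
		mac.Write(blockIndex[:])
		u := mac.Sum(nil) // U_1 = PRF(password, salt || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil) // U_i = PRF(password, U_{i-1})
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Bip39Seed is the standard derivation:
// seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" || passphrase, 2048, 64 bytes).
// The passphrase goes into the salt, so every distinct passphrase yields an
// unrelated seed and therefore an unrelated wallet.
func Bip39Seed(mnemonic, passphrase string) []byte {
	return pbkdf2SHA512([]byte(mnemonic), []byte("mnemonic"+passphrase), 2048, 64)
}

// CounterfeitSeed models the backdoored firmware: only the first character
// of what the user typed reaches the KDF.
func CounterfeitSeed(mnemonic, passphrase string) []byte {
	if passphrase == "" {
		return Bip39Seed(mnemonic, "")
	}
	return Bip39Seed(mnemonic, passphrase[:1])
}

// CounterfeitKeyspace is the number of candidate seeds the attacker must
// try: one per (hardcoded mnemonic, first character) pair.
func CounterfeitKeyspace(hardcodedMnemonics, alphabetSize int) int {
	return hardcodedMnemonics * alphabetSize
}

// RecoverCounterfeitSeed is the attacker's search. In reality the target is
// an address seen on-chain and each candidate seed would be turned into an
// address before comparing; comparing raw seeds keeps the demo short.
func RecoverCounterfeitSeed(knownMnemonics []string, alphabet string, target []byte) (int, string, bool) {
	for i, m := range knownMnemonics {
		for _, c := range alphabet {
			if bytes.Equal(Bip39Seed(m, string(c)), target) {
				return i, string(c), true
			}
		}
	}
	return -1, "", false
}

// Constructed demo inputs standing in for the 20 hardcoded phrases. Whether a
// mnemonic's checksum is valid is irrelevant to the KDF, which only hashes words.
var hardcodedMnemonics = []string{
	"abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about",
	"legal winner thank year wave sausage worth useful legal winner thank yellow",
	"zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo zoo wrong",
}

// 64 symbols, the assumed size of the first-character alphabet.
const firstCharAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-"

func main() {
	m := hardcodedMnemonics[0]
	fmt.Println("genuine,  passphrase hunter2:      ", hex.EncodeToString(Bip39Seed(m, "hunter2"))[:32], "...")
	fmt.Println("genuine,  passphrase horse battery:", hex.EncodeToString(Bip39Seed(m, "horse battery"))[:32], "...")
	fmt.Println("backdoor, passphrase hunter2:      ", hex.EncodeToString(CounterfeitSeed(m, "hunter2"))[:32], "...")
	fmt.Println("backdoor, passphrase horse battery:", hex.EncodeToString(CounterfeitSeed(m, "horse battery"))[:32], "...")

	fmt.Printf("20 hardcoded seeds x %d first characters = %d candidates\n",
		len(firstCharAlphabet), CounterfeitKeyspace(20, len(firstCharAlphabet)))

	// The victim chooses a strong passphrase on the counterfeit; the attacker
	// only has to find the pair (mnemonic index, first character).
	target := CounterfeitSeed(hardcodedMnemonics[2], "Tr0ub4dor&3")
	idx, ch, ok := RecoverCounterfeitSeed(hardcodedMnemonics, firstCharAlphabet, target)
	fmt.Printf("recovered: mnemonic #%d, first character %q (found=%v)\n", idx, ch, ok)
}
```

The two "backdoor" lines print the same seed because both passphrases begin with "h"; the genuine lines differ. Running the search over all 20 phrases and 64 characters is 1,280 derivations, a few seconds on a laptop, which is why the attackers could afford to wait a month.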

Malicious Firmware

Modified firmware can appear completely legitimate while containing backdoors. In the counterfeit Trezor case, the attackers removed the bootloader's verification of digital signatures and protection mechanisms so the device displayed no security warnings during startup. The bootloader version was 2.0.4, a version Trezor had never released (it was skipped specifically because of fake devices). Without signature verification, the firmware could exfiltrate seed data or sign unauthorized transactions.

Hardware Implants

Physical modification of the circuit board itself is the most sophisticated vector. Documented techniques include soldering USB flash drives into Ledger device internals to deliver malicious programs and placing microchips on the traces between the screen, the buttons and the main processor to intercept data in real time. In the Kaspersky-analyzed counterfeit Trezor the microcontroller itself had been swapped: an STM32F429 with flash read-out protection fully disabled (RDP 0, so the flash can be read and rewritten over the debug interface) in place of the genuine STM32F427 running at the maximum protection level (RDP 2).

Data Breach and Phishing Chains

Supply chain attacks do not always target the device directly. In June 2020, attackers compromised Ledger's e-commerce database, exposing approximately 1.1 million email addresses and 272,000 records with full names, phone numbers, and home addresses. This data fueled years of targeted phishing campaigns. As recently as April 2025, Ledger users received professionally designed physical letters instructing them to scan QR codes and enter their 24-word recovery phrases: a social engineering extension of the original supply chain breach.

Real-World Incidents

Several high-profile incidents illustrate the range of supply chain attack techniques:

Incident | Year | Vector | Impact
--- | --- | --- | ---
Counterfeit Trezor (Kaspersky analysis) | 2023 | Replaced microcontroller, pre-generated seeds | Funds stolen about one month after deposit
Ledger Connect Kit | 2023 | Malicious NPM package via phished credentials | $600,000+ stolen from DApp users
Ledger customer data breach | 2020 | E-commerce database compromise | 1.1M emails, 272K addresses exposed
Trezor Safe 3 vulnerability | 2025 | Voltage glitching bypass of MCU protections | White-hat disclosure, mitigated by Trezor
Shai-Hulud / Trust Wallet | 2025 | Self-replicating NPM worm, leaked API keys | $7-8.5M stolen from 2,520 wallets

In March 2025, Ledger's Donjon security team demonstrated that the Trezor Safe 3's supply chain countermeasures could be bypassed via voltage glitching on the STM32 MCU. The core issue was that cryptographic operations ran on the general-purpose microcontroller rather than the secure element, and the device's authentication check only verified the secure element, not the MCU firmware. An attacker who can glitch the MCU can therefore run modified firmware while the secure element still passes the genuine-device check.

Verification and Mitigation

No single defense eliminates supply chain risk entirely. Effective protection relies on layering multiple verification mechanisms.

Secure Element Attestation

Cryptographic attestation is the strongest technical defense. During production the manufacturer provisions a private key inside the device's secure element and signs the matching public key, producing a per-device certificate that chains to the manufacturer's root. When the user connects the device to the companion app, the app sends a random challenge value. The secure element signs the challenge together with the firmware version it reports, and the app checks that the device certificate was issued by the manufacturer's published root key and that the signature is valid over the challenge it just issued. A counterfeit cannot pass this check without a key the manufacturer has certified, and a recorded reply cannot be replayed because the challenge changes every time. What the check proves is that the secure element is genuine; it says nothing about a general-purpose microcontroller next to it unless that microcontroller's firmware is itself verified.

# Simplified attestation flow
0. At the factory: secure element generates device_key; manufacturer signs device_pubkey -> device_cert
1. App generates a fresh random challenge: nonce = random(32 bytes)
2. App sends nonce to the device's secure element
3. Secure element replies with device_cert, fw_version and sig = sign(nonce || fw_version, device_key)
4. App checks verify(device_cert, manufacturer_pubkey) and verify(sig, nonce || fw_version, device_pubkey)
5. If both checks pass for the nonce just issued: the secure element is genuine and fw_version is what it reports

Ledger relies on this approach as their primary supply chain defense, explicitly warning that holographic seals create "a false impression of security" since an attacker capable of modifying firmware can also duplicate colored tape.
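
A runnable version of that exchange, as an added example rather than Ledger's or any other vendor's protocol: Ed25519 stands in for whatever curve a real secure element uses, the per-device key is certified by a manufacturer root at provisioning time, and the app-side check rejects a counterfeit root, a cloned certificate without the unreadable key, a replayed reply and a rewritten firmware string. The domain tag, version strings and type names are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

const nonceSize = 32

// Manufacturer holds the root attestation key. Only the public half ships
// inside the companion app; the private half stays in the factory HSM.
type Manufacturer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// DeviceCert binds one device's attestation public key to the manufacturer
// root. It is issued during production and stored next to the device key.
type DeviceCert struct {
	DevicePub ed25519.PublicKey
	Sig       []byte // manufacturer signature over DevicePub
}

// Device models the secure element: a key that can sign but cannot be read
// out, its certificate, and the firmware version it reports.
type Device struct {
	priv      ed25519.PrivateKey
	Cert      DeviceCert
	FWVersion string
}

// Attestation is the device's reply to one challenge.
type Attestation struct {
	Cert      DeviceCert
	FWVersion string
	Sig       []byte // device signature over attestMsg(nonce, FWVersion)
}

func NewManufacturer() *Manufacturer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Manufacturer{priv: priv, Pub: pub}
}

// Provision runs at the factory: generate a per-device key and certify it.
func (m *Manufacturer) Provision(fwVersion string) *Device {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	cert := DeviceCert{DevicePub: pub, Sig: ed25519.Sign(m.priv, pub)}
	return &Device{priv: priv, Cert: cert, FWVersion: fwVersion}
}

// NewNonce is the app's fresh challenge; freshness is what defeats replay.
func NewNonce() []byte {
	n := make([]byte, nonceSize)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// attestMsg is the signed payload: a domain tag, the fixed-size nonce and the
// reported firmware version (the nonce || fw_version of the flow above).
func attestMsg(nonce []byte, fwVersion string) []byte {
	msg := append([]byte("hw-attest-v1:"), nonce...)
	return append(msg, fwVersion...)
}

// Attest is the secure-element side of the exchange.
func (d *Device) Attest(nonce []byte) Attestation {
	return Attestation{
		Cert:      d.Cert,
		FWVersion: d.FWVersion,
		Sig:       ed25519.Sign(d.priv, attestMsg(nonce, d.FWVersion)),
	}
}

// Verify is the companion-app side. It accepts only a key the manufacturer
// certified and only a signature over the nonce it just issued.
func Verify(root ed25519.PublicKey, nonce []byte, a Attestation) error {
	if len(nonce) != nonceSize {
		return errors.New("nonce must be 32 bytes")
	}
	if len(a.Cert.DevicePub) != ed25519.PublicKeySize {
		return errors.New("malformed device public key")
	}
	if !ed25519.Verify(root, a.Cert.DevicePub, a.Cert.Sig) {
		return errors.New("device certificate not issued by manufacturer")
	}
	if !ed25519.Verify(a.Cert.DevicePub, attestMsg(nonce, a.FWVersion), a.Sig) {
		return errors.New("challenge signature invalid (forged, replayed, or fw_version rewritten)")
	}
	return nil
}

func main() {
	maker := NewManufacturer()
	genuine := maker.Provision("2.8.3") // constructed version string
	nonce := NewNonce()
	fmt.Println("genuine device:      ", Verify(maker.Pub, nonce, genuine.Attest(nonce)))

	// Counterfeit built around the attacker's own "manufacturer" root.
	fake := NewManufacturer().Provision("2.8.3")
	fmt.Println("counterfeit device:  ", Verify(maker.Pub, nonce, fake.Attest(nonce)))

	// Clone that copied a genuine certificate but not the unreadable key.
	clone := NewManufacturer().Provision("2.8.3")
	clone.Cert = genuine.Cert
	fmt.Println("cloned certificate:  ", Verify(maker.Pub, nonce, clone.Attest(nonce)))

	// Replay of an old, genuine attestation against a fresh challenge.
	fmt.Println("replayed attestation:", Verify(maker.Pub, NewNonce(), genuine.Attest(nonce)))

	// Interposer rewriting the reported firmware version in transit.
	tampered := genuine.Attest(nonce)
	tampered.FWVersion = "2.8.3-backdoor"
	fmt.Println("tampered fw_version: ", Verify(maker.Pub, nonce, tampered))
}
```

Only the first line prints `<nil>`. Note what the check does not cover: the secure element vouches for the version string it was asked to sign, so if, as in the Trezor Safe 3 case, the signing keys and the firmware that matters live on a separate microcontroller, a passing attestation proves the secure element is genuine and nothing more.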

Tamper-Evident Packaging

Physical packaging defenses provide a first layer of detection, though they should not be relied upon alone:

  • Coldcard ships in numbered tamper-evident bags with the bag serial number written into the device's secure element, verified on first power-up
  • Trezor uses holographic seals over USB-C ports and silver seals with strong adhesive on packaging for Safe 3, Safe 5, and Safe 7 models
  • BitBox uses randomly arranged spherical particles (BitBoxTEP) that form a unique fingerprint verifiable by eye or companion app
  • Foundation Passport uses tamper-evident case design that shows visible evidence of physical opening

Reproducible Firmware Builds

Reproducible builds allow anyone to compile firmware from published source code and verify that the resulting binary matches exactly what the vendor ships. Trezor has supported this since its earliest models: independent auditors can confirm that the released firmware is identical to the publicly reviewed source, with no backdoor inserted during the build. The build proves that the published binary matches the source; to tie that to the device in your hand you still need to compare the fingerprint the device shows during firmware installation against the one you computed.

# Verify Trezor firmware via reproducible build (see the build docs in the
# repository for the make target that matches your model)
git clone https://github.com/trezor/trezor-firmware
cd trezor-firmware
git checkout <release-tag>   # build exactly the revision that shipped
nix-shell --run "poetry install && poetry run make -C core build_firmware"
# Hash the resulting image. The shipped binary additionally carries Trezor's
# signatures in its header, so compare the signature-stripped fingerprint
# described in the repository's reproducible-build docs, not the raw file hash.
sha256sum core/build/firmware/firmware.bin

Best Practices for Buyers

Most documented supply chain attacks targeted devices purchased from unauthorized resellers. Following these practices significantly reduces risk:

  1. Purchase exclusively from the manufacturer's official website or listed authorized resellers: never from third-party marketplaces
  2. Inspect packaging for signs of tampering: broken seals, misaligned labels, or non-standard adhesive
  3. Always generate a new seed phrase during setup: a device that arrives with a pre-written recovery phrase is almost certainly compromised
  4. Run the manufacturer's attestation check through the official companion app before depositing any funds
  5. Keep firmware updated through official channels, as manufacturers regularly patch discovered vulnerabilities
  6. Verify transaction details on the device's physical screen before confirming: this catches firmware that silently substitutes destination addresses

Open-Source Hardware Approaches

Open-source hardware and firmware offer a fundamentally different trust model for mitigating supply chain risk. Instead of trusting a manufacturer's proprietary code and design, users and auditors can inspect every component.

  • Trezor publishes firmware source code and hardware schematics, enabling reproducible builds and independent security audits of the complete design
  • Foundation Passport releases both software and hardware under the CERN Open Hardware License, with US-based assembly and published supply chain information
  • SeedSigner takes the most radical approach: a DIY signing device built on commodity Raspberry Pi components sourced by the user, eliminating reliance on any single manufacturer's supply chain entirely

Open source is not a complete solution. Air-gapped designs reduce the software attack surface, but physical-layer attacks (voltage glitching, hardware implants) remain possible regardless of firmware transparency. The Trezor Safe 3 voltage glitching vulnerability demonstrated that even fully open firmware cannot protect against architectural weaknesses in how the microcontroller and secure element divide responsibilities.

Why It Matters

As self-custody adoption grows, supply chain integrity becomes a critical concern for anyone securing significant value in Bitcoin or other cryptocurrencies. Cold wallet adoption has risen from 15% to 22% of total wallet usage, with institutional adoption up 50% year-over-year, making hardware wallets an increasingly attractive target for sophisticated attackers.

The risk extends beyond individual devices. Software supply chain attacks like the Ledger Connect Kit compromise and the Shai-Hulud NPM worm demonstrate that wallet infrastructure itself is a target. For a deeper look at the tradeoffs between different custody approaches, see the self-custodial vs. custodial wallets comparison and the Bitcoin custody solutions overview.

Solutions like Spark address a related challenge: maintaining self-custodial security guarantees while reducing the operational complexity that drives users toward custodial services in the first place. When users can hold their own keys through well-designed software wallets with strong key management, the need to trust physical hardware supply chains can be reduced.

Risks and Considerations

Evil Maid Attacks

A related threat is the "evil maid" scenario: an attacker with temporary physical access to a device already in the owner's possession installs malicious firmware or hardware modifications. PIN codes and passphrases provide some protection, but voltage glitching techniques have been demonstrated to bypass MCU-level protections on certain devices. If a device is suspected of unauthorized physical access, the safest response is to immediately recover funds to a new wallet with a different seed.

Verification Gaps

No verification method is perfect. Secure element attestation detects a swapped or uncertified secure element but cannot see a hardware implant placed between the MCU and the display or buttons, nor, as the Trezor Safe 3 case showed, modified firmware on an MCU that the attestation design never covers. Tamper-evident packaging deters casual attackers but can be defeated by well-resourced adversaries with access to identical materials. Reproducible builds verify firmware but not hardware. A comprehensive defense combines all three and keeps the device under physical control.

Evolving Attack Surface

Supply chain attacks are becoming more sophisticated. The Shai-Hulud worm demonstrated self-replicating behavior across the NPM ecosystem, infecting over 640 packages and creating more than 25,000 data-leaking repositories. Multisig and threshold signature schemes distribute trust across multiple devices, but they also distribute the supply chain risk. Compromising a single device in a 2-of-3 setup does not grant full access, yet it does remove one layer of redundancy, which is an argument for sourcing cosigning devices from different vendors and purchase channels rather than from a single batch.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.