Ledger
hardware wallet
Ledger hardware wallets store private keys in a CC EAL6+ Secure Element. A 2020 breach exposed 272,000 customer addresses; no funds or keys were compromised.
About Ledger
Ledger is a French hardware wallet manufacturer founded in 2014 and headquartered in Paris. Its devices — including the Nano X, Nano S Plus, Ledger Flex, Ledger Stax, and Nano Gen5 — store private keys in an offline Secure Element chip, isolated from internet-connected devices. The company reports securing approximately 20% of the world's crypto assets across 6 million users in 200 countries.
Security Architecture
- Self-custody: private keys are generated and stored on the Secure Element (SE) chip and do not leave the device during normal operation
- Current devices use a CC EAL6+ certified Secure Element (ST33K1M5); the older Nano X uses a CC EAL5+ chip
- Ledger OS (BOLOS) isolates apps from each other and from the recovery phrase, so a compromised host computer cannot extract keys
- Supports 5,000+ assets via third-party wallet integrations
- Ledger Recover is an optional paid subscription ($9.99/month) that encrypts and shards the seed phrase across three custodians; using it introduces counterparty risk and, per Ledger's own acknowledgement, exposes shards to government subpoena
Open Source
- Apps and the Ledger Wallet companion software are open source
- The firmware OS is closed source: an agreement with chip manufacturer STMicroelectronics prevents full code disclosure
- Following community pressure in 2023, Ledger published a cryptographic white paper and partial source for the Recover service, but the full firmware stack cannot be independently audited
Incident History
- July 2020: Ledger's e-commerce database was breached via a stolen API key, exposing 1 million email addresses and the personal details — including home addresses — of approximately 272,000 customers. No private keys or funds were compromised. Data was published publicly in December 2020, fuelling widespread phishing and physical threat campaigns. In October 2024, France's CNIL fined Ledger €750,000 for GDPR violations related to the breach.
- December 2023: A supply chain attack compromised Ledger's Connect Kit npm library, injecting a wallet drainer into DeFi front ends for approximately five hours. Around $600,000 in user funds were stolen before the malicious package was replaced.
- January 2026: A third-party payment processor (Global-e) exposed Ledger customer names, email addresses, and postal addresses. No private keys or funds were affected.
Incident History
Ledger Connect Kit Supply Chain Attack
December 14, 2023
A former employee's compromised npm account was used to push malicious code to the Ledger Connect Kit library, affecting multiple DApps that integrated with Ledger.
Ledger Recover Controversy
May 16, 2023
Ledger announced Ledger Recover, a seed phrase recovery service that could export encrypted seed phrase shards. The announcement drew community backlash over the implication that seed phrases could leave the device.
Customer Database Breach
July 14, 2020
Ledger's e-commerce database was breached, exposing names, email addresses, phone numbers, and physical addresses of approximately 272,000 customers. The breach led to targeted phishing campaigns.