Laser Attack Bypasses Tangem Crypto Wallet Security, Resets Passwords
Researchers have demonstrated a sophisticated laser fault injection attack capable of resetting passwords on Tangem hardware cryptocurrency wallets, posing a risk to unpatchable cards.

Security researchers have unveiled a concerning vulnerability affecting Tangem hardware cryptocurrency wallets, demonstrating a physical attack method that can bypass security measures and reset a wallet's password. The exploit, detailed by Ledger's Donjon security team, involves using a precisely timed laser pulse directed at the secure element chip within the Tangem card. This targeted laser injection can disturb the chip's circuitry at a critical moment, tricking the wallet into believing it is in a recovery state, thereby allowing an attacker to set a new password without knowing the old one.
The implications of this attack are significant, particularly because Tangem cards are designed with unpatchable firmware. This means that every card currently in circulation is susceptible to this physical exploit. While the attack requires the physical possession of the card and specialized laboratory equipment estimated to cost around $250,000, its success means an attacker could gain full control of the wallet and transfer out all associated cryptocurrency funds. The process also involves physically damaging the card, making the tampering evident.
Tangem wallets are designed to protect private keys within a secure element chip, certified to EAL6+, and protected by a user-defined password. The vulnerability exploits a specific feature intended for password recovery: when two cards from a linked set are presented, the system allows a password reset. The laser attack effectively simulates this recovery mode by causing the chip to misinterpret its operational state during the password check, bypassing the need for the original password or a secondary card.
While the attack is technically demanding and requires significant investment in equipment and expertise, its permanence on unpatchable hardware presents a unique challenge. The researchers reported the flaw to Tangem on February 10, 2026. The attack takes approximately two hours per card once the setup is complete, and it has been successful on all tested cards. The physical nature of the attack means it cannot be performed remotely, limiting its scope to scenarios where an attacker has physical access to the target card.
Tangem, in response, has downplayed the threat, characterizing it as a lab-only physical method applicable to secure element chips generally, rather than a specific flaw unique to their cards. The company also highlighted that the attacker would have no way of knowing the value of a card before attempting the exploit, and that the practical risk to everyday users is minimal due to the high cost and invasive nature of the attack. They emphasized that no funds have been lost to such an attack on any hardware wallet to date.
However, the researchers maintain that the flaw is real, unpatchable, and resides within the card's firmware, which cannot be updated. The attack becomes a more pertinent concern for individuals holding significant value on a lost, stolen, or seized Tangem card, where an attacker might have a specific reason to target it. This incident follows similar laser fault injection research conducted by Donjon on Trezor's Safe 7 wallet, though Trezor was able to implement firmware updates to mitigate future risks.
This discovery underscores a persistent challenge in hardware security: even highly certified secure elements can be vulnerable to sophisticated physical attacks. While the barrier to entry for such attacks is high, the unpatchable nature of the Tangem cards means that users who are particularly concerned about this specific threat, especially those with high-value holdings on lost or stolen cards, should consider migrating their funds to a different, updatable hardware wallet solution.
For the vast majority of Tangem users, the advice remains consistent with general hardware wallet security best practices: keep the physical card secure and protected from theft or loss. The attack, while technically impressive, is not a remote threat and requires substantial resources and physical access, making it impractical for widespread opportunistic attacks.