Most hardware wallet companies spend their security budget hardening their own devices. Ledger does that too – but then they take it a step further. Founded in 2018, Ledger Donjon is their internal security research team: 8+ full-time researchers who actively probe competitors’ hardware wallets, then disclose every finding publicly. No other hardware wallet company operates this way. That’s one of the most underrated arguments for choosing Ledger over the competition.
TLDR
- Ledger Donjon is an in-house white-hat security team that actively hacks Ledger’s own products AND competitors like Trezor and Trust Wallet – then discloses findings publicly.
- Donjon found a critical flaw in the Trezor Safe 3 (cryptographic ops running on the MCU, not the Secure Element) and a bug in the Trust Wallet browser extension that could drain wallets using only a public address.
- No other hardware wallet company does this. It’s a meaningful differentiator for security-conscious holders – and it’s part of why Ledger remains my primary hardware wallet recommendation.
The Hardware Wallet Built by People Who Hack Hardware Wallets
What Is Ledger Donjon?
Ledger Donjon was founded in 2018 as Ledger’s internal security research lab. The team includes cryptography specialists, hardware security engineers, and software vulnerability researchers – over 8 million Ledger devices deployed globally with 20%+ of the world’s crypto assets secured through their platform. Their mandate: find weaknesses before attackers do, in Ledger’s products and across the entire hardware wallet ecosystem.
That scope covers three areas. First, they stress-test Ledger’s own hardware and firmware continuously – any flaw found internally gets patched before it can be exploited in the wild. Second, they examine the broader crypto security ecosystem: competitors’ hardware wallets, software wallets, browser extensions. Third, they publish their findings. Not quietly patch things and move on – they publish detailed technical writeups after each responsible disclosure.
That last part is what makes Donjon genuinely unusual. Responsible disclosure is a norm in traditional software security – you notify the vendor privately, give them time to fix it, then go public. It’s much rarer in the hardware wallet space, where vendors have a financial incentive to keep competitor vulnerabilities quiet rather than shine a light on the whole category.
Ledger Donjon’s approach is the opposite: find the vulnerability, notify the vendor, wait for a fix, then publish. It makes the entire ecosystem harder to exploit. It also creates a public track record that’s difficult to fake.
The Trezor Safe 3 Finding: Ledger Donjon in Action
One of Donjon’s most significant public findings targeted the Trezor Safe 3 – Trezor’s flagship model that markets itself as having a Secure Element chip.
The vulnerability Donjon identified was architectural: while the Trezor Safe 3 does include a Secure Element, cryptographic operations were still being performed on the MCU (microcontroller unit) rather than on the Secure Element itself.
Why does that matter? The Secure Element is the hardened, certified chip. It’s designed to resist physical attacks – probing, voltage glitching, side-channel analysis. The MCU is not. When cryptographic operations happen on the MCU, a sophisticated attacker with physical access to the device can potentially extract or tamper with key material through hardware-level attacks.
This creates a supply chain attack vector. A device could be intercepted between factory and buyer, physically tampered with at the MCU level, and returned to the packaging – with the buyer having no way to detect the manipulation. The “safe” in “Trezor Safe 3” implies the Secure Element is doing the heavy lifting. Donjon’s research showed the architecture didn’t fully deliver on that promise.
Trezor was notified through responsible disclosure and issued a fix. Donjon published their findings after the patch was available. The only reason consumers know this architectural detail existed is because Ledger’s team went looking for it.
I’ve covered the full comparison in more depth – the breakdown of the one architectural gets into the Secure Element versus MCU screen control distinction, which is the same category of issue Donjon surfaced here.
The Trust Wallet Browser Extension Vulnerability
The Trezor Safe 3 finding required physical device access to exploit. The Trust Wallet finding Donjon published in 2023 was more alarming: it could be exploited entirely remotely, requiring zero interaction from the target.
Donjon researchers discovered a critical cryptographic flaw in how the Trust Wallet browser extension generated seed phrases. The randomness source was weak enough that, given only a wallet’s public address, an attacker could compute the corresponding private key.
That’s about as severe as a vulnerability gets. A public address is, by definition, public – it’s what you share to receive funds. Every user who had generated a wallet via the Trust Wallet browser extension was potentially exposed. An attacker who scraped public blockchain addresses could work backward to the private key and drain the wallet without the owner ever doing anything wrong.
Trust Wallet was notified and patched the vulnerability within days of disclosure. Donjon published the technical details after the fix was live and users had time to update.
The scope here is important to state clearly: this affected the browser extension specifically, not Trust Wallet’s mobile app or other products. And it has been patched. But it illustrates the kind of foundational cryptographic flaw that can sit undetected in widely-used products – and that Donjon’s systematic research process is specifically designed to surface before attackers find it first.
For context on how blind transaction signing creates a similar category of undetectable risk, the blind signing explainer walks through the mechanics and the Bybit hack context.
Why Responsible Disclosure Matters – And Why Most Vendors Don’t Do It
Let’s be direct about the incentive structure here. When Donjon finds a vulnerability in a competitor’s product, Ledger could handle it three ways:
- Say nothing – let the flaw exist, potentially to Ledger’s competitive advantage if it’s eventually exploited in the wild
- Notify the vendor privately and say nothing publicly
- Notify the vendor, allow time to fix it, then publish the technical details
Option 3 is the hardest and most costly choice. It requires coordination, patience, and a willingness to create press around a problem in a competitor’s product that also raises questions about the general security of the hardware wallet category. You’re essentially helping a competitor fix their product while potentially spooking your own customer base about the whole industry.
The reason Ledger runs Donjon this way anyway comes down to a genuine belief that a more secure ecosystem benefits all crypto holders – including Ledger customers. If Trust Wallet users lose funds because of an unfixed vulnerability, that erodes trust in self-custody broadly. It’s also a defensible long-term business bet: being the company that surfaces and fixes these problems is more durable than being the company that stays quiet and hopes nobody notices.
There’s also a credibility dimension that marketing copy cannot replicate. Any company can claim to take security seriously. A seven-year public track record of finding vulnerabilities across competitors, disclosing them responsibly, and publishing detailed technical writeups is a fundamentally different kind of evidence.
How Donjon Informs Ledger’s Own Design
The Donjon findings don’t just benefit the ecosystem – they directly shape how Ledger’s devices are architected.
The MCU vulnerability in Trezor Safe 3 illustrates the exact problem Ledger’s design was built to avoid. Ledger devices use a Secure Element (CC EAL6+ certified – the same class of chip used in bank cards and passports) and ensure that cryptographic operations happen on the Secure Element, not on a separate MCU that lacks that protection.
The screen architecture is another direct example. On most hardware wallets – Trezor models, Coldcard, Jade, and others – the display is controlled by the MCU, not the Secure Element. Donjon has demonstrated that malware on a host computer can compromise the MCU and silently swap the wallet address shown on screen. The user verifies what they see on the device display and confirms the transaction – which actually sends their crypto somewhere else entirely.
Ledger’s secure screen is driven directly by the Secure Element. The Secure Element controls what gets displayed. A compromised host machine or a tampered MCU cannot inject a fake address into the display, because the screen isn’t taking instructions from the MCU at all. It’s listening to the same chip that holds the private keys.
This is the architectural table you should actually be reading when evaluating hardware wallets – not marketing copy about being “air-gapped” or “open source.”
Ledger vs Trezor: Security Comparison Table
| Security Dimension | Ledger (Nano X / Flex / Stax) | Trezor Safe 3 |
|---|---|---|
| Secure Element chip | CC EAL6+ certified | Yes (ATECC608A) |
| Cryptographic ops location | On the Secure Element | On MCU (Donjon finding, patched) |
| Screen controller | Secure Element directly | MCU |
| Screen spoofing risk | Mitigated – SE controls display | Possible if MCU compromised |
| Physical supply chain attack surface | SE chip is tamper-resistant | MCU accessible with hardware tools |
| Open source firmware | Mostly open; SE code closed (chip NDA) | Fully open source |
| Independent competitor security research | Yes – Donjon publishes findings | No comparable program |
| Vulnerability disclosures on own products | Yes, publicly | Yes, through advisories |
| Third-party product vulnerability research | Yes (Donjon hacks competitors) | No |
| Successful device hacks resulting in user losses | Zero | Zero |
A few things worth saying plainly about this table. Both Ledger and Trezor have been building hardware wallets since 2014, and neither has suffered a hack that cost users their crypto. The Trezor team takes security seriously and has a solid track record. The architectural differences I’ve outlined are real, but they’re most relevant in sophisticated physical attack scenarios – not typical consumer threat models.
Where Ledger separates itself is in two areas: the architecture (Secure Element-controlled screen, Secure Element-executed crypto ops) and the active research program. The Donjon’s work on Trezor Safe 3 was done after Trezor marketed the device around having a Secure Element. The research showed the implementation didn’t fully match the marketing. That kind of independent verification is valuable regardless of which device you end up choosing.
For the full category comparison including no-screen devices like Tangem and Bitkey, the best hardware wallets for 2026 roundup lays out the tradeoffs across all three hardware categories.
The full Ledger safety assessment for 2026 goes deeper on the Secure Element certification claims and Donjon’s role in validating them.
Secure Your Crypto the Same Way I Do
FAQ
What exactly is Ledger Donjon and is it truly independent?
Ledger Donjon is Ledger’s internal security research team, founded in 2018. It is not independent in the sense of being a third-party auditor – it’s funded by and part of Ledger. However, their published findings are verifiable technical writeups, and the responsible disclosure process (notifying vendors before publication) follows standard industry practices. Their track record of publishing detailed findings – including ones that reflect unflattering truths about the broader ecosystem – provides more signal than any independence claim could.
Did Trezor fix the vulnerability Ledger Donjon found in the Safe 3?
Yes. After Donjon notified Trezor about the MCU cryptographic operations finding, Trezor issued a fix. Donjon’s standard process is to notify the vendor, allow time for a patch, and then publish the technical details publicly. The vulnerability was disclosed after the fix was available. Existing Trezor Safe 3 users who have kept their firmware updated are not exposed to the original finding.
Is the Trust Wallet browser extension safe to use now?
The specific vulnerability Donjon found in 2023 – where a wallet’s private key could be computed from its public address due to a weak randomness source in seed generation – was patched within days of notification. The browser extension in its current form does not have that flaw. That said, any browser extension has a larger attack surface than a hardware wallet by design: it runs inside a browser process connected to the internet and interacting with third-party websites. For significant holdings, hardware wallet storage remains the appropriate security layer.
Does Ledger hack competitors to gain a marketing advantage?
Technically yes – Donjon researchers actively probe competitors’ products to find vulnerabilities. Whether that creates marketing benefit is obvious, but the responsible disclosure component – notifying vendors, waiting for patches, publishing only after fixes are live – is what distinguishes this from an adversarial PR operation. The test is whether findings are disclosed responsibly: Donjon’s track record on this is public and verifiable.
How does the Ledger Donjon compare to Solana’s security research?
Donjon’s scope covers the full hardware stack – including a finding related to the Solana Seeker phone’s boot ROM vulnerability. The Solana Seeker security vulnerability writeup covers what Donjon found and why it matters for anyone using the Seeker device. Donjon’s willingness to research products outside the traditional hardware wallet category shows the scope of their mandate.
The Bottom Line
I’ve been holding crypto since 2014. The hardware wallet space has matured significantly in that time, but one thing hasn’t changed: most of what buyers know about a device’s security comes from the manufacturer’s own marketing copy. Donjon is the exception to that. Their public research record means that Ledger’s security claims can be held to an external standard – not because an auditor certifies them, but because the team is actively trying to find the flaws and publishing what they discover.
The Trezor Safe 3 finding is the clearest example of why this matters. A device marketed around having a Secure Element was found to be running cryptographic operations outside of it. Without Donjon publishing that research, there’s no way the average buyer would have known. That’s precisely the kind of information that should be available to people making decisions about where to secure meaningful amounts of crypto.
If you’re evaluating hardware wallets and security architecture matters to you – which it should – Ledger is where I’d start that conversation.




