
EP - 104

The Crypto Security Wake-Up Call You Can’t Ignore

with

Charles Guillemet
CTO @ Ledger

Nov 10, 2025

This episode of The Ledger Podcast, featuring Ledger Chief Technology Officer Charles Guillemet, provides an urgent wake-up call regarding the dramatically evolving threat landscape facing the crypto world.

Charles details several recent, large-scale attacks, including a massive software supply chain compromise and the commoditization of wallet-draining malware, stressing that the complexity and monetary incentives have increased the danger for crypto owners.

The discussion focuses on the critical need for robust security by design, emphasizing that hardware wallets and clear signing are the only reliable defenses against these sophisticated new threats.

“The only solution against [malware & cyber threats] is to have, like, a specific device that will store your keys, and these keys will stay on the device, and as soon as you transact you can verify on the device what you are transacting. There is no other solution today to fight against the attacks, and please don’t think that you will never, like, be tricked. It will happen for sure.” – Charles Guillemet

Key Highlights:

The New Threat Landscape: Crypto is the Target

Attackers are now focusing their considerable resources and time directly on stealing crypto. Charles observed that large-scale attacks directly targeting crypto are completely new. 

The rise in crypto value has created a huge live bounty for hackers, changing the dynamics and incentives for attackers who now see billions of dollars waiting to be drained. 

The assumption that there is no malware in the execution environment is almost always false.

Dissecting the NPM Supply Chain Attack

The recent npm incident was a software supply chain attack. JavaScript, the most used language on the internet, relies heavily on open-source libraries stored in the popular repository npm.

  • The Compromise:
    A reputable developer was compromised through a phishing email that replicated the npm website, stealing his credentials and 2FA token during a seemingly routine GPG key renewal process.
  • The Malware:
    The attacker gained access to the developer’s repositories and inserted malicious JavaScript code into popular libraries. This code was designed to detect whether a decentralized application (dApp) or an injected wallet object (window.ethereum) was present. If detected, the malware spied on network requests and swapped the user’s intended crypto recipient address with the attacker’s address on the fly.
  • The Scale:
    The compromised libraries saw more than two billion downloads in a single week. Had the execution been successful, the malware would have been present on almost every website, triggering instantly when a user interacted with a dApp.
  • Averted Disaster:
    The attack failed because the malicious code caused a Continuous Integration/Continuous Deployment (CI/CD) system to crash, alerting developers who quickly reverted the changes and analyzed the code, preventing the malware from spreading widely.
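The episode describes the compromise but not how a team would check its own dependency tree afterwards. The following is an added example (not code from the podcast, from Ledger, or from the affected projects) that audits an npm lockfile in the lockfileVersion 2/3 "packages" format against a denylist of known-bad versions and flags tarballs fetched from outside the trusted registry. The package names and versions in DENYLIST are placeholders, since the summary does not name the affected packages, and the sample lockfile is constructed.

```javascript
// Added example: audit an npm lockfile (lockfileVersion 2/3 "packages" map)
// against a denylist of known-bad versions and a trusted registry origin.
// Package names and versions in DENYLIST are PLACEHOLDERS: the episode
// summary does not name the affected packages or versions.

const DENYLIST = {
  "placeholder-package-a": new Set(["9.9.9"]),
  "@placeholder/package-b": new Set(["0.0.1"]),
};
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is everything after the last "node_modules/". The root project is "".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Returns one finding per (installed path, reason). Nested copies of a bad
// version are reported separately because each is a distinct install.
function auditLockfile(lock, denylist = DENYLIST) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = packageNameFromPath(path);
    if (name === null) continue; // skip the root project entry
    const version = entry.version;
    if (denylist[name]?.has(version)) {
      findings.push({ path, name, version, reason: "denylisted-version" });
    }
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ path, name, version, reason: "off-registry-tarball" });
    }
    if (!entry.integrity) {
      findings.push({ path, name, version, reason: "missing-integrity" });
    }
  }
  return findings;
}

// Wrapper for a real repository, e.g. auditLockfileAt("./package-lock.json").
function auditLockfileAt(file) {
  const fs = require("fs");
  return auditLockfile(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample lockfile (not a real project).
const SAMPLE_LOCKFILE = {
  name: "demo-dapp",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-dapp", dependencies: { "placeholder-package-a": "^9.9.0", "harmless-lib": "^2.0.0" } },
    "node_modules/placeholder-package-a": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/placeholder-package-a/-/placeholder-package-a-9.9.9.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/@placeholder/package-b": {
      version: "0.0.2", // not the denylisted 0.0.1, so no finding
      resolved: "https://registry.npmjs.org/@placeholder/package-b/-/package-b-0.0.2.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/harmless-lib": {
      version: "2.0.0",
      resolved: "https://mirror.example/harmless-lib-2.0.0.tgz", // off-registry origin
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/harmless-lib/node_modules/placeholder-package-a": {
      version: "9.9.9", // nested second copy of the bad version
      resolved: "https://registry.npmjs.org/placeholder-package-a/-/placeholder-package-a-9.9.9.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
  },
};

console.log(auditLockfile(SAMPLE_LOCKFILE));
```

Lockfiles in the older lockfileVersion 1 layout nest dependencies under "dependencies" rather than a flat "packages" map and would need a recursive walk; the checks themselves are the same. Reporting nested copies separately matters because a deduplicated top-level install can be clean while a nested copy pulled in by another dependency is not.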

Malware Commoditization Targets Individuals

Beyond supply chain attacks, individuals are being targeted with malware that gains control of their computers. These phishing efforts, often delivered via X (Twitter), Telegram, or job interview lures, trick users into downloading malicious software.

The creation of sophisticated wallet-draining malware is now completely commoditized. Full malware suites specializing in draining software wallets running on computers cost only $3,000 to purchase. This specialized malware executes code directly in memory, scanning the entire file system for seeds, blockchain-related files, and targeting wallets like MetaMask.

Even the tech-savvy co-founder of Thorchain lost close to a million dollars, demonstrating that nobody is immune to these psychologically sophisticated attacks.

The Hardware Wallet Solution and Clear Signing

In the current threat environment, the integrity of code running on a desktop or phone can no longer be relied upon.

Charles strongly emphasized that the only solution is to use a specific hardware device that stores keys offline, verified by a secure screen.

  • Offline Keys: If a Ledger is used properly, the seed stays securely inside the device, so malware cannot find it on the computer or network.
  • Key Hygiene: The recovery phrase must never be accessible digitally (e.g., in a TXT file, a photo on a phone, or in an iCloud account).
  • Fighting Blind Signing: To combat advanced threats that trick users into authorizing malicious transactions (blind signing), Ledger has implemented two key features:
    1. Clear Signing: The effort to clear sign every Web3 transaction allows users to verify exactly what they are signing on their device.
    2. Transaction Check: Available on devices like Ledger Flex and Stax, this feature involves third parties analyzing the risk of a specific transaction and prompting the user if it is dangerous.
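To make the difference between blind signing and clear signing concrete, and to show how clear signing catches the recipient swap described in the npm section above, here is an added example (not code from the podcast, from Ledger, or from any wallet) that hand-decodes ERC-20 transfer(address,uint256) calldata. The token contract, recipient and attacker addresses are constructed, the token metadata is assumed, and the device screen is modelled as a plain object.

```javascript
// Added example: what a device can show under blind signing vs. clear signing
// for an ERC-20 transfer. Hand-rolled ABI decoding; no wallet library assumed.

const TRANSFER_SELECTOR = "a9059cbb"; // first 4 bytes of keccak256("transfer(address,uint256)")

// Constructed sample: the user intends to send 1 token (6 decimals) to RECIPIENT,
// but a tampered page has swapped in ATTACKER_ADDRESS. All addresses are made up.
const RECIPIENT = "0x1111111111111111111111111111111111111111";
const ATTACKER_ADDRESS = "0x2222222222222222222222222222222222222222";
const TOKEN_CONTRACT = "0x3333333333333333333333333333333333333333";
const TOKEN_META = { address: TOKEN_CONTRACT, symbol: "TKN", decimals: 6 }; // assumed metadata

// ABI-encode transfer(to, amount): selector, then two left-padded 32-byte words.
function encodeErc20Transfer(to, amount) {
  return "0x" + TRANSFER_SELECTOR +
    to.slice(2).toLowerCase().padStart(64, "0") +
    amount.toString(16).padStart(64, "0");
}

const SWAPPED_TX = { to: TOKEN_CONTRACT, value: 0n, data: encodeErc20Transfer(ATTACKER_ADDRESS, 1000000n) };

// Blind signing: only the raw fields are available, so the user sees the token
// contract and an opaque hex blob; the real recipient is buried inside `data`.
function blindSigningView(tx) {
  return { to: tx.to, value: tx.value.toString(), data: tx.data };
}

// Decode transfer(address,uint256) calldata; returns null for anything else.
function decodeErc20Transfer(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (hex.length !== 8 + 64 + 64 || hex.slice(0, 8) !== TRANSFER_SELECTOR) return null;
  const toWord = hex.slice(8, 72);
  if (!/^0{24}/.test(toWord)) return null; // an address word must be zero-padded on the left
  return { to: "0x" + toWord.slice(24), amount: BigInt("0x" + hex.slice(72, 136)) };
}

// Render a raw token amount with its decimals, e.g. 1500000n / 6 -> "1.5".
function formatUnits(amount, decimals) {
  const s = amount.toString().padStart(decimals + 1, "0");
  const intPart = s.slice(0, s.length - decimals);
  const frac = s.slice(s.length - decimals).replace(/0+$/, "");
  return frac ? `${intPart}.${frac}` : intPart;
}

// Clear signing: decode the calldata against known token metadata so the
// secure screen can show action, token, recipient and amount in plain terms.
function clearSigningView(tx, tokenMeta) {
  const decoded = decodeErc20Transfer(tx.data);
  if (!decoded || tx.to.toLowerCase() !== tokenMeta.address.toLowerCase()) return null;
  return {
    action: "Transfer",
    token: tokenMeta.symbol,
    recipient: decoded.to,
    amount: formatUnits(decoded.amount, tokenMeta.decimals),
  };
}

// The user's check: does the recipient on the device screen match the address
// they meant to pay? This is the step an address-swapping malware cannot forge.
function recipientMatches(view, intendedRecipient) {
  return view !== null && view.recipient.toLowerCase() === intendedRecipient.toLowerCase();
}

console.log("blind signing shows:", blindSigningView(SWAPPED_TX));
console.log("clear signing shows:", clearSigningView(SWAPPED_TX, TOKEN_META));
console.log("recipient matches intent?", recipientMatches(clearSigningView(SWAPPED_TX, TOKEN_META), RECIPIENT)); // false
```

The blind view is what a user is asked to approve when the device has no decoder for the contract being called: a contract address, a zero ETH value and 68 bytes of hex. The clear view needs trusted token metadata on the device side (symbol and decimals), which is why clear signing requires per-contract descriptors rather than a generic decoder.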


Urgent Software Updates: Chromium and iOS Vulnerabilities

Widely used software remains a critical attack vector:

  • Chromium Zero-Day (CVE-2025-10585): Google’s team discovered an exploit used in the wild (in real-world attacks) that leveraged a type confusion vulnerability in the Chromium JavaScript engine. This allowed malicious JavaScript on a website to escape the browser’s isolation and compromise the user’s full system, potentially leading to crypto loss.
  • iOS Vulnerabilities: iOS security updates frequently patch vulnerabilities that have already been exploited in the wild. Charles warned that waiting to update is dangerous because attackers decompile the patch to understand the vulnerability, making it easy to exploit all users who are not up to date.

Users must update their operating systems and browsers immediately.

Donjon Reveals Flaws in Screenless Wallets (Tangem)

Ledger’s internal security research team, the Donjon, analyzes the broader ecosystem. They recently examined the Tangem card wallet, which lacks a secure screen.

The Ledger Donjon found a physical vulnerability that allows an attacker to brute force the card’s PIN by bypassing the time delay mechanism. They achieved this by monitoring the card’s electromagnetic emanation using a probe and an oscilloscope. If a bad PIN was entered, the attacker pulled the power before the card could increment the PIN counter.

This method allows approximately 2.5 PIN attempts per second. A short, 4-digit PIN could be defeated in a couple of hours. The Donjon noted that Tangem decided not to upgrade the card’s firmware, which Charles criticized, stating that the ability to upgrade is the number one security feature.
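The attack works because the card records the failed attempt only after it has compared the PIN, so cutting power in between erases the failure. The design fix is a standard one for tamper-resistant firmware: write the try-counter before any PIN-dependent work and refund it only on success. The following is an added toy model of both orderings (not Tangem’s or Ledger’s firmware), written in JavaScript so it runs alongside the other examples on this page; it assumes a non-volatile write is committed before the next statement executes, and the PIN and guesses are constructed.

```javascript
// Added example: the order in which a PIN try-counter is written decides whether
// cutting power after a failed comparison erases the failed attempt. Toy model
// of card firmware; an NVM write is assumed committed before the next statement.
// Nothing here is Tangem's or Ledger's code.

const MAX_TRIES = 3;

class PowerCut extends Error {}

// Simulated non-volatile memory of the card.
class CardNvm {
  constructor(pin) {
    this.pin = pin;
    this.tries = 0; // failed attempts since the last correct PIN
  }
}

// Fixed-work comparison so timing does not leak how many digits matched.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Vulnerable ordering: compare first, record the failure afterwards. If power
// is removed after the comparison result becomes observable (here modelled by
// the cutPowerAfterCompare flag) but before the counter write, nothing is recorded.
function verifyPinVulnerable(nvm, attempt, cutPowerAfterCompare = false) {
  if (nvm.tries >= MAX_TRIES) return { ok: false, locked: true };
  const ok = constantTimeEqual(nvm.pin, attempt);
  if (cutPowerAfterCompare) throw new PowerCut("reset before counter write");
  if (ok) {
    nvm.tries = 0;
  } else {
    nvm.tries += 1;
  }
  return { ok, locked: nvm.tries >= MAX_TRIES };
}

// Hardened ordering: charge the attempt to NVM before any PIN-dependent work and
// refund it only after a successful comparison. A power cut at the same point
// now leaves the attempt recorded.
function verifyPinHardened(nvm, attempt, cutPowerAfterCompare = false) {
  if (nvm.tries >= MAX_TRIES) return { ok: false, locked: true };
  nvm.tries += 1; // committed before the comparison
  const ok = constantTimeEqual(nvm.pin, attempt);
  if (cutPowerAfterCompare) throw new PowerCut("reset before success refund");
  if (ok) nvm.tries = 0;
  return { ok, locked: nvm.tries >= MAX_TRIES };
}

// Regression check for either design: feed wrong guesses, each followed by a
// power cut, and report how many failures the counter actually recorded.
function recordedFailuresUnderPowerCut(verifyFn, pin, wrongGuesses) {
  const nvm = new CardNvm(pin);
  for (const guess of wrongGuesses) {
    try {
      verifyFn(nvm, guess, true);
    } catch (e) {
      if (!(e instanceof PowerCut)) throw e;
    }
  }
  return nvm.tries;
}

const GUESSES = ["0000", "0001", "0002", "0003", "0004"]; // constructed wrong guesses
console.log("vulnerable design recorded:", recordedFailuresUnderPowerCut(verifyPinVulnerable, "1234", GUESSES)); // 0
console.log("hardened design recorded:", recordedFailuresUnderPowerCut(verifyPinHardened, "1234", GUESSES)); // 3
```

The hardened ordering has a deliberate cost: a legitimate user whose card loses power right after a correct PIN is also charged one attempt, because the refund never ran. That is the safe direction to fail in. The time delay the page mentions is a second, independent layer; it only helps if the counter it is keyed to cannot be rolled back by a reset.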

Reading List

Learn more about the topics mentioned in the episode, or explore our library of articles on Crypto, Security, and Regulation on Ledger Academy.

