Edited By
Olivia Johnson

A fresh wave of revelations from Ledger's internal team, the Donjon, highlights ongoing efforts in 2025 to enhance the security of crypto hardware. This white-hat hacking initiative reflects escalating concerns around device vulnerabilities and the challenges in ensuring user trust amid industry controversies.
Donjon is Ledger's internal group of ethical hackers tasked with testing products before malicious actors can exploit weaknesses. The team's mantra is clear: "You can't call a device 'unhackable' without trying to hack it first." This proactive approach to security sets them apart in a landscape often marred by marketing gimmicks rather than genuine safety.
In 2025, Donjon focused on several areas:
Smartphone Weaknesses: During tests on the MediaTek Dimensity 7300 chip, the team used electromagnetic pulses to alter the boot process. This illustrates that while smartphones serve as essential tools, they fall short of being secure vaults for sensitive data.
Tangem Wallet Breaches: A recent examination of Tangem's card-style wallets revealed vulnerabilities that enable a brute-force attack on a 4-digit PIN in as little as an hour.
Collaborative Efforts: The team partnered with Trezor, identifying supply chain vulnerabilities within their Safe 3 microcontroller. This cooperation emphasizes a community-driven approach to bolstering security across the ecosystem.
Instead of publicizing exploits that could lead to further attacks, the Donjon team practices responsible disclosure. They provide a 90-day window for companies to address identified vulnerabilities. "We would rather get a 'thank you' in a patch note than see someone's savings lost," a team member noted.
Many wonder, "Does this matter if I don't lose my device?" The answer lies in the evolving nature of security. Each vulnerability discovered feeds back into firmware updates, underscoring the critical need for updatable devices. Without updates, wallets become ticking time bombs, susceptible to known threats over time.
While the work at the Donjon might seem methodical and slow, the costs of neglecting such proactive measures can be high. The lab, based in Paris, is equipped with advanced testing tools typically unseen by the public. Even as some challenges remain, the team also encourages external scrutiny through a public Bug Bounty program, fostering a culture of openness.
Comments about Ledger's practices reveal mixed feelings:
Call for Transparency: "Remove changelly and apologize to the victims first," urges one, reflecting broader discontent around trust issues.
Distrust: Another commenter wrote, "You might have a great team but business practices suggest we should not trust you."
In a world where trust is vital, the handling of data leaks and previous controversies weighs heavily on user confidence.
Donjon reinforces security through upfront testing.
Responsible disclosure ensures threats are managed before they go public.
Trust remains shaky among users post-controversy; fingers are pointed at past dealings.
Ledger's Donjon initiative paints a picture of an industry committed to evolving security, even as trust issues loom large. The question remains: will users embrace these measures amid lingering skepticism?
For more information about Ledger's commitment to security, visit Ledger's website.
As Ledger's Donjon continues pushing the envelope in security practices, there's a strong chance that other companies will follow suit. Experts estimate around a 70% likelihood that we will see broader industry collaboration aimed at fortifying crypto hardware over the next year. The continual rise of cyber threats may push companies to not only adopt strong security measures but also prioritize transparency. Additionally, this proactive culture could lead to a more robust Bug Bounty environment, encouraging more people from the ethical hacking community to engage in responsible security practices. Considering the growing demand for safe crypto solutions, consumers might increasingly gravitate toward brands showcasing such initiatives, leading to an emerging standard for security in the crypto space.
This situation recalls the establishment of safety standards in the automotive industry after the introduction of safety regulations in the 1960s. Just as manufacturers needed to adapt to rigorous testing for safety features, such as seat belts and airbags, so too do crypto hardware companies today face similar pressures. Once seen merely as optional enhancements, safety measures became essential for consumer trust and market competitiveness. Similarly, the necessity for crypto security may evolve from a niche requirement to a baseline expectation as people demand safety in a digital landscape fraught with risks.