Ledger's in-house security research team, Donjon, disclosed a vulnerability in MediaTek's secure boot chain that allowed an attacker with physical USB access to bypass Android security protections and extract crypto wallet seed phrases in approximately 45 seconds. The flaw affected devices running Trustonic's Trusted Execution Environment on MediaTek processors, a combination found in roughly 25% of Android phones worldwide. MediaTek released a patch on January 5, 2026, but unpatched devices remain exposed.
45 Seconds From USB Cable to Empty Wallet
The attack required no user interaction beyond physical access to a powered-on device. An attacker connects a USB cable, runs the exploit, and the script automatically recovers the phone's PIN, decrypts its storage, and extracts seed phrases from six popular software wallets: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem's Mobile Wallet, and Phantom. Forty-five seconds. That is less time than it takes to order coffee.
Ledger Donjon demonstrated the exploit on a Nothing CMF Phone 1, a budget device running a MediaTek chipset with Trustonic TEE. The vulnerability sat in the secure boot chain, the mechanism that verifies each layer of software as the phone starts up. A flaw in this chain meant the TEE, which is supposed to be an isolated vault for sensitive operations like PIN storage and encryption key management, could be compromised from outside.
The implication is stark. Any scenario where someone briefly handles your phone, a border crossing, a repair shop, a stolen device recovered hours later, could result in complete seed phrase extraction. No jailbreak. No malware installation that might trigger antivirus. Just a cable and a laptop.
Why MediaTek Chips Matter More Than You Think
MediaTek is not a niche brand. The company supplies processors for roughly 37% of smartphones shipped globally, according to Counterpoint Research. Its chips dominate the budget and mid-range segments across Southeast Asia, Africa, and Latin America, regions where crypto adoption runs highest relative to traditional banking access.
The affected configuration specifically involves Trustonic's TEE running on MediaTek silicon. Not every MediaTek phone uses Trustonic (some use alternatives like QSEE or Samsung's Knox), but the estimated 25% exposure rate still translates to hundreds of millions of devices. Many of these phones belong to users in markets where a software wallet on a $150 Android phone is the primary, sometimes the only, way to hold crypto.
Ledger's CTO put it bluntly: "Smartphones aren't built for security. Even when powered off, user data, including PINs and seeds, can be extracted in under a minute."
Ledger Donjon's Track Record
This is not the first time Donjon has found critical vulnerabilities outside Ledger's own products. The team has previously disclosed flaws in competing hardware wallets, Trezor devices, and secure element chips. Their research model follows responsible disclosure: find the flaw, notify the manufacturer, wait for a patch, then publish.
In this case, Donjon reported the MediaTek vulnerability before public disclosure, giving MediaTek time to develop and distribute the January 2026 patch. The public disclosure on March 12 came after a reasonable window for OEMs to push updates to users.
The research reinforces a point that hardware wallet manufacturers have been making for years: software wallets on general-purpose devices operate in a fundamentally different threat model than dedicated hardware wallets. A phone's TEE is a security improvement over storing keys in regular app memory, but it is still part of a complex system with a massive attack surface. A dedicated hardware wallet has one job and a fraction of the code.
Six Wallets Confirmed Vulnerable, Likely More
Donjon specifically named six wallets from which they successfully extracted seed phrases: Trust Wallet, Base, Kraken Wallet, Rabby, Tangem's Mobile Wallet, and Phantom. These are not fringe apps. Trust Wallet claims over 100 million users. Phantom dominates the Solana ecosystem. Kraken Wallet is tied to one of the largest US exchanges.
The vulnerability is not in the wallet software itself. Every one of these wallets encrypts seed phrases at rest using Android's security primitives, which in turn rely on the TEE. The problem is that the TEE itself was breached. Any software wallet that stores seeds on an affected device and relies on Android's standard encryption stack is theoretically exposed, whether Donjon tested it or not.
This is a supply-chain security problem. Wallet developers did everything right at their layer. The failure was two layers down, in the silicon vendor's boot chain implementation.
What You Should Do Right Now
Check your phone's chipset. Go to Settings, then About Phone. If it lists a MediaTek processor (Dimensity, Helio, or MT series), you may be affected.
Install the latest security patch. MediaTek issued the fix in January 2026. If your phone's security patch level is January 2026 or later, you are patched. If your OEM has not pushed the update, that is a different problem, and one worth switching phones over.
Consider the threat model. If you carry significant crypto balances in a software wallet on your phone, this disclosure is a concrete reason to move long-term holdings to a hardware wallet or at minimum to a phone with a verified secure element (Pixel with Titan, Samsung with Knox, iPhone with Secure Enclave). Software wallets on phones remain useful for spending money, the balances you would carry in a physical wallet. They are not cold storage.
Enable a strong lock screen. The exploit recovered the phone's PIN as part of the attack chain. A longer alphanumeric password adds time to the extraction, though Donjon did not specify whether it would push the attack beyond the 45-second window.
For users of crypto cards that connect to mobile wallets, the calculus is straightforward. Keep only what you plan to spend on the phone. Move the rest to dedicated hardware. The 45-second extraction window means physical access to your phone is now equivalent to physical access to your seed phrase.
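The chipset and patch-level checks described above can also be run over USB debugging instead of through the Settings screens. The script below is an added example, not code from Ledger, MediaTek or any wallet vendor. It assumes adb is installed and that the device exposes the Android properties ro.soc.manufacturer, ro.board.platform and ro.build.version.security_patch; the status strings and the sample property dump are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a device from `adb shell getprop` output.
# Threshold is the article's: security patch level January 2026 or later.
FIXED_MONTH=202601

# Print one property value from getprop text on stdin.
# Lines look like: [ro.build.version.security_patch]: [2025-11-05]
prop_value() {
    key=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^\[$key\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

assess_getprop() {
    dump=$(tr -d '\r')                            # adb output may use CRLF
    soc=$(printf '%s\n' "$dump" | prop_value ro.soc.manufacturer)
    platform=$(printf '%s\n' "$dump" | prop_value ro.board.platform)
    patch=$(printf '%s\n' "$dump" | prop_value ro.build.version.security_patch)

    # A MediaTek SoC only means "may be affected": the TEE vendor is not
    # visible in these properties, so every MediaTek device is flagged.
    case "$(printf '%s %s' "$soc" "$platform" | tr 'A-Z' 'a-z')" in
        *mediatek*|*" mt"[0-9]*) ;;
        *) echo "not-mediatek"; return 0 ;;
    esac

    # Refuse to guess when the patch level is missing or malformed.
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "mediatek-patch-unknown"; return 0 ;;
    esac

    ym=${patch%-*}                                # 2025-11-05 -> 2025-11
    month="${ym%-*}${ym#*-}"                      # 2025-11    -> 202511
    if [ "$month" -ge "$FIXED_MONTH" ]; then
        echo "mediatek-patched"
    else
        echo "mediatek-needs-update"
    fi
}

# Constructed sample, not captured from a real device.
SAMPLE_UNPATCHED='[ro.soc.manufacturer]: [Mediatek]
[ro.board.platform]: [mt6878]
[ro.build.version.security_patch]: [2025-11-05]'

if [ "${1:-}" = "--adb" ]; then
    adb shell getprop | assess_getprop            # live device over USB debugging
else
    printf '%s\n' "$SAMPLE_UNPATCHED" | assess_getprop
fi
```

Run it with --adb against a connected device; without arguments it evaluates the constructed sample and prints mediatek-needs-update.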
The Bigger Picture: Mobile Security Is Crypto's Weakest Link
This disclosure lands one week after Google's Coruna report detailed an iOS exploit kit targeting crypto wallets on older iPhones. Two major mobile security disclosures in eight days, spanning both Android and iOS, paint a pattern: as crypto balances on phones grow, so does the incentive to find extraction methods.
The market context adds urgency. BTC trades at $69,616 as of March 12, 2026, with the Fear and Greed Index sitting at 26 (Fear). In a fearful market, the last thing holders need is a reason to question whether their phones are safe. But the responsible response is not panic. It is patching, moving large balances to purpose-built hardware, and treating phones as hot wallets, not vaults.
MediaTek has done its part by shipping the patch. The bottleneck now is OEM distribution. Budget phone manufacturers in emerging markets are notoriously slow to push Android security updates, sometimes taking months or never updating at all. For the hundreds of millions of users on MediaTek-powered phones in Southeast Asia, Africa, and Latin America, the patch exists but may never arrive.
Overview
Ledger's Donjon security team discovered a vulnerability in MediaTek's secure boot chain that allowed complete seed phrase extraction from six popular Android wallets in 45 seconds via USB. The flaw affected roughly 25% of Android phones running Trustonic TEE on MediaTek chips. MediaTek patched the issue in January 2026, but OEM distribution delays leave millions of devices, particularly in emerging markets, potentially exposed. Users with significant crypto holdings on affected phones should install the latest security update immediately and consider moving long-term balances to dedicated hardware wallets.








