Trezor has disclosed a hardware vulnerability in the secure element of its Safe 7 wallet, then moved quickly to argue that customer funds are not at risk. The flaw, reported on June 3, 2026, was uncovered by Ledger Donjon, the security research lab run by rival hardware wallet maker Ledger, and the disclosure was coordinated with Tropic Square, the company behind the affected chip.
The vulnerability sits in the TROPIC01 secure element, an open-architecture chip that Trezor markets as a transparency upgrade over the closed, proprietary secure elements most competitors ship. The attack is a laser fault injection: by firing a precisely timed laser pulse at the silicon, a researcher can extract one of three "secrets" that protect the device PIN. That drops the PIN protection from three independent layers to two.
A physical attack, not a remote one
The most important detail for anyone holding a Safe 7 is the threat model. This is not malware, a phishing route, or anything that reaches your device over the internet. Pulling off the attack requires physical possession of the wallet, full disassembly of the hardware, and specialized laboratory equipment to land the laser pulse on the chip. Remote exploitation is not possible.
Trezor was direct in its statement: "Your funds remain safe and secure. Trezor Safe 7 has not been hacked." The company's reasoning rests on architecture. Private keys are not stored inside the TROPIC01 chip in the first place, so extracting one PIN secret does not hand an attacker the seed that controls the coins. The PIN itself is still defended by additional layers beyond the compromised one, and brute-forcing what remains is not trivial.
An outside voice backed the measured read. Cyvers CEO Deddy Lavid called the attack "highly impractical" and pointed out that the everyday threats to self-custody users (phishing pages, seed phrase theft, and malicious dApp approvals) remain far more dangerous than a laboratory laser rig. That ordering matters. The people most likely to lose crypto this year will lose it to a fake support agent or a drained approval, not to a lab bench.
The rival-audit angle
The disclosure carries an unusual wrinkle: the team that found the flaw works for the competition. Ledger Donjon is part of Ledger, Trezor's largest rival in the hardware wallet market. Donjon has a long record of probing competitor devices and publishing the results, and this is the latest entry.
There is a defensible argument that adversarial research from a direct competitor is healthy for the category. A secure element that markets itself on openness invites exactly this kind of scrutiny, and surviving it with funds intact is a stronger claim than one backed only by the vendor's own testing. The counter-read is just as obvious: a competitor has an incentive to frame any finding in the harshest light. Both can be true at once, which is why the technical specifics, not the framing, are what to weigh here. On the specifics, Trezor is not disputing that the laser attack works. It is disputing that the attack reaches user funds.
Reading hardware wallet claims more skeptically
For SpendNode readers, the lesson is less about Trezor and more about how to value a "secure element" line on any spec sheet. Secure elements are a real defense, but they are not a single impenetrable wall, and a freshly shipped chip drawing a published physical attack within its first year is a reminder that the marketing label and the lab result are different things.
That distinction feeds directly into custody decisions. Anyone funding a card from their own wallet is trusting a key that, in most setups, ultimately rests on a device like this. The takeaway is not to abandon hardware wallets. It is to keep the device physically secure, treat any unattended or secondhand unit with suspicion, and remember that physical-access attacks only matter if an attacker can get the hardware in hand. The same logic applies to anyone holding a Ledger device, where the firm's own researchers are the ones running these tests.
For most users, nothing about today's disclosure requires action. Keys stay where they were, the Safe 7 keeps functioning, and a passphrase on top of the PIN remains the strongest answer to any physical-access scenario. The story is a useful stress test of a security marketing claim, made public by the one party with every reason to break it.
Overview
Trezor disclosed a laser fault injection vulnerability in the TROPIC01 secure element of its Safe 7 wallet on June 3, 2026, found by rival Ledger's Donjon research team. The attack extracts one of three PIN-protecting secrets but requires physical possession, device disassembly, and lab equipment. Trezor says funds are safe because private keys are not stored on the affected chip, and an independent security CEO called the attack impractical relative to everyday phishing and seed-theft risks. No user action is required, but the episode is a reminder to read secure-element claims with care and to keep the device itself physically secure.








