Security researchers have uncovered a flaw in MediaTek’s mobile chipsets that could enable attackers to harvest crypto seed phrases from vulnerable devices simply by connecting a phone to a computer via USB. The vulnerability targets the secure boot chain, a layer designed to boot devices only with authorized software, and was disclosed by Ledger’s white-hat security team, Donjon. A patch was rolled out by MediaTek on January 5, but users who have not updated their devices remain exposed to potential attacks. In practical terms, an assailant with physical access could bypass a device’s protections and access sensitive wallet data without needing to unlock the device, underscoring how far security gaps in consumer hardware can reach in the crypto era.

Ledger notes that roughly a quarter of Android devices rely on MediaTek processors paired with the Trustonic Trusted Execution Environment (TEE), a combination the research found to be particularly exploitable. Donjon demonstrated the proof-of-concept by connecting a Nothing CMF Phone 1 to a laptop and compromising the device’s security in about 45 seconds. The exploit could, in a worst‑case scenario, recover the phone’s PIN, decrypt stored data, and extract seed phrases from popular wallets such as Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet and Phantom, all without requiring the device to be actively unlocked.

Ledger emphasizes that users should apply the January patch promptly, warning that devices left unpatched remain vulnerable to USB-based attacks that bypass the Android protections designed to prevent unauthorized data access. A Ledger spokesperson suggested that the organization does not anticipate the issue to persist as a systemic vulnerability, pointing to the patch as a remedy and noting improvements in hardware and software defenses over time. The broader takeaway is that mobile devices, while increasingly central to crypto management, remain areas of elevated risk when security architectures rely on general-purpose components rather than dedicated protective elements.

As the crypto ecosystem continues to expand, the mobile surface remains a live concern. Ledger’s assessment of the landscape includes a stark reminder that a large share of users store digital assets on smartphones, with the firm citing around 36 million people managing crypto on mobile devices as of early 2025. The implication is not merely about one exploit but about a structural tension between convenience and security in everyday devices. In late 2025, Ledger also revealed testing results on the MediaTek Dimensity 7300 (MT6878) that reportedly bypassed certain security measures, achieving a level of control over a smartphone that left “no security barrier standing.” These findings echo a longer-standing view from Ledger’s chief technology officer that smartphones—whether Android or iPhone—are inherently challenging to secure for crypto use.

Charles Guillemet has repeatedly underscored the underlying architectural gap between general-purpose chips, which prize convenience, and Secure Elements, which are designed to isolate and protect keys even under duress. In a post on X that followed the December tests, he reiterated a recurring theme: the best practice for protecting seeds is to rely on hardware-backed protections rather than trusting software alone. This sentiment aligns with a broader consensus in the security community that crypto keys deserve an isolated enclave, separate from the rest of the device’s software stack. The implications for wallet developers and hardware makers alike are clear: as fraud vectors evolve, so too must the hardware and the threat models that guide wallet design and user behavior. The ongoing discourse around secure elements, trusted execution environments, and hardware-backed security will likely drive further standards and recommendations for the crypto wallet ecosystem.

In the context of rapidly evolving mobile crypto usage, the incident serves as a reminder that security is not a one-time fix but an ongoing engineering challenge. Beyond patch deployment, users must consider the broader ecosystem: keeping devices updated, enabling additional protections on wallet apps, and staying informed about hardware vulnerabilities that could undermine seed protection. The episode also raises questions for manufacturers and platform providers about the balance between performance, feature parity, and robust security, particularly as mobile devices become the primary entry point for many users into the world of decentralized finance and digital assets.

Overall, the episode reinforces the view that mobile crypto security hinges on a layered strategy: hardware-backed secrets, rigorous boot-time protections, prompt software updates, and wallet designs that minimize the risk surface for seed exposure. While patches provide a necessary remedy, the industry faces a broader imperative to harden the entire stack—from chipset design and secure enclaves to firmware and application guardrails—to ensure that the convenience of mobile crypto management does not come at the expense of fundamental security.

Key takeaways

• The vulnerability resides in MediaTek’s secure boot chain, which could allow an attacker with physical access to bypass protections via USB and access wallet seeds.
• MediaTek released a patch on January 5, but devices that have not updated remain at risk of seed extraction and other data compromise.
• About 25% of Android devices are affected due to the combination of MediaTek processors and the Trustonic TEE, increasing the potential attack surface for seed exposure.
• A proof-of-concept demonstrated on a Nothing CMF Phone 1 achieved compromise in roughly 45 seconds, illustrating how quickly seed data could be extracted from several popular wallets.
• Ledger’s stance emphasizes that smartphones are inherently challenging for crypto security and that hardware-backed protections (e.g., Secure Elements) are essential to safeguarding seeds against physical attacks.
• Beyond the January patch, Ledger disclosed ongoing tests in December 2025 on the MT6878 that reportedly bypassed some security measures, underscoring the persistent need for robust hardware protections.

Sentiment: Neutral

Market context: The incident highlights ongoing risk in mobile crypto usage and the importance of timely firmware updates as users increasingly rely on smartphones for wallets and seed storage, contributing to broader risk sentiment around consumer hardware security.

Why it matters

For users actively managing crypto on mobile devices, the incident translates into a pragmatic reminder: seed phrases are high-value targets, and the most effective defense combines hardware-backed secrecy with disciplined software hygiene. The fact that a single USB connection could bypass protective layers and extract seed data from multiple wallets makes the case for diversified security architectures more compelling. Wallet developers may respond by encouraging or mandating hardware-backed seed storage, integrating stronger attestation, and pushing for standardized, secure boot practices across chipset families. The episode also underscores the role of independent researchers and white-hat teams in disclosing vulnerabilities that could otherwise go undetected until exploited in the wild.

From a market perspective, the event does not single out a particular asset or exchange, but it does shape risk perception around mobile wallet usability. As more users store crypto on smartphones, the potential payoff for attackers grows in tandem with the number of devices deployed and the wallets installed on them. This dynamic heightens the urgency for chipset makers, device manufacturers and wallet providers to collaborate on risk mitigation—outside of mere patch cycles—through architectural safeguards, secure update mechanisms, and clear user guidance on how to defend seeds in non-ideal physical environments.

For the broader ecosystem, the episode also serves as a test case for ongoing debates about hardware security: should smartphones rely on Secure Elements that isolate keys, or should wallets shift seed management to external, user-controlled devices with their own secure channels? The balance struck in design decisions over the next few years will influence the resilience of mobile crypto infrastructure as adoption continues to grow and as regulatory and market pressures push for stronger security guarantees.

What to watch next

• How quickly OEMs and MediaTek push out and verify the January patch across devices shipping with the affected chipsets.
• Whether wallet developers adopt more hardware-backed storage or additional attestation to reduce seed exposure risk on compromised devices.
• Any official guidance from Ledger or other security researchers on best practices for users to mitigate risk while awaiting firmware updates.
• Further testing results from security researchers on MT6878 and related MediaTek platforms to assess the durability of current protections.

Sources & verification

• Ledger’s public statements describing the vulnerability and the patch rollout on January 5.
• Donjon’s demonstration using a Nothing CMF Phone 1 to compromise a device within about 45 seconds.
• Ledger’s December 2025 disclosures about testing an attack on the MediaTek Dimensity 7300 (MT6878) and bypassing security measures.
• Charles Guillemet’s public comments on smartphone security and the challenges of securing mobile crypto workflows.

Security episode: how a USB-based breach in MediaTek chips could expose seed phrases

The attack scenario centers on the media ecosystem surrounding contemporary smartphones. By exploiting the secure boot chain in MediaTek’s mobile processors, an attacker could connect a device to a PC and proceed without booting into the Android operating system in a conventional sense. The practical upshot is the potential to automatically recover device PINs, decrypt stored data, and extract seed phrases from widely used wallets—Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet, and Phantom—without requiring the user to unlock the phone or enter sensitive credentials. The proof-of-concept demonstrated on the Nothing CMF Phone 1 in roughly 45 seconds underscores how quickly such a breach could occur in a real-world scenario, particularly when users fail to apply patches in a timely manner.

MediaTek’s response to the vulnerability, which included a software patch released on January 5, aims to close the door on the attack by strengthening the integrity of the boot process and reducing the likelihood of unauthorized access to the secure storage that holds seed material. Ledger’s assessment indicates that while the patch is a necessary stopgap, the broader trajectory of mobile crypto security remains a work in progress, especially given the prevalence of devices that rely on Trustonic’s TEE in conjunction with MediaTek chips. The intersection of hardware security with consumer electronics means that even small architectural choices—how keys are isolated, how boot protections are verified, and how protected storage is accessed—can have outsized implications for user safety in the crypto domain.

Looking ahead, the crypto community will be watching whether the January patch is widely adopted across device fleets, how wallet developers respond with additional mitigations, and whether hardware manufacturers continue to push for more robust, hardware-backed protections as a standard feature. The broader message is that seed storage remains a high-value target, and as the mobile economy around digital assets grows, so too must the security controls that protect those seeds—from the moment a device boots up to the moment a user signs a transaction or unlocks a wallet.

Cardano price is hovering near $0.25 support as traders watch whether ADA can hold the level while Charles Hoskinson discusses potential buybacks.

Cardano (ADA) moved lower on Wednesday as sellers kept pressure on the market. At the time of writing, ADA was trading at $0.2585, down about 2% over the past 24 hours.

During the past week, the token traded between $0.2492 and $0.2828. The range has narrowed as the market cooled after earlier volatility. ADA has lost around 5% over the last seven days, and the longer trend remains weak. Since January, the token is down roughly 20% in 2026 so far.

Market activity has not changed much despite the price decline. Daily trading volume reached $799 million, only 0.22% higher than the previous session.

CoinGlass data shows some cooling in derivatives markets. Open interest slipped 3.57% to $419 million, which often happens when traders close positions during uncertain price action.

Hoskinson hints at ADA buybacks and new funding model

In a recent video update, Charles Hoskinson shared new details about how the Cardano ecosystem may be funded in the coming years.

According to Hoskinson, the network has spent years building its core infrastructure. The next step, he said, is to focus more on useful applications and better user experience. Without that shift, strong infrastructure alone will not attract users.

Developers and dApp teams could receive stronger incentives under the proposed model. One idea being discussed involves the Cardano treasury investing in a group of projects across the ecosystem, including DeFi platforms and other applications.

If the plan moves forward, returns from those investments could be used in part to buy ADA from the open market. Hoskinson described this as a possible buyback mechanism that may support the token while also funding ecosystem growth.

The proposal reflects a change in approach. Instead of relying mostly on grants, the treasury may begin making strategic investments designed to increase activity on the network.

Hoskinson has said that 2026 will be an important year for execution, with attention shifting toward real-world utility and stronger dApp ecosystems.

Technical analysis: ADA holds near key support

On the charts, Cardano is trading close to the lower Bollinger Band, which often appears when markets face short-term selling pressure.

The overall trend still points downward. Over the past several weeks, the chart has produced lower highs and lower lows, a pattern that usually marks a continuing downtrend.

Price also remains below the Bollinger midline near $0.27, which has acted as resistance during recent attempts to recover.

Volatility has started to contract slightly as the Bollinger Bands move closer together. Periods like this often come before a stronger move once volatility returns.

Momentum indicators remain weak. The relative strength index is hovering near 40–45, a level that suggests sellers still hold the advantage, though the market is not deeply oversold.

For now, $0.25 is the key level to watch. The market has tested this support several times in recent sessions. If it breaks, price could slide toward $0.23 or even $0.22.

On the other hand, buyers would need to push ADA back above $0.27 to improve the short-term outlook. That level aligns with the Bollinger midline and has acted as a barrier during the recent downtrend.

Crypto ATM fraud surged to $333 million in the US in 2025, with complaints received by the FBI growing 33% in the year as scam networks became more industrialized while tapping into advanced AI deepfake technology.

Crypto ATM fraud is one of the fastest-growing financial crime categories in the US, according to cybersecurity firm CertiK in its latest report shared with Cointelegraph on Thursday, explaining that criminal organizations are exploiting the “speed and pseudonymity” of crypto ATMs or “kiosks” to extract funds from victims at an accelerating pace.

The FBI recorded more than 12,000 complaints between January and November 2025, also a 33% increase from the prior year. The US accounts for 78% of the world’s 45,000 cryptocurrency machines, said CertiK. 

Their ability to convert cash to crypto in under five minutes with minimal identity verification “makes them the lowest-friction extraction channel available to scammers,” the firm added. 

Elderly more vulnerable to social engineering

The report also noted that there was an “attribution gap” because the blockchain only records the operator-to-destination transfer, not the victim’s identity. This makes forensic tracing extremely difficult without court orders for operator records.

Around 86% of losses involve victims over 60, as older adults are disproportionately vulnerable due to “liquid savings,” lower crypto literacy, and social isolation.

However, younger victims are increasingly appearing in romance or investment scams, commonly known as “pig butchering,” which is one of five primary tactics used by scammers.

The other four approaches are government impersonation, tech support fraud, “grandparent scams,” and fake fraud recovery offers.

Related: DC attorney general sues Athena Bitcoin over alleged hidden fees

Unlike phishing or wallet-draining attacks, which involve compromising private keys or tricking users into signing malicious smart contract requests, ATM-based fraud “relies entirely on social engineering to induce the victim to perform a voluntary physical action at a kiosk,” stated CertiK. 

AI is making things worse

AI-enabled social engineering scams were 4.5 times more profitable than traditional methods in 2025, reported CertiK.

The integration of “real-time deepfake synthetic media” into scam and fraud operations represents the most “significant near-term escalation,” it stated. 

“AI-driven personalization tools enable scammers to scrape social media data and construct hyper-targeted scripts that mirror the specific language, appearance, and communication patterns of the victim’s trusted contacts.” 

The profile of crypto ATM scammers has also shifted from independent actors to structured transnational criminal organizations operating with corporate-level divisions of labor, according to CertiK.

“Transnational criminal organizations are industrializing ATM-based extraction at unprecedented scale.”

Wyoming Senator Cynthia Lummis said in September that she hopes the crypto market structure legislation will help tackle ATM fraud by punishing bad actors without limiting innovation.

In February 2025, US Senator Dick Durbin introduced the Crypto ATM Fraud Prevention Act, aiming to introduce safeguards for crypto kiosk users.

Magazine: China’s ‘50x’ blockchain boost, Alibaba-linked AI mines Bitcoin: Asia Express