MediaTek patches flaw that enabled crypto seed theft in 45 seconds

Security researchers have uncovered a flaw in MediaTek’s mobile chipsets that could enable attackers to harvest crypto seed phrases from vulnerable devices simply by connecting a phone to a computer via USB. The vulnerability targets the secure boot chain, a layer designed to boot devices only with authorized software, and was disclosed by Ledger’s white-hat security team, Donjon. A patch was rolled out by MediaTek on January 5, but users who have not updated their devices remain exposed to potential attacks. In practical terms, an assailant with physical access could bypass a device’s protections and access sensitive wallet data without needing to unlock the device, underscoring how far security gaps in consumer hardware can reach in the crypto era.

Ledger notes that roughly a quarter of Android devices rely on MediaTek processors paired with the Trustonic Trusted Execution Environment (TEE), a combination the research found to be particularly exploitable. Donjon demonstrated the proof-of-concept by connecting a Nothing CMF Phone 1 to a laptop and compromising the device’s security in about 45 seconds. The exploit could, in a worst‑case scenario, recover the phone’s PIN, decrypt stored data, and extract seed phrases from popular wallets such as Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet and Phantom, all without requiring the device to be actively unlocked.

Ledger emphasizes that users should apply the January patch promptly, warning that devices left unpatched remain vulnerable to USB-based attacks that bypass the Android protections designed to prevent unauthorized data access. A Ledger spokesperson suggested that the organization does not anticipate the issue to persist as a systemic vulnerability, pointing to the patch as a remedy and noting improvements in hardware and software defenses over time. The broader takeaway is that mobile devices, while increasingly central to crypto management, remain areas of elevated risk when security architectures rely on general-purpose components rather than dedicated protective elements.

As the crypto ecosystem continues to expand, the mobile surface remains a live concern. Ledger’s assessment of the landscape includes a stark reminder that a large share of users store digital assets on smartphones, with the firm citing around 36 million people managing crypto on mobile devices as of early 2025. The implication is not merely about one exploit but about a structural tension between convenience and security in everyday devices. In late 2025, Ledger also revealed testing results on the MediaTek Dimensity 7300 (MT6878) that reportedly bypassed certain security measures, achieving a level of control over a smartphone that left “no security barrier standing.” These findings echo a longer-standing view from Ledger’s chief technology officer that smartphones—whether Android or iPhone—are inherently challenging to secure for crypto use.

Charles Guillemet has repeatedly underscored the underlying architectural gap between general-purpose chips, which prize convenience, and Secure Elements, which are designed to isolate and protect keys even under duress. In a post on X that followed the December tests, he reiterated a recurring theme: the best practice for protecting seeds is to rely on hardware-backed protections rather than trusting software alone. This sentiment aligns with a broader consensus in the security community that crypto keys deserve an isolated enclave, separate from the rest of the device’s software stack. The implications for wallet developers and hardware makers alike are clear: as fraud vectors evolve, so too must the hardware and the threat models that guide wallet design and user behavior. The ongoing discourse around secure elements, trusted execution environments, and hardware-backed security will likely drive further standards and recommendations for the crypto wallet ecosystem.

In the context of rapidly evolving mobile crypto usage, the incident serves as a reminder that security is not a one-time fix but an ongoing engineering challenge. Beyond patch deployment, users must consider the broader ecosystem: keeping devices updated, enabling additional protections on wallet apps, and staying informed about hardware vulnerabilities that could undermine seed protection. The episode also raises questions for manufacturers and platform providers about the balance between performance, feature parity, and robust security, particularly as mobile devices become the primary entry point for many users into the world of decentralized finance and digital assets.

Overall, the episode reinforces the view that mobile crypto security hinges on a layered strategy: hardware-backed secrets, rigorous boot-time protections, prompt software updates, and wallet designs that minimize the risk surface for seed exposure. While patches provide a necessary remedy, the industry faces a broader imperative to harden the entire stack—from chipset design and secure enclaves to firmware and application guardrails—to ensure that the convenience of mobile crypto management does not come at the expense of fundamental security.

Key takeaways

• The vulnerability resides in MediaTek’s secure boot chain, which could allow an attacker with physical access to bypass protections via USB and access wallet seeds.
• MediaTek released a patch on January 5, but devices that have not updated remain at risk of seed extraction and other data compromise.
• About 25% of Android devices are affected due to the combination of MediaTek processors and the Trustonic TEE, increasing the potential attack surface for seed exposure.
• A proof-of-concept demonstrated on a Nothing CMF Phone 1 achieved compromise in roughly 45 seconds, illustrating how quickly seed data could be extracted from several popular wallets.
• Ledger’s stance emphasizes that smartphones are inherently challenging for crypto security and that hardware-backed protections (e.g., Secure Elements) are essential to safeguarding seeds against physical attacks.
• Beyond the January patch, Ledger disclosed ongoing tests in December 2025 on the MT6878 that reportedly bypassed some security measures, underscoring the persistent need for robust hardware protections.

Sentiment: Neutral

Market context: The incident highlights ongoing risk in mobile crypto usage and the importance of timely firmware updates as users increasingly rely on smartphones for wallets and seed storage, contributing to broader risk sentiment around consumer hardware security.

Why it matters

For users actively managing crypto on mobile devices, the incident translates into a pragmatic reminder: seed phrases are high-value targets, and the most effective defense combines hardware-backed secrecy with disciplined software hygiene. The fact that a single USB connection could bypass protective layers and extract seed data from multiple wallets makes the case for diversified security architectures more compelling. Wallet developers may respond by encouraging or mandating hardware-backed seed storage, integrating stronger attestation, and pushing for standardized, secure boot practices across chipset families. The episode also underscores the role of independent researchers and white-hat teams in disclosing vulnerabilities that could otherwise go undetected until exploited in the wild.

From a market perspective, the event does not single out a particular asset or exchange, but it does shape risk perception around mobile wallet usability. As more users store crypto on smartphones, the potential payoff for attackers grows in tandem with the number of devices deployed and the wallets installed on them. This dynamic heightens the urgency for chipset makers, device manufacturers and wallet providers to collaborate on risk mitigation—outside of mere patch cycles—through architectural safeguards, secure update mechanisms, and clear user guidance on how to defend seeds in non-ideal physical environments.

For the broader ecosystem, the episode also serves as a test case for ongoing debates about hardware security: should smartphones rely on Secure Elements that isolate keys, or should wallets shift seed management to external, user-controlled devices with their own secure channels? The balance struck in design decisions over the next few years will influence the resilience of mobile crypto infrastructure as adoption continues to grow and as regulatory and market pressures push for stronger security guarantees.

What to watch next

• How quickly OEMs and MediaTek push out and verify the January patch across devices shipping with the affected chipsets.
• Whether wallet developers adopt more hardware-backed storage or additional attestation to reduce seed exposure risk on compromised devices.
• Any official guidance from Ledger or other security researchers on best practices for users to mitigate risk while awaiting firmware updates.
• Further testing results from security researchers on MT6878 and related MediaTek platforms to assess the durability of current protections.

Sources & verification

• Ledger’s public statements describing the vulnerability and the patch rollout on January 5.
• Donjon’s demonstration using a Nothing CMF Phone 1 to compromise a device within about 45 seconds.
• Ledger’s December 2025 disclosures about testing an attack on the MediaTek Dimensity 7300 (MT6878) and bypassing security measures.
• Charles Guillemet’s public comments on smartphone security and the challenges of securing mobile crypto workflows.

Security episode: how a USB-based breach in MediaTek chips could expose seed phrases

The attack scenario centers on the media ecosystem surrounding contemporary smartphones. By exploiting the secure boot chain in MediaTek’s mobile processors, an attacker could connect a device to a PC and proceed without booting into the Android operating system in a conventional sense. The practical upshot is the potential to automatically recover device PINs, decrypt stored data, and extract seed phrases from widely used wallets—Trust Wallet, Base, Kraken Wallet, Rabby, Tangem’s Mobile Wallet, and Phantom—without requiring the user to unlock the phone or enter sensitive credentials. The proof-of-concept demonstrated on the Nothing CMF Phone 1 in roughly 45 seconds underscores how quickly such a breach could occur in a real-world scenario, particularly when users fail to apply patches in a timely manner.

MediaTek’s response to the vulnerability, which included a software patch released on January 5, aims to close the door on the attack by strengthening the integrity of the boot process and reducing the likelihood of unauthorized access to the secure storage that holds seed material. Ledger’s assessment indicates that while the patch is a necessary stopgap, the broader trajectory of mobile crypto security remains a work in progress, especially given the prevalence of devices that rely on Trustonic’s TEE in conjunction with MediaTek chips. The intersection of hardware security with consumer electronics means that even small architectural choices—how keys are isolated, how boot protections are verified, and how protected storage is accessed—can have outsized implications for user safety in the crypto domain.

Looking ahead, the crypto community will be watching whether the January patch is widely adopted across device fleets, how wallet developers respond with additional mitigations, and whether hardware manufacturers continue to push for more robust, hardware-backed protections as a standard feature. The broader message is that seed storage remains a high-value target, and as the mobile economy around digital assets grows, so too must the security controls that protect those seeds—from the moment a device boots up to the moment a user signs a transaction or unlocks a wallet.