
Beginner’s Guide to Web3 Security: Common Hardware Wallet Pitfalls

8 min read, Jun 17, 2025


Author: Liz
Editor: Sherry

Background

In our previous installment of the Beginner’s Guide to Web3 Security, we discussed clipboard security. Recently, a victim reached out to the SlowMist Security Team, reporting the theft of approximately 50 million RMB worth of crypto assets after purchasing a cold wallet from Douyin. In this issue, we shift our focus to a tool that many users trust but frequently misuse: the hardware wallet.

https://x.com/SlowMist_Team/status/1933799086106538101

Hardware wallets have long been regarded as reliable tools for safeguarding crypto assets due to their offline private key storage. However, as the value of crypto assets increases, so do the sophistication and frequency of attacks targeting these wallets — from counterfeit hardware wallets, fake firmware updates and verification prompts, and phishing sites, to meticulously crafted social engineering traps. Users often fall victim without realizing it, losing everything in the end. What seems like a secure device may harbor hidden backdoors; what looks like an official email may actually be from an attacker.

This article highlights common risks in the purchase, use, and storage of hardware wallets. Through real-world cases, we’ll analyze common scams and provide practical security tips to help users protect their crypto assets.

Risks During Purchase

Hardware wallet scams typically fall into two categories:

1. Counterfeit Wallets:
These devices appear legitimate but come with tampered firmware. Once used, private keys may be silently leaked.

2. Real Wallets + Malicious Guidance:
Attackers exploit users’ lack of security awareness by selling “pre-initialized” devices via unofficial channels or tricking them into downloading fake companion apps, using phishing or social engineering to ultimately drain assets.

Here’s a classic example:

A user purchased a hardware wallet from an e-commerce platform. Upon opening the package, the "instruction manual" looked like a scratch card and carried a pre-printed recovery phrase. The attacker had already activated the device, recorded its recovery phrase, re-sealed the wallet, and packaged it with the forged manual. The moment the user scanned the QR code on the card and transferred assets to that wallet, the funds were drained: the device itself may well have been genuine, but the attacker held its keys from the start.

These scams often target first-time hardware wallet users who may not realize that a “pre-set recovery phrase” is a major red flag.

https://www.reddit.com/r/ledgerwallet/comments/w0jrcg/is_this_a_legit_productbought_from_amazon_came/

Beyond “activation + re-sealing” tactics, there are even more advanced threats involving firmware-level tampering.

Even if a device looks untouched, its firmware may have been replaced with a version that contains a backdoor. Detecting this by hand is out of reach for most users: dumping and verifying firmware or opening the case costs time, tools, and expertise. What ordinary users can do is run the vendor's device authenticity check in the official companion app before loading any funds, and treat a failed or skipped check as a compromised device.

Once funds are deposited on such a device, the backdoor can be triggered silently: the tampered firmware can leak the private key or sign transactions the user never intended, and the assets are gone before the user notices.

https://x.com/kaspersky/status/1658087396481613824

Security Tip: Always purchase hardware wallets directly from the official website or an authorized reseller. Never be tempted by lower prices or convenience. Avoid second-hand or unknown-source devices — they may have been tampered with or pre-initialized.

Vulnerabilities During Use

Phishing in Signature Authorization

While hardware wallets keep private keys offline, they cannot protect against blind signing. The device signs whatever data the host app hands it; if all the screen shows is a hash or an opaque hex string, approving it is like signing a blank check. Users routinely confirm such strings without knowing what transaction they describe. So even with a hardware wallet, a user can unknowingly authorize a malicious smart contract (for example, an unlimited token allowance to an attacker's address) or send funds straight to an attacker.

Blind signing typically occurs on cleverly disguised phishing sites. Over the years, hackers have used this method to steal countless assets. As DeFi, NFTs, and other smart contract use cases grow more complex, so do signature operations.

Security Tip: Use a hardware wallet and wallet software that support "what you see is what you sign," so that each transaction's recipient, amount, and, for approvals, the spender and allowance are decoded and shown on the device screen. Verify those details on the device, not on the computer or phone, since the host may be the very thing that is compromised; if the device can only show an opaque hash, do not sign.

https://www.ledger.com/zh-hans/academy/%E4%B8%BB%E9%A2%98/ledgersolutions-zh-hans/10-years-of-ledger-secure-self-custody-for-all
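To make "what you see is what you sign" concrete, here is a minimal decoder for the three calldata shapes that signing phishing abuses most often: ERC-20 `approve`, ERC-20 `transfer`, and ERC-721/1155 `setApprovalForAll`. It is an added example, not code from the original post or from any wallet vendor. The function selectors are the first four bytes of keccak256 over the canonical signature; they are hard-coded because the Python standard library has no keccak. The spender address used in the usage call is a constructed placeholder.

```python
# Added example: decode common approval/transfer calldata so the "opaque hex" a
# phishing site asks you to sign becomes readable. Not code from the post.
SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),         # ERC-20 approve(spender, amount)
    "a9059cbb": ("transfer", ("address", "uint256")),        # ERC-20 transfer(to, amount)
    "a22cb465": ("setApprovalForAll", ("address", "bool")),  # ERC-721/1155 setApprovalForAll(operator, approved)
}
UINT256_MAX = 2**256 - 1  # the "unlimited allowance" value phishing approvals use


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    start = 4 + 32 * i
    w = data[start:start + 32]
    if len(w) != 32:
        raise ValueError("calldata truncated")
    return w


def decode_calldata(hex_calldata: str) -> dict:
    """Decode calldata into function name, arguments and security warnings."""
    data = bytes.fromhex(hex_calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a selector")
    selector = data[:4].hex()
    if selector not in SELECTORS:
        # Anything we cannot decode would be blind-signed; say so explicitly.
        return {"function": None, "selector": selector, "args": [],
                "warnings": ["unknown selector: signing this would be blind signing"]}
    name, types = SELECTORS[selector]
    args = []
    for i, t in enumerate(types):
        w = _word(data, i)
        if t == "address":
            if any(w[:12]):  # address is right-aligned; padding must be zero
                raise ValueError("address word has non-zero padding")
            args.append("0x" + w[12:].hex())
        elif t == "uint256":
            args.append(int.from_bytes(w, "big"))
        elif t == "bool":
            v = int.from_bytes(w, "big")
            if v not in (0, 1):
                raise ValueError("bool word is not 0 or 1")
            args.append(bool(v))
    warnings = []
    if name == "approve" and args[1] == UINT256_MAX:
        warnings.append("unlimited ERC-20 allowance granted to " + args[0])
    if name == "setApprovalForAll" and args[1]:
        warnings.append("operator " + args[0] + " may move every NFT in this collection")
    return {"function": name, "selector": selector, "args": args, "warnings": warnings}


def encode_approve(spender: str, amount: int) -> str:
    """Build approve(spender, amount) calldata so the decoder can be exercised offline."""
    addr = spender.removeprefix("0x").lower().rjust(64, "0")
    return "0x095ea7b3" + addr + amount.to_bytes(32, "big").hex()


if __name__ == "__main__":
    # Constructed placeholder spender; a real phishing site would put its own address here.
    phishing_spender = "0x" + "ab" * 20
    result = decode_calldata(encode_approve(phishing_spender, UINT256_MAX))
    print(result["function"], result["args"], result["warnings"])
```

A wallet that decodes calldata this way can show "approve: unlimited allowance to 0xab…ab" on the device screen instead of a 132-character hex string; the user then has something meaningful to refuse.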

Phishing Disguised as “Official”

Attackers often impersonate official sources. For instance, in April 2022, some Trezor users received phishing emails from the domain trezor[.]us. Trezor’s real domain is trezor[.]io. Other spoofed domains included suite[.]trẹzor[.]com.

The "ẹ" looks like an ordinary e, but it is a different Unicode character (U+1EB9, Latin small letter e with dot below), which makes trẹzor.com an internationalized domain name. On the wire the label is carried in its Punycode form, xn--trzor-o51b, so the registered domain is really xn--trzor-o51b.com. Browsers differ in whether they display the Unicode or the xn-- form, which is why an address bar can look legitimate at a glance. When in doubt, look at the xn-- form or type the vendor's address yourself.
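The conversion above, plus the two checks a mail filter or browser extension would run on a link before a user clicks it, as an added example (not code from the original post). The brand-to-official-domain table is an assumption constructed for the example; the skeleton function is a coarse stand-in for the Unicode confusables algorithm, enough to catch accented look-alikes like "ẹ" but not cross-script ones such as Cyrillic "о" for Latin "o".

```python
# Added example: turn an IDN look-alike into its Punycode form and flag it.
import unicodedata

# Assumption for the example: which domains are official for which brand names.
OFFICIAL_DOMAINS = {"trezor": "trezor.io", "ledger": "ledger.com"}


def to_a_label(label: str) -> str:
    """ASCII form of one DNS label: unchanged if already ASCII, otherwise
    Punycode with the IDNA 'xn--' prefix (the form the DNS actually resolves)."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_u_label(label: str) -> str:
    """Inverse: 'xn--trzor-o51b' back to the Unicode text a browser might display."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def skeleton(label: str) -> str:
    """Crude confusable skeleton: decompose, drop combining marks, lowercase,
    so 'trẹzor' collapses to 'trezor'. Misses cross-script confusables."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def analyze_host(host: str) -> dict:
    """Report non-ASCII characters and brand look-alikes that are not under
    the brand's official domain. Accepts either Unicode or xn-- input."""
    labels = [to_u_label(l) for l in host.lower().split(".")]
    ascii_host = ".".join(to_a_label(l) for l in labels)
    findings = []
    for l in labels:
        for ch in l:
            if not ch.isascii():
                findings.append(f"non-ASCII {ch!r} U+{ord(ch):04X} "
                                f"{unicodedata.name(ch, '?')} in label {l!r}")
    for l in labels:
        brand = skeleton(l)
        if brand in OFFICIAL_DOMAINS:
            official = OFFICIAL_DOMAINS[brand]
            if not (ascii_host == official or ascii_host.endswith("." + official)):
                findings.append(f"looks like {brand} but is not under {official}")
    return {"ascii": ascii_host, "findings": findings,
            "verdict": "suspicious" if findings else "ok"}


if __name__ == "__main__":
    for h in ("suite.trẹzor.com", "trezor.us", "suite.trezor.io", "trezor.io.evil.example"):
        r = analyze_host(h)
        print(h, "->", r["ascii"], r["verdict"], r["findings"])
```

Note that trezor[.]us contains no odd characters at all; it is caught only by the second check, which insists that anything spelling a brand name sit under that brand's real domain. Homoglyph detection alone would have passed it.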

Attackers also capitalize on real security incidents to increase their success rate. In 2020, Ledger suffered a data breach, leaking over 1 million email addresses. A subset of 9,500 customers had additional info exposed, including names, postal addresses, phone numbers, and product purchases.

With this data, attackers posed as Ledger’s security & compliance team and sent phishing emails claiming users needed to upgrade or validate their devices. The emails linked to phishing sites via QR codes.

https://x.com/mikebelshe/status/1925953356519842245
https://www.reddit.com/r/ledgerwallet/comments/1l50yjy/new_scam_targeting_ledger_users/

Some users even received physical packages with fake devices, shrink-wrapped and labeled as replacements for their compromised devices. These contained fake Ledger Nano X wallets and forged letters on official-looking letterhead claiming to be from Ledger, offering a “more secure replacement.”

https://www.reddit.com/r/ledgerwallet/comments/o154gz/package_from_ledger_is_this_legit/

In reality, these were tampered devices: an extra USB storage component had been soldered to the internal board to carry malicious code. The fake manual told the user to plug the device into a computer, run the app that launched from it, and enter their existing 24-word recovery phrase to "migrate" or "restore" the wallet. As soon as the phrase was typed in, it was sent to the attackers and the assets were drained. No legitimate vendor process asks you to type a recovery phrase into software that arrived unsolicited; treat any such request as theft in progress.

Man-in-the-Middle (MitM) Attacks

Imagine sending a letter to a friend, but a malicious postman intercepts it, alters the message, and reseals it. That’s the essence of a man-in-the-middle (MitM) attack.

While hardware wallets isolate private keys, completing transactions still requires communication via a computer or smartphone wallet app, using USB, Bluetooth, or QR code. These are like unseen couriers. If any part is compromised, attackers can tamper with destination addresses or forge signature data unnoticed.

The OneKey team once reported a MitM vulnerability involving Trezor and MetaMask: when MetaMask connects to Trezor, it immediately reads the ETH public key and calculates addresses via different derivation paths — without any hardware confirmation or prompts, leaving a gap for MitM attacks.

If malware compromises Trezor Bridge (the communication interface), it can act as a “malicious postman,” altering all data passed between the wallet and computer. If the verification process is flawed or the user skips confirming details on the hardware screen, MitM attacks may succeed.

https://zhangzhao.name/

Storage and Backup

https://x.com/montyreport/status/1877102173357580680

Finally, secure storage and backup are just as important. Never store or transmit recovery phrases on any internet-connected platform — including notes, photo albums, bookmarks, file transfer tools, email, or cloud storage.

Protecting your assets isn’t just about defending against hackers, but also physical disasters. Paper backups are relatively safe, but prone to fire, water damage, or loss.

Security Tip: Write down your recovery phrase by hand and store copies in multiple secure, separate locations. For high-value assets, consider fire- and waterproof metal plates. Periodically check the storage environment to ensure your recovery phrase is still secure and legible.

Conclusion

Hardware wallets are critical tools for asset protection, but their safety ultimately depends on how users handle them. Many scams don’t attack the hardware directly, but instead lure users into voluntarily giving up control under the guise of “protecting your security.”

To help mitigate the risks covered in this article, here are some final recommendations:

  • Always purchase from official sources: Devices from unauthorized channels may be tampered with.
  • Ensure the device is uninitialized: Hardware wallets from official sources should be new and unactivated. If the device appears pre-activated or includes a “default password” or “preset address,” stop using it and report it to the vendor.
  • Perform all critical steps yourself: Device activation, setting the PIN, generating bind codes, creating addresses, and backing up recovery phrases should all be done by the user. Any step handled by a third party introduces risk.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
