Donjon, a security research team at Ledger, discovered a vulnerability in the secure boot chain of MediaTek processors. An attacker with physical access to the phone could extract encryption keys over a USB connection before the operating system loads, decrypt device storage, and obtain the device's PIN and the encrypted wallet mnemonic phrase within approximately 45 seconds. In proof-of-concept testing, the vulnerability was used to extract sensitive data from wallet applications such as Trust Wallet, Kraken Wallet, and Phantom. The researchers stated that the vulnerability could affect approximately 25% of Android phones, including models using MediaTek chips and the Trustonic trusted execution environment. Ledger CTO Charles Guillemet stated that smartphones were never designed as vaults. He said that while this vulnerability can be patched, it highlights the inherent risk of storing keys on insecure devices, and he recommended that users install security patches as soon as possible.

According to TRM Labs data, over 80% of the $2.1 billion in crypto assets stolen in the first half of 2025 originated from infrastructure attacks such as private key theft, mnemonic phrase theft, and front-end hijacking. Chainalysis data shows that crypto asset theft losses exceeded $3.41 billion in 2024, with the share attributed to personal wallets rising from 7.3% in 2022 to 44% in 2024.