Hardware wallets split into two camps: code you can inspect and code you cannot. That matters more than any spec on the box. A wallet is only as trustworthy as the code and hardware you can verify.
Ledger owns a huge share of the market. It is also closed source, VC-backed, and in 2023 launched a seed escrow product that undercut years of earlier claims. If you care about self-custody, that history matters.
Why Ledger Is Compromised as a Privacy Tool
Ledger sells convenience and polish. It does not sell verifiability. If you want to check what the device can do with your seed, you hit a wall fast.
Closed-source firmware
Ledger firmware is proprietary. Its Secure Element also sits behind NDA restrictions. Independent researchers cannot fully inspect that layer. You cannot prove what the device does during signing. You are taking Ledger at its word.
The 2020 data breach
In July 2020, Ledger's e-commerce database was breached. 272,000 customer records leaked, including names, phone numbers, and street addresses. That data later fueled phishing, extortion, and physical threats. A hardware wallet cannot help if your home address is in a public dump.
VC alignment
Ledger raised €380M from firms including Sequoia and a16z. That kind of capital pushes companies toward recurring revenue. Ledger Recover looks like that pressure made real. The incentives do not line up with user privacy.
The Open-Source Alternatives
Coldcard Mk4. Coinkite, Canada
Coldcard is a strong choice for Bitcoin self-custody. The firmware is open source. The device is Bitcoin-only, which keeps the surface area smaller. Signing uses PSBT over SD card or QR. You do not need USB data mode or a live network connection.
Security features include on-device passphrase entry, a duress PIN, a brick-me PIN, and clean support for air-gapped multisig. No Bluetooth. No wireless.
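The file that crosses the air gap on an SD card is a BIP174 PSBT, and it can be inspected on the coordinator before and after signing. This is an added example, not code from Coinkite or any wallet vendor: the function names are hypothetical and the sample bytes are constructed. It parses a binary PSBT v0 and reports the transaction shape and how many signature entries each input carries.

```python
import io

MAGIC = b"psbt\xff"  # BIP174 magic bytes

def csize(s):
    """Read a Bitcoin compact-size integer from a stream."""
    n = s.read(1)[0]
    width = {0xfd: 2, 0xfe: 4, 0xff: 8}.get(n)
    return int.from_bytes(s.read(width), "little") if width else n

def read_map(s):
    """Read one key-value map, ending at its 0x00 separator."""
    out = {}
    while (klen := csize(s)) != 0:
        key = s.read(klen)
        out[key] = s.read(csize(s))
    return out

def tx_counts(raw):
    """Count inputs and outputs of the unsigned transaction (global key 0x00)."""
    s = io.BytesIO(raw)
    s.read(4)                                  # version
    n_in = csize(s)
    for _ in range(n_in):
        s.read(36)                             # outpoint: txid + index
        if csize(s) != 0:
            raise ValueError("unsigned tx must have empty scriptSigs")
        s.read(4)                              # sequence
    return n_in, csize(s)

def inspect_psbt(data):
    """Summarise a binary PSBT v0; counts signature entries, does not verify them."""
    s = io.BytesIO(data)
    if s.read(5) != MAGIC:
        raise ValueError("not a PSBT")
    n_in, n_out = tx_counts(read_map(s)[b"\x00"])
    inputs = [read_map(s) for _ in range(n_in)]
    return {"inputs": n_in, "outputs": n_out,
            "partial_sigs": [sum(k[0] == 0x02 for k in m) for m in inputs],
            "finalized": [any(k[0] in (0x07, 0x08) for k in m) for m in inputs]}

# Constructed sample: 1-input, 1-output unsigned tx; dummy txid, key and signature.
def kv(key, val):
    return bytes([len(key)]) + key + bytes([len(val)]) + val

TX = (bytes.fromhex("02000000") + b"\x01" + b"\x11" * 32 + bytes(4) + b"\x00" + b"\xff" * 4
      + b"\x01" + (10_000).to_bytes(8, "little") + b"\x16\x00\x14" + b"\x22" * 20 + bytes(4))
UNSIGNED = MAGIC + kv(b"\x00", TX) + b"\x00" * 3
ONE_SIG = MAGIC + kv(b"\x00", TX) + b"\x00" + kv(b"\x02" + b"\x03" * 33, b"\x30" * 71) + b"\x00" * 2
```

Coordinators often export PSBTs as base64 text, so decode that form to bytes before calling `inspect_psbt`. In a 2-of-3 setup, the `partial_sigs` count per input shows how many signers have contributed so far.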
Trezor Model T / Safe 3. SatoshiLabs, Czech Republic
Trezor publishes firmware and hardware documentation. Older Trezor designs relied heavily on PIN plus passphrase because they lacked a Secure Element. The practical rule is the same today. Use a strong passphrase if you want serious protection against physical access.
Kraken Security Labs showed a physical extraction attack against a Trezor One in 2019. A passphrase kept only in your head blocks that path because it never lives on the device. Trezor supports many assets, which is useful but adds complexity that Bitcoin-only wallets avoid.
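Why a memorised passphrase survives extraction of the stored seed words, shown with the standard BIP39 and BIP32 derivations. This is an added example, not Trezor code: `wallet_tag` is a hypothetical helper, the mnemonic is the public BIP39 test vector, and the passphrases are constructed.

```python
import hashlib, hmac, unicodedata

def bip39_seed(mnemonic, passphrase=""):
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    nfkd = lambda t: unicodedata.normalize("NFKD", t).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), nfkd("mnemonic" + passphrase), 2048)

def master_key(seed):
    """BIP32 master private key and chain code derived from the seed."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]

def wallet_tag(mnemonic, passphrase=""):
    """Short hex tag of the master key, for comparison only (not a BIP32 fingerprint)."""
    return master_key(bip39_seed(mnemonic, passphrase))[0][:4].hex()

# Public BIP39 test-vector mnemonic; never use it for funds. Passphrases are constructed.
WORDS = "abandon " * 11 + "about"

on_device = wallet_tag(WORDS)                    # what the stored words alone open
owner = wallet_tag(WORDS, "correct horse")       # what words + memorised passphrase open
typo = wallet_tag(WORDS, "Correct horse")        # one wrong character: a third wallet, no error
```

Every passphrase yields a valid wallet, so a mistyped one opens an empty wallet without any error. Confirm the first receive address against a known-good record before funding it.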
Foundation Passport. Foundation Devices, USA
Passport publishes hardware schematics and firmware source. It is built for air-gapped use. No USB data. No Bluetooth. It signs PSBTs by camera and QR code, then shows the signed transaction as QR for the coordinator to broadcast.
It also runs on standard AA batteries. That keeps the design simple and avoids sealed-battery failure modes.
Jade. Blockstream
Jade is open source and cheap. It works over Bluetooth or USB and uses a different unlock model tied to Blockstream infrastructure. That keeps cost low, but it is not the same trust model as a fully air-gapped device.
Jade makes sense for smaller holdings or tighter budgets. For larger amounts, many users will want less server dependence.
| Device | OSS Firmware | OSS Hardware | Air-Gapped | Secure Element | Seed Risk | Price | Coins | VC-Backed |
|---|---|---|---|---|---|---|---|---|
| Ledger Nano X | ✗ | ✗ | ✗ | ✓ | HIGH | ~$149 | 5,500+ | YES |
| Coldcard Mk4 | ✓ | ✗ | ✓ | ✓ | LOW | ~$149 | BTC only | ✗ |
| Trezor Safe 3 | ✓ | ✓ | ✗ | ✓ | MED (passphrase) | ~$79 | 1,000+ | ✗ |
| Foundation Passport | ✓ | ✓ | ✓ | ✗ | LOW | ~$199 | BTC only | ✗ |
| Blockstream Jade | ✓ | ✗ | ✗ | ✗ | MED (server dep.) | ~$65 | BTC, Liquid | ✗ |
When Paper and Steel Wallets Are Better
Paper wallets
A paper wallet cuts out device firmware, USB ports, batteries, and wireless radios. For deep cold storage that will sit untouched for years, an offline seed generated on an air-gapped machine can have a smaller attack surface than a hardware wallet.
The trade-off is physical risk. Fire, water, fading ink, theft, or one bad hiding spot can wipe you out. Paper is also awkward for regular spending.
Steel seed backups
Products like Cryptosteel Capsule, Bilodeau, and BlockPlate let you stamp seed words into steel. They survive heat, water, and time far better than paper. They are not wallets. They are backups, and every serious self-custody setup should have one.
When hardware wallets are overkill
For smaller balances you spend often, a good mobile wallet on a hardened phone may be safer in practice than a hardware wallet paired with a dirty desktop. Plugging a Coldcard into a sketchy Windows box does not fix the rest of your setup.
For Monero, Feather Wallet on GrapheneOS with no SIM and Tor access is a reasonable daily-use setup for modest amounts. Monero handles on-chain privacy far better than Bitcoin, so the trade-offs differ.
Multisig as the Gold Standard
For large Bitcoin holdings, 2-of-3 multisig across different hardware makers is still the practical high bar. One stolen device, one bad firmware line, or one supply-chain failure should not be enough to lose funds.
A common setup is Coldcard Mk4 plus Trezor Safe 3 plus Foundation Passport. Different vendors. Different codebases. Different design assumptions. Sparrow Wallet can coordinate the setup on desktop.
The cost is friction. Every spend takes more planning and more devices. For six-figure storage, that trade usually makes sense.
Practical Recommendations by Amount
| Amount | Recommended Approach | Notes |
|---|---|---|
| Under $1,000 | Mobile wallet on GrapheneOS | Feather Wallet (XMR) or BlueWallet (BTC). Often simpler and safer than hardware plus a compromised PC. |
| $1,000 – $10,000 | Coldcard Mk4 or Trezor Safe 3 | Use a strong passphrase on Trezor. Prefer air-gapped signing when possible. Keep a steel seed backup. |
| $10,000 – $50,000 | Coldcard or Passport, fully air-gapped | Use SD card or QR PSBT flow. Sparrow on a dedicated machine works well as coordinator. |
| Over $50,000 | 2-of-3 multisig, mixed hardware brands | Coldcard + Trezor + Passport. Store backups in separate locations. Use Sparrow for coordination. |
| Long-term cold storage | Air-gapped paper or steel wallet | Generate on Tails OS, verify carefully, and keep duplicate steel backups in separate places. |
The One Rule
Never connect a signing device to a machine you do not control. Hardware wallets defend against remote software attacks only if the rest of the setup is clean. If you cannot trust the coordinator machine, go air-gapped.
Follow the Money
Funding tells you a lot. VC-backed wallet companies need growth. Growth pushes them toward subscriptions and data-driven products. Small independent makers face different pressure.