
# Every Ledger Hack Since 2020 and What Each Changed.
TL;DR·Ledger has had four public security events since 2020: an e-commerce breach exposing over 1M customer records, follow-on letter phishing, the May 2023 Recover firmware row, and a December 2023 Connect Kit exploit that drained about $484K from dApp users. None touched the secure element; the seed backup model did the work.
When people search for a Ledger hack, they usually find a mix of headlines that blur four different events into one story. A couple were Ledger's fault, one was an ecosystem attack that hit Ledger users through a poisoned library, and one was a policy call that split the community. What follows is a chronology of every publicly confirmed incident tied to Ledger's stack since 2020, with primary sources and a plain read on what each changed for holders. Ledger is the largest hardware wallet company in the industry, and any comparison honest about the market has to start with what happened on their watch.
In this piece
The 2020 customer data breach
In July 2020, a researcher reported a vulnerability in Ledger's e-commerce and marketing database through the company's bounty program. Forensics by Ledger and Orange Cyberdefense established that a third party's API key had been abused to pull over one million email addresses and roughly 292,000 records including names, phone numbers, and postal addresses. No passwords, no payment data, no seed phrases. The full dump landed on a public forum that December.
For hardware-wallet buyers, the point is a distinction: this was a customer database breach, not a wallet breach. Every Ledger secure element kept its keys inside the chip. What made the incident hard to walk back is that a file mapping "this person owns crypto" to "this is their home address" now existed as a public download.
The 2020 to 2021 phishing letters
The 2020 customer list turned into phishing feedstock for years. In 2021, some Ledger owners received counterfeit devices in the mail, tampered so that connecting one to a computer would install malware. By 2025, physical letters on branded stationery were still landing in mailboxes, asking recipients to scan a QR code and enter their 24-word recovery phrase to "validate" the wallet. Ledger has stated repeatedly that they will never mail hardware or ask for a recovery phrase: once a home address sits in a leaked file, it stays useful to attackers as long as the owner still holds crypto.
The May 2023 Recover controversy
On May 16, 2023, Ledger announced Ledger Recover, a paid subscription that would shard an encrypted copy of a user's seed phrase across three custodians (Ledger, Coincover, and EscrowTech). To unlock a restore, the user would pass ID verification with a government photo and facial recognition; two custodians would send their shards back to the device.
The backlash centered on one detail. To make Recover work, the firmware that ships on every Ledger device had to include the capability to package an encrypted seed and send it off the device under an approved code path. The service was opt-in, but the mechanism existed in firmware everywhere, which sat awkwardly against years of Ledger marketing that keys "never leave" the secure element. CEO Pascal Gauthier defended the design and stated that the only meaningful risk was subpoena: if a government compelled one custodian in each shard's jurisdiction, three subpoenas could reconstruct a seed. On May 23, Ledger paused the rollout and committed to open-sourcing the code.
No user funds were lost. What changed was the model on offer: the firmware on your device now had a documented pathway out for encrypted secrets, and holders had to decide whether they trusted that pathway to stay opt-in.
The December 2023 Connect Kit exploit
On December 14, 2023, attackers pushed a poisoned version of Ledger's Connect Kit to NPM, the library dApps use to let Ledger owners connect through a browser. The path in was social: a former Ledger employee's NPMJS account was phished, and the attacker used the session token to bypass two-factor login. Versions 1.1.5, 1.1.6, and 1.1.7 shipped the Angel Drainer payload into any site loading Connect Kit from CDN without pinning a version.
Zapper, SushiSwap, Kyber, Revoke.cash, Balancer, and Phantom's front end all pulled the compromised code and served it to users. The malicious script asked visitors to sign a transaction that drained approved tokens. Ledger shipped a fix (1.1.8) about five hours after the poisoned build went live, with the actual drain window closer to two hours. CoinDesk reported roughly $484,000 in losses across a few hundred wallets, and Ledger committed to reimbursement.
Two takeaways matter here. Holders who reviewed each transaction on their device screen before signing had a chance to catch the drainer's approval, because the target address and amount looked wrong; anyone who blind-signed lost funds. The underlying weakness was a Node package registry account with a stolen session, a soft spot that touches almost every crypto project shipping an SDK.
The January 2026 Global-e leak
On January 4, 2026, Ledger disclosed that its e-commerce checkout partner Global-e had been compromised and that customer order data (names, contact information, product purchases) had been accessed by an unauthorized party. As with 2020, no crypto assets, passwords, or seed phrases were touched, and only shoppers who checked out through Global-e were affected. The pattern rhymes with the earlier breach: the wallet chip is fine, and the address list is what leaks. Ledger warned again that any package or paper letter claiming to be from the company should be treated as fraud.
What each Ledger hack chapter changed
The 2020 database leak taught the industry that a hardware wallet company doubles as a target-rich address book for phishing crews. Ledger moved e-commerce infrastructure and expanded their security team, but the leaked data outlived every fix.
The Recover controversy split the market. Some users trusted Ledger's engineering discipline and accepted the opt-in service; others left for wallets whose firmware had no such pathway. The debate ended without a "hack" in the standard sense, but it changed how buyers read hardware-wallet marketing: the words "never leaves the chip" now come with a footnote about which code paths exist even when nobody's calling them.
The Connect Kit exploit shifted focus toward supply-chain hygiene. NPM package pinning and a hard preference for wallets that force on-device transaction review became standard advice in security postmortems that year. The 2026 Global-e leak was another reminder that third-party checkout and analytics partners can breach a brand without touching the brand's own systems.
Across all four events, one weakness stayed consistent. Every hardware wallet on the market, Ledger included, still ships a 24-word seed phrase as the ultimate backup, and most users write those words onto a piece of paper or a metal plate. Paper burns and gets stolen; a metal plate survives fire but still concentrates the entire wallet into one object that can be found or lost. That's the shared weakness no hardware wallet company has patched away yet.
Where Ryder One fits
We built Ryder One as a different bet on the two layers where Ledger's incidents played out most.
On the signing layer, Ryder One shows every transaction on a 1.6-inch AMOLED touchscreen driven by the EAL6+ Infineon SLC38 secure element. What you see on the device is what you sign. If a Connect-Kit-style drainer asks for a token approval to a strange spender address, the address is on your screen before you approve, and blind signing isn't possible because the device has no code path to sign what it can't render. Connectivity is NFC-only: no USB port to abuse, no Bluetooth radio to attack over the air. Ryder's firmware was independently audited by Halborn, whose report is public.
On the backup layer, TapSafe Recovery replaces the paper-seed dependency with a share model. The Recovery Tag holds 50% of the wallet as an IP69K-rated NFC token, and the paired phone holds the other 50%, stored encrypted in your own iCloud or Google Drive rather than on the handset itself. Optional Recovery Contacts can each hold a 25% share for social recovery. No one component reconstructs the wallet alone, and the BIP-39 seed phrase stays available on the device as a last resort, so you're never locked to Ryder hardware. Paper seed backups are fragile; metal plates upgrade the medium but still leave one object holding the whole wallet; TapSafe removes that concentration point.
Ryder One is $229 and ships with the Recovery Tag, a Qi wireless charger, and a travel pouch. Setup takes about 60 seconds over NFC.
Bottom line
Ledger has had four publicly confirmed incidents since 2020, and each is worth understanding on its own terms. The two data breaches (2020 and 2026) exposed customer contact information but never touched the secure element. Recover was a design controversy that reshaped how buyers evaluate firmware promises. Connect Kit was a supply-chain compromise that briefly turned trusted dApps into wallet drainers.
The takeaway for anyone weighing a hardware wallet today isn't that any brand is uniquely unsafe; it's that every hardware wallet still concentrates too much of its backup story into a paper seed phrase that a phishing letter is designed to extract. If you want a device that shows you every transaction before you sign and a backup model built as a share rather than one copy on paper, Ryder One is what we built for that job. Self-custody works better when the backup layer is designed for how people keep things safe over years.
SEO
- Target keyword: ledger hack
- SEO title: Every Ledger Hack Since 2020 and What Each Changed. (50 chars)
- Meta description: Every Ledger hack since 2020: the 2020 e-commerce breach, the 2023 Recover row, the Dec 2023 Connect Kit drain, the 2026 Global-e leak, and what changed. (156 chars)
Share: