Ledger Donjon

179 posts

@DonjonLedger

The security research at Ledger.

Paris · Joined June 2019
1 Following · 5.9K Followers
Pinned Tweet
Ledger Donjon@DonjonLedger·
Donjon is the Security Research team at @Ledger. Follow us to get the latest news from our research. More info on our blog: ledger-donjon.github.io
BTCPay Server@BtcpayServer·
BTCPay 2.3.6 is out! New features, bug fixes and security patches. Huge thanks to @DonjonLedger for using their new AI security agent to review our project ahead of release and all contributors who made it happen.
Ledger Donjon retweeted
Charles Guillemet
🚨Only days after Coruna, one of the first large-scale iOS exploit kits, DarkSword is already being exploited in the wild.
Coruna showed the pattern: state-grade iOS exploits don’t stay in government hands. They leak, spread, and end up in broader ecosystems. One visit to a compromised site, and your phone, including your crypto, is gone.
DarkSword confirms it.
- Another state-grade exploit chain.
- Already reused by multiple actors.
- Already deployed at scale via watering-hole attacks.
- Targets so far: Ukraine, Saudi Arabia, Turkey, Malaysia.
- Victim model: anyone who visits a compromised but legitimate website.
⚠️No click. No warning. Full device compromise. Data exfiltration. Real-time surveillance. Total loss of control.
Affected: iOS 18.4 → 18.7.
This used to be rare. Targeted. Surgical. Now it’s industrialized.
👉Two major iOS exploit chains in less than a week isn’t noise, it’s a shift. From now, you should assume your phone is compromised, Stop treating it like a safe. x.com/P3b7_/status/2…
Ledger Donjon retweeted
Pascal Gauthier @Ledger
Our phones were never designed to be secure vaults. The @DonjonLedger proves that every single day. For years, we’ve trusted our phones to protect everything: our data, our identity, our money. But smartphones are inherently fragile. They’re multipurpose, always-connected devices built for convenience first — not hardened security. That model may have been enough for the early internet of information. It doesn’t work for the internet of value. When a single vulnerability can put hundreds of millions of devices at risk, it’s a reminder of a simple truth: the device you use every day should not be the final line of defense for your digital value. 875 million Android devices can be compromised in under 60 seconds. That’s exactly why your phone should never be where your value ultimately lives. Pair it with a @Ledger signer and use the Ledger Wallet app. shop.ledger.com/?srsltid=AfmBO… forbes.com/sites/daveywin…
Ledger Donjon retweeted
Charles Guillemet@P3b7_·
🚨 @DonjonLedger has struck again discovering a MediaTek vulnerability potentially impacting millions of Android phones. Another reminder that smartphones aren’t built for security. Even when powered off, user data - including pins & seeds - can be extracted in under a minute.
Ledger@Ledger·
Every morning, a team of elite hackers walks into Ledger HQ. Their job: strengthen the security of every device we ship: and raise the standard for the entire ecosystem. This is the Ledger Donjon 🧵
Ledger Donjon retweeted
Charles Guillemet@P3b7_·
What if a hacker could gain total control of your smartphone, not via malware, but the hardware itself? The @DonjonLedger discovered a potentially unpatchable flaw impacting MediaTek Dimensity 7300 - a popular Android phone SoC - enabling arbitrary code execution in minutes. Here’s how 🚨
Ledger Donjon retweeted
Charles Guillemet@P3b7_·
⚠️ Our white hat team, the @DonjonLedger, discovered a flaw in Tangem cards that makes brute force attacks possible. As always, the Donjon followed responsible disclosure to inform Tangem, user protection is our priority. We can now reveal our findings in full: 🧵👇
Ledger Donjon@DonjonLedger·
Security leaves no room for error, a single variable mishandled, and the entire security model can collapse. We're excited to share an illustration of this through our recent research on the Tangem card. Big thanks to the @Tangem team for their responsiveness and collaboration!
Charles Guillemet@P3b7_

🚨At Ledger Donjon, we don’t just secure our own products, we help make the entire crypto ecosystem safer. As part of our ongoing security research and responsible disclosure efforts, we identified an important vulnerability in Tangem’s Android app. 👇🧵

Ledger Donjon@DonjonLedger·
Donjon is at @BlackHatEvents Asia this week! Karim (@k15ab_ ) is presenting his research on using deep learning attribution methods for fault injection attacks. Don't miss his presentation: blackhat.com/asia-25/briefi…
Ledger Donjon@DonjonLedger·
Last week at @hardwear_io NL 2024, we showcased some of our attack tools we use in the Donjon, and a live demo of a double fault injection ⚡️⚡️ with the transportable laser bench! Our tools are open-source and presented on our webpage: donjon.ledger.com/tools-suite/
Ledger Donjon@DonjonLedger·
Last week, the Ledger Donjon team joined the NoLimitSecu 🇫🇷 podcast to share Ledger’s vision on wallet security in episode #475, titled 'Sécurité des wallets'. For English speakers, you can use auto-generated subtitles on youtube.com/watch?v=2BpI6i… #ledger #donjon #CyberSecurity
NoLimitSecu@nolimitsecu

#Podcast #Cybersécurité Episode #475 devoted to wallet security, with @IooNag and @b0l0k_ (@Ledger) nolimitsecu.fr/securite-des-w…

Ledger Donjon@DonjonLedger·
This week the Donjon brought its transportable laser bench to the jaif.io/2024 conference in Rennes by train 🚄. A proof that a functional Laser Fault Injection bench is not that impossible to see anywhere. Next step in the Village @hardwear_io NL 2024 conference!
Ledger Donjon@DonjonLedger·
During next @hardware_io conference, @DonjonLedger will showcase tools developed and used for Fault Injection Attacks! Pass by in the Village to see a part of our Tool Suite: Scaffold, Silicon Toaster, Laser Studio, QuickLog, Curmea… operating on our transportable laser bench!
hardwear.io@hardwear_io

Unlock new levels of precision with hardware tools such as Scaffold, Silicon Toaster, and Curmea! 🛠️✨ Ideal for precise perturbations in operations including current regulations, signal generation, process disruption Join @mickm111 at #hw_ioNL2024 👉 hardwear.io/netherlands-20…
