Ledger Donjon uncovered a MediaTek vulnerability that extracts Android pockets seed phrases in underneath 45 seconds, affecting tens of millions of units. CVE-2025-20435.
Ledger Donjon has uncovered a severe MediaTek vulnerability. It lets attackers pull pockets seed phrases from Android telephones in seconds. The telephone doesn’t even must be on.
Charles Guillemet, posting as @P3b7_ on X, broke the findings publicly. He confirmed that @DonjonLedger had as soon as once more found a flaw with severe attain. In response to Guillemet on X, consumer knowledge, together with PINs and seed phrases, may be extracted in underneath a minute, even from a powered-off machine.
The size right here issues. Tens of millions of Android telephones run MediaTek processors. Trustonic’s Trusted Execution Surroundings can be caught on this.
Your Cellphone Off Means Nothing Now
As Guillemet tweeted on X, the Ledger Donjon staff plugged a Nothing CMF Cellphone 1 right into a laptop computer. Inside 45 seconds, the telephone’s foundational safety was gone. No sophisticated setup. No particular {hardware}. Only a laptop computer connection and a timer.
Value a learn: Crypto safety threats are quickly escalating heading into 2026
The exploit by no means even touched Android. As Guillemet posted on X, the assault routinely recovered the PIN, decrypted machine storage, and pulled seed phrases from the preferred software program wallets. All earlier than the working system loaded.
That’s not a small hole. That could be a structural failure.
The Chip Structure Drawback No person Needed to Admit
Normal-purpose chips commerce safety for velocity and ease. Guillemet made that time immediately in his X thread. A devoted Safe Factor retains secrets and techniques remoted from every thing else on the machine. MediaTek chips weren’t constructed that approach. Trustonic’s TEE sits inside the identical chip dealing with on a regular basis duties. Bodily entry collapses that boundary.
You may additionally like: How 2025 grew to become crypto’s most damaging yr for safety
This isn’t the primary time researchers have questioned smartphone safety for crypto customers. It retains coming again to the identical structure hole. Comfort chip versus safety chip. They don’t seem to be the identical factor.
Accountable Disclosure, Then the Repair
Ledger Donjon didn’t launch this publicly with out warning. As Guillemet confirmed on X, the staff adopted a strict accountable disclosure course of with all related distributors. MediaTek confirmed it supplied a repair to OEMs on January 5, 2026. The vulnerability is now publicly listed as CVE-2025-20435.
Should learn: Ledger eyes New York itemizing as crypto pockets hacks surge
OEMs acquired the repair. Whether or not these patches reached finish customers is one other query totally. Android fragmentation is an actual drawback. Older units from smaller producers typically sit unpatched for months.
Why Software program Wallets Took the Hit
Seed phrases saved on a software program pockets dwell contained in the machine. They rely totally on the safety of the chip beneath. When that chip fails, every thing above it fails too.
Guillemet’s thread on X closed with readability on motive. The analysis was not finished to create worry. It was finished so the trade may repair the vulnerability earlier than attackers obtained there first. That window is now closed, a minimum of for this particular flaw.
Associated: Cross-platform pockets drainers are getting tougher to detect
Software program wallets on Android have at all times carried this threat. The MediaTek vulnerability simply put a quantity on it. Forty-five seconds. That’s all it took.