Editorial · Q2 2026 Self-Custody Audit
The 10 best hardware wallets for Bitcoin, reviewed by a custodian who owns each.
Air-gap is the new default. The Bybit $1.5B theft in February 2025 was executed against a connected signing flow, and the hardware-wallet market reorganized around it. We benchmarked 10 ranked devices plus 4 honorable mentions on price, secure-element certification, open-source firmware and the last 24 months of incident history.
Quick picks for 2026.
Six profiles, six picks. The full ranking and 24-month incident disclosures are below.
How we ranked them (no affiliate weights, no marketing fluff).
Six criteria, equal weight. Every wallet on this list is one we own and have set up at least twice. Security incidents in the last 24 months affect the score directly; reimbursement and transparency in response affect it positively.
Secure element + firmware
Certified secure-element chip (EAL5+ minimum, EAL6+ preferred, EAL7 noted). Firmware transparency, reproducible builds, audit history.
Connectivity model
USB only, USB+BLE, NFC-only, QR-only air-gap. Each model has a different threat profile. Bybit’s Feb 2025 attack made QR-only the new gold standard for cold storage.
Open source posture
Full source (firmware + companion app), partial, or closed. Bitcoin-first users treat fully open as a hard requirement.
Last 24 months
Connect-Kit, Recover backlash, support-portal phishing, supply-chain demos. Score adjusts for what happened and how the vendor responded.
Coverage
Bitcoin-only is a feature, not a limitation, for many threat models. Multi-chain adds attack surface but unlocks DeFi.
Setup & daily use
Setup time, companion app quality, mobile parity, partner-software support (Sparrow, Specter, Nunchuk for BTC; MetaMask, Rabby for EVM).
The top 3: our picks.
30 seconds, three picks. Scroll for the receipts.
Trezor Safe 5
- Color touchscreen with haptic feedback, Gorilla Glass 3
- First Trezor with a true secure element (Optiga Trust M)
- Full firmware open source, SLIP-39 Shamir native
Ledger Nano X
- Broadest ecosystem support of any hardware wallet
- Best mobile experience via Bluetooth + iOS/Android Ledger Live
- ST33 EAL5+ secure element, BOLOS OS
NGRAVE Zero
- Only consumer wallet with EAL7 secure-element certification
- 4″ touchscreen, fingerprint, IP55 dust/water rated
- No USB data path, no Bluetooth, no NFC, no WiFi
Wallet × feature: what does what.
Pick the matrix row that matches your threat model. ✓ = native support, ◐ = limited or partial, − = not supported.
| Wallet | Price | Air-gap | Open source | Secure element | Bluetooth | Coins |
|---|---|---|---|---|---|---|
| Ledger Nano X | $149 | − | closed | EAL5+ | ✓ | 5,500+ |
| Trezor Safe 5 | $169 | − | full | EAL6+ | − | 9,000+ |
| NGRAVE Zero | $398 | QR | closed | EAL7 | − | ~1,500 |
| BitBox02 | $118 | − | full | dual chip | ◐ Nova only | BTC or 1,500+ |
| Tangem Wallet 2.0 | $55 (2-card) | NFC | app only | EAL6+ | − | 81 chains |
| COLDCARD Q | $249 | QR+SD | firmware | dual SE | − | BTC only |
| Foundation Passport Core | $199 | QR+SD | full | ATECC608A | − | BTC only |
| Keystone 3 Pro | $149 | QR | firmware | triple SE | − | 5,500+ |
| Cypherock X1 | $159 | USB+NFC | firmware | EAL6+ | − | 9,000+ |
| Blockstream Jade Plus | $149-169 | optional | full | virtual SE | ✓ optional | BTC + Liquid + LN |
Prices verified May 27 2026 direct from vendor stores. “Air-gap” = device cannot exchange data without QR codes or microSD. EAL = Common Criteria Evaluation Assurance Level (higher is better). FOSS posture is per public GitHub repos and reproducible-build status as of publication.
6 self-custody concepts you actually need to know.
Skip the 30-page manuals. These six concepts decide whether a hardware wallet is actually protecting you.
Secure element (SE)
"A chip designed to resist physical extraction"
Tamper-resistant chip that stores the private key and signs transactions in isolation from the main MCU. Certified to Common Criteria EAL5+ minimum, with EAL6+ now standard and EAL7 in only one consumer device.
Air-gap signing
"QR codes and microSD only. No USB, no radios"
Device physically incapable of data exchange. Transactions are passed in and out via camera-scanned QR or microSD card. Eliminates the entire class of attack used in the Bybit Safe{Wallet} compromise.
Open source firmware
"Source code on GitHub, builds are reproducible"
The firmware running on the wallet is auditable by anyone. Reproducible builds mean an independent reviewer can prove the running binary matches the public source. Bitcoin-first users treat this as a hard requirement.
Shamir / distributed-key backup
"Split the key across N cards, need K to recover"
Instead of a 12 or 24-word seed that must be protected as a single secret, the key is mathematically split across multiple physical cards or shares. Recovery needs a quorum (e.g., any 2 of 5). No single point of failure.
PSBT (Partially Signed Bitcoin Transactions)
"A standard for wallets that don't trust the same software"
BIP-174 format that lets multiple wallets cooperate to sign a transaction without trusting each other or sharing keys. Foundation of multi-sig and air-gapped Bitcoin signing.
Passphrase / 25th word
"An optional secret on top of the seed"
An extra string the user remembers, added to the seed phrase to derive a completely separate wallet. Forget it and the wallet is gone forever. Use it and a physical seed extraction is useless without you.
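How the passphrase changes the wallet, as an added example that is not part of the original article: the BIP-39 seed derivation followed by the BIP-32 master-key step, run on the public BIP-39 test-vector mnemonic. The passphrases, including the one-character typo, are constructed sample input.

```python
# Added illustration: BIP-39 seed + BIP-32 root key for several passphrases.
import hashlib
import hmac
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase."""
    def nfkd(text):
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac(
        "sha512", nfkd(mnemonic), nfkd("mnemonic" + passphrase), 2048, 64
    )


def master_key(seed: bytes):
    """BIP-32 root: HMAC-SHA512 keyed with "Bitcoin seed".
    Left 32 bytes are the master private key, right 32 bytes the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


# Public BIP-39 test-vector mnemonic (all-zero entropy), used as sample input.
MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def roots(passphrases):
    """Map each candidate passphrase to the hex master key it derives."""
    return {p: master_key(bip39_seed(MNEMONIC, p))[0].hex() for p in passphrases}


def demo():
    # "" = no passphrase, "TREZOR" = intended passphrase,
    # "TREZ0R" = constructed typo (zero instead of the letter O).
    return roots(["", "TREZOR", "TREZ0R"])


if __name__ == "__main__":
    for phrase, key in demo().items():
        print(repr(phrase), key[:16] + "...")
```

None of the three derivations fails: the passphrase has no checksum, so a mistyped one opens a different, empty wallet rather than reporting an error.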
All 10 Hardware Wallets Compared
| # | Wallet | Best for | Price | Air-gap | Open source | Score |
|---|---|---|---|---|---|---|
| 01 | Ledger Nano X | Multi-chain DeFi | $149 | USB+BLE | closed | 9.2 |
| 02 | Trezor Safe 5 | FOSS touchscreen | $169 | USB only | full | 9.1 |
| 03 | NGRAVE Zero | Highest cert | $398 | QR only | closed | 8.9 |
| 04 | BitBox02 | Swiss FOSS minimalist | $118 | USB | full | 8.8 |
| 05 | Tangem Wallet 2.0 | Gift / non-technical | $55 | NFC | app only | 8.7 |
| 06 | COLDCARD Q | BTC power user | $249 | QR+SD | firmware | 8.7 |
| 07 | Foundation Passport Core | BTC + open source | $199 | QR+SD | full | 8.6 |
| 08 | Keystone 3 Pro | Multi-chain air-gap | $149 | QR | firmware | 8.5 |
| 09 | Cypherock X1 (GEEKCON 2025 disclosure) | Seedless Shamir | $159 | USB+NFC | firmware | 8.0 |
| 10 | Blockstream Jade Plus | BTC budget multi-mode | $149-169 | optional | full | 8.4 |
Score weights: security/SE 25%, incidents 20%, open source 15%, air-gap 15%, coin coverage 10%, UX 15%. Ledger takes #1 despite the Connect-Kit incident because the hardware was unaffected and the company reimbursed all victims within 48 hours; Cypherock drops to 9th because of the unresolved researcher engagement after the GEEKCON 2025 disclosure.
Five incidents every self-custody buyer should already know.
Every wallet on this list with a material exploit, breach, or controversy in the last 24 months is disclosed below. Two of these (Ledger, Cypherock) belong to ranked wallets. The score reflects each incident.
🔴 Ledger Connect-Kit. npm supply-chain attack
A former Ledger employee was phished. The attacker pushed malicious versions 1.1.5 through 1.1.7 of the Connect-Kit npm package, which is loaded by dozens of dApps including Zapper, SushiSwap, Phantom, Balancer and Revoke.cash. Visitors who interacted with those dApps during the ~40-minute window saw a fake wallet-drainer modal injected into the page. The Ledger hardware itself was not compromised: the attack happened at the JavaScript-library layer between the dApp UI and the wallet. Ledger patched within ~40 minutes and reimbursed victims. Full timeline at BleepingComputer and Ledger’s own incident report.
Funds: Reimbursed in full · Library audit + signing process overhauled
Why Ledger Nano X is still ranked #1: The hardware design and secure element worked exactly as intended. The failure was in employee access controls and npm package signing, both of which Ledger restructured publicly. Nothing here changes the wallet’s security model for users who don’t interact with affected dApps during the incident window.
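A check a dApp team can run against its own dependency tree, as an added example that is not part of the original article or Ledger's tooling: it scans an npm lockfile for the Connect-Kit versions named above and flags a manifest that declares the package as a floating range. The npm name `@ledgerhq/connect-kit` is assumed to be the package the article refers to, and all sample data is constructed.

```python
# Added illustration: audit an npm lockfile for the affected Connect-Kit range.
import json

PACKAGE = "@ledgerhq/connect-kit"           # assumed npm name of Connect-Kit
BAD_VERSIONS = {"1.1.5", "1.1.6", "1.1.7"}  # versions the article names


def find_affected(lock: dict) -> list:
    """Return (install path, version) for every affected copy in a lockfile."""
    hits = []
    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if (path.endswith("node_modules/" + PACKAGE)
                    and meta.get("version") in BAD_VERSIONS):
                hits.append((path, meta["version"]))
    else:
        # lockfileVersion 1: nested "dependencies" tree
        def walk(deps, trail):
            for name, meta in deps.items():
                here = trail + [name]
                if name == PACKAGE and meta.get("version") in BAD_VERSIONS:
                    hits.append((" > ".join(here), meta["version"]))
                walk(meta.get("dependencies", {}), here)
        walk(lock.get("dependencies", {}), [])
    return sorted(hits)


def _is_exact(spec: str) -> bool:
    parts = spec.split(".")
    return len(parts) == 3 and all(p.isdigit() for p in parts)


def floating_specs(manifest: dict) -> dict:
    """Sections of package.json that declare PACKAGE as a range rather than an
    exact version; a range lets a fresh install pick up a new release."""
    out = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = manifest.get(section, {}).get(PACKAGE)
        if spec is not None and not _is_exact(spec):
            out[section] = spec
    return out


def scan_file(path: str) -> list:
    """Convenience wrapper for a package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_affected(json.load(fh))


# Constructed sample data (not taken from any real project).
SAMPLE_LOCK_V3 = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp", "version": "0.0.1"},
        "node_modules/@ledgerhq/connect-kit": {"version": "1.1.4"},
        "node_modules/example-sdk/node_modules/@ledgerhq/connect-kit":
            {"version": "1.1.6"},
        # Different package with a similar name: must not match.
        "node_modules/@ledgerhq/connect-kit-loader": {"version": "1.1.5"},
    },
}
SAMPLE_LOCK_V1 = {
    "lockfileVersion": 1,
    "dependencies": {
        "example-sdk": {
            "version": "2.0.0",
            "dependencies": {"@ledgerhq/connect-kit": {"version": "1.1.7"}},
        },
    },
}
SAMPLE_MANIFEST = {"dependencies": {"@ledgerhq/connect-kit": "^1.1.0"}}

if __name__ == "__main__":
    print(find_affected(SAMPLE_LOCK_V3))
    print(find_affected(SAMPLE_LOCK_V1))
    print(floating_specs(SAMPLE_MANIFEST))
```

A lockfile only covers code installed at build time; a library fetched by the page at runtime needs its own pinning and integrity check.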
🟡 Ledger Recover. Firmware-level seed exfiltration controversy
Ledger announced an optional paid recovery service that splits an encrypted copy of the seed phrase across three third-party custodians for users who pass ID verification. The backlash was immediate: critics argued that the firmware capability to extract the seed should not exist at all on a hardware wallet, even if the user has to opt in. A class-action lawsuit followed in 2024. The service launched but remains opt-in.
No funds lost · Lasting reputational hit with self-custody purists
Why it still matters: Recover did not change the technical security of users who don’t enable it. But it set a precedent that the firmware can exfiltrate seed material under user instruction. Bitcoin-first buyers who treat that capability as disqualifying continue to choose Trezor, BitBox or Foundation instead.
🟡 Trezor support-portal phishing. Twice
In January 2024, a third-party ticket portal that Trezor used for support was breached, exposing names and email addresses of approximately 66,000 users. No seed material was extracted (the seed never leaves the device). In June 2025, attackers found a way to abuse Trezor’s ticket auto-reply system to send phishing emails *from* [email protected], prompting users to “verify” their seed via a malicious form. The hardware was untouched; the social-engineering surface is the lesson.
No funds lost via hardware · Customer-data leakage remains a phishing vector
Why Trezor is still #2: The wallet itself is fully open source with an EAL6+ secure element. Support-portal hygiene is a vendor operations issue, not a security architecture issue. Trezor pushed transparent post-mortems and migrated off the affected portal.
🟡 Cypherock GEEKCON 2025. Supply-chain compromise demo
Security research collective DARKNAVY chained multiple vulnerabilities to simulate a supply-chain attack against the Cypherock X1: firmware tampering plus secure-boot bypass to capture mnemonics generated on a compromised device. Cypherock pushed patches to GitHub silently rather than issuing a coordinated disclosure. The security community publicly criticized Cypherock’s response, not the underlying patch quality.
No real-world theft · Researcher engagement publicly criticized
Why Cypherock is still on the list (at #9): The distributed-key Shamir model remains a legitimate technical contribution. The patches landed. But the response damaged trust with security researchers, and that matters for a category where the threat model is “vendor competence under attack.” Score reflects it.
🟡 Ledger Nano X. $214,000 retail-fraud drain
A user purchased a Ledger Nano X from a fake “Ledger Thailand” Lazada storefront. The device was pre-configured with an attacker-controlled seed. The user funded the wallet and the attacker drained it. Ledger’s hardware design was correct; the failure was that the user did not buy direct from the vendor. The incident underscores a rule that applies to every wallet on this list: buy from the vendor’s own website, never from a third-party marketplace.
Funds: Total loss · User error compounded by counterfeit vendor
Why it still affects the score: Ledger’s distribution channels remain a known attack vector that the company has done less than Trezor and Foundation to lock down. Box-seal integrity, Genuine Check at first boot, and direct-only distribution all matter.
🟢 The other 7. No material incidents in 24 months
NGRAVE Zero, BitBox02, Tangem, COLDCARD Q, Foundation Passport Core, Keystone 3 Pro, Blockstream Jade Plus. All have clean records across the 24-month scoring window. Two disclosures are worth a note: Ledger Donjon disclosed a Trezor Safe 3 vulnerability in March 2025 (patched promptly, no theft); and snail-mail phishing campaigns in 2025 targeted Trezor and Ledger customers by name (customer-data weaponization, not hardware compromise).
No protocol or hardware-level incidents in scoring window
All 10 wallets, reviewed in detail.
Founder backgrounds, secure-element specs, real test setup, what worked, what didn’t. Every card links out only to its official referral or vendor store.
1. Ledger Nano X ★ Editor’s pick
+ What worked
Best-in-class mobile experience via Bluetooth Low Energy, with iOS and Android Ledger Live parity. Ecosystem support is unmatched: 5,500 direct integrations plus another 15,000+ via MetaMask, Rabby, Phantom and others. Setup takes 8 minutes. The hardware itself has never been compromised in 11 years on the market.
− What didn’t
The Connect-Kit incident (Dec 2023) was a Ledger supply-chain failure even though the hardware was not at fault. The Recover service still divides the Bitcoin community. Closed-source firmware is a hard no for purists. And the Jan 2025 Lazada fraud showed that distribution-channel hygiene needs work.
Seed: 24 words
Recover: Opt-in (off)
Apps installed: BTC, ETH, SOL
BLE pair: iPhone
2. Trezor Safe 5 ★ Best FOSS
+ What worked
First Trezor with a true secure element (older Trezors relied on MCU + passphrase). Color touchscreen is responsive and the haptic feedback is genuinely useful. SLIP-39 Shamir Backup is supported natively (alternative to a single 12 or 24-word seed). Trezor Suite is the most polished companion app on this list.
− What didn’t
No Bluetooth, no battery, no air-gap mode. Flexibility lags Jade Plus and Passport. iPhone support is read-only. The Jan 2024 + June 2025 support-portal phishing incidents remind users that vendor operations matter even when the hardware is sound.
Reproducible: ✓ Verified
SE firmware: Optiga vendor
SLIP-39: Native
Suite: Desktop + Android
3. NGRAVE Zero
+ What worked
True air-gap with no radios of any kind, no USB data path, no Bluetooth, no NFC, no WiFi. The build quality is the best on this list. Phone-sized, dust- and splash-resistant (IP55), fingerprint sensor that works at the first touch. The included GRAPHENE stainless-steel seed backup is the cleanest physical-seed-storage solution money can buy. EAL7 secure-element certification is the highest tier achieved by any consumer device on the market and was audited under Common Criteria rules with results published. Zero hardware incidents in 24 months and no public CVE on the LIQUID companion app either.
− What didn’t
Closed firmware at $400 is a hard sell. The Bitcoin-only crowd that values this level of security usually also values reproducible builds, and NGRAVE doesn’t ship them. Bitcoin-specific tooling (PSBT workflows, Sparrow/Specter/Nunchuk compatibility) lags Foundation Passport Core at half the price. The LIQUID app supports ~1,500 coins, not the 5,500+ on Ledger or 9,000+ on Trezor. Sourcing from outside the EU sometimes runs into a 4-6 week shipping window.
USB data: None
Cert level: EAL7
Seed backup: GRAPHENE steel
App: LIQUID mobile + QR
4. BitBox02
+ What worked
The Bitcoin-only edition removes the entire altcoin attack surface for users who don’t need it. The dual-chip design isolates the seed on the MCU with the ATECC608A acting as a co-processor for cryptographic operations, a different model from the single-SE designs on Ledger and Trezor. Encrypted microSD backup means no 24-word phrase to write down. Swiss-quality build, fully open source on GitHub with reproducible builds verified by third parties. Tor support and coin-control are built into the desktop app. The newer BitBox02 Nova edition adds Bluetooth Low Energy via an encrypted “Whisper” protocol for iOS, which is the only credible way to use a fully open-source wallet on iPhone in 2026.
− What didn’t
Touch sliders take getting used to. The first 10 minutes of setup feel awkward, especially when entering the optional passphrase. Coin coverage on the Multi edition lags Ledger and Trezor. Brand recall is lower than the big two, so finding YouTube setup walkthroughs requires more digging. The Bitcoin-only edition cannot be switched to Multi later, so the choice is permanent at purchase.
MCU: Encrypted seed
Backup: microSD (included)
Variants: BTC-only / Multi / Nova
App: BitBoxApp + Tor
5. Tangem Wallet 2.0
+ What worked
The form factor is genuinely novel: a credit-card-sized NFC card with no screen, no battery, no firmware update cycle. Optional seedless mode keeps the key on the card forever, never exported. Multi-card redundancy means losing one card doesn’t lose the wallet. The setup-to-first-transaction time is under five minutes, by far the fastest on this list.
− What didn’t
No screen means you have to trust the phone’s display when signing. Lose all cards and the wallet is gone (so the redundancy *is* the backup, which trips up new users). The chip firmware is closed by chip-vendor restriction.
Card 2: Backup (full copy)
Card 3: Backup (optional)
Mode: Seedless or seed-based
App: Tangem iOS / Android
6. COLDCARD Q
+ What worked
Dual-vendor secure elements means a compromise of one chip vendor does not break the device. The full QWERTY keyboard makes passphrase entry tolerable for the first time. Duress PIN (decoy wallet) and brick-me PIN (destroys everything) are features that matter in adversarial threat models. Works with Sparrow, Specter, Nunchuk, BlueWallet, Electrum, Wasabi, BTCPay and Bitcoin Core via PSBT.
− What didn’t
Steep learning curve. This is the wallet for people who already know what PSBT means. 93 grams plus AAA batteries makes it stationary, not carry-around. No altcoin support, which is intentional.
SE 2: Maxim DS28C36B
Air-gap: QR + microSD
Duress PIN: Decoy wallet
PSBT: Native
7. Foundation Passport Core ★ Best BTC-only FOSS
+ What worked
The keypad UX is the most elegant on this list. Entering a passphrase actually feels natural. Assembled in the USA with documented supply chain. The Envoy companion app is the best mobile experience for an air-gapped wallet. Works with every Bitcoin software wallet that supports PSBT.
− What didn’t
Some confusion in 2026 between Passport Core (this device, air-gapped FOSS) and Passport Prime (the newer Bluetooth-enabled SKU launched 2026). Bitcoin-only limits utility for diversified portfolios. Replaceable battery is a feature, but it’s a Nokia BL-5C, which is getting harder to find in stores.
Reproducible: ✓ Verified
Air-gap: QR + microSD only
Built in: USA
App: Envoy mobile + PSBT
8. Keystone 3 Pro
+ What worked
Fingerprint auth on a true air-gapped wallet is genuinely useful, especially compared to entering an 8-digit PIN every time. Supports three simultaneous wallets with separate passphrases on the same device (one decoy, one main, one travel). Anti-tamper auto-wipe if the device is forced open mechanically. The triple-SE stack means a compromise of any single chip vendor (Microchip ATECC608B, Maxim DS28S60, Maxim MAX32520) doesn’t break the wallet. Integrates with MetaMask, Rabby, Solflare, Keplr, BlueWallet and Sparrow via QR scan. Firmware open on GitHub with verified builds.
− What didn’t
QR-only signing adds friction for high-frequency users. Every transaction is two devices and two scans, which adds 30-60 seconds per action versus a connected wallet. Native staking flows for proof-of-stake chains lag Ledger’s MetaMask-integrated EVM experience. The metal frame is heavier than the spec sheet suggests (~150g). The Keystone Hub companion app on desktop is functional but not as polished as Ledger Live or Trezor Suite.
SE 2: DS28S60 (TPM)
SE 3: MAX32520 (fingerprint)
Wallets: 3 simultaneous
Anti-tamper: Auto-wipe
9. Cypherock X1 GEEKCON 2025 disclosure
+ What worked
The only consumer wallet that splits the private key across 5 Shamir shares (need any 2 of 5 to recover). No seed phrase to lose or steal. Geographic distribution of key material is built in by design. Decrypt’s review and several others rated the setup experience as the best in the category for users who hate writing down 24 words.
− What didn’t
DARKNAVY’s GEEKCON 2025 demo chained vulnerabilities to simulate firmware tamper + secure-boot bypass. Cypherock pushed silent GitHub patches rather than running a coordinated disclosure. The security community’s public criticism of the response was the central issue. Setup complexity is genuine. 5 components means 5 things to keep track of.
Cards: 4 × NFC
Recover: any 2 of 5
Seed phrase: None. Never exists
App: cySync desktop + mobile
10. Blockstream Jade Plus
+ What worked
Cheapest Bitcoin-focused multi-mode wallet that supports both daily-use Bluetooth and cold-storage air-gap. Native Liquid Network and Lightning support through Blockstream Green is unique in the category. Genuine Check attestation at first boot. Fully open source with verifiable builds.
− What didn’t
No certified hardware secure element. Blockstream uses an open-source “blind oracle” protocol instead. Approach is novel and fully auditable but has not been stress-tested at the scale of EAL6+ certified chips. Some Bitcoin maximalists prefer Passport or COLDCARD for that reason.
Bluetooth: Mobile (BLE)
QR: Camera in device
Air-gap: Optional cold mode
App: Blockstream Green + Sparrow
4 honorable mentions: specific niches.
These didn’t make the ranked top 10 but solve real problems the main list doesn’t fully cover.
5 wallets to avoid buying new in 2026.
These models still function if you already own one, but they should not show up on a 2026 shopping list.
7 trends reshaping hardware wallets in 2026.
The Bybit $1.5B Safe{Wallet} compromise (Feb 2025) and the rise of QR-only signing reorganized the category in 12 months. Here’s what is driving it.
Buying decision tree: five user profiles.
Skip the rankings. Find your row.
Cheap, on-screen confirmation, well-documented setup. Or Jade Plus at $149 for optional air-gap mode. Or Tangem 2-card pack at $55 for tap-to-sign simplicity.
5,500 direct coins plus 15,000+ via MetaMask, Rabby, Phantom. Best mobile experience via Bluetooth. Trezor Safe 5 is the FOSS alternative if BLE is a hard no.
Air-gapped, fully open source, PSBT-native, no altcoin attack surface. COLDCARD Q at $249 if you want dual-vendor secure elements and a full QWERTY keyboard for passphrase entry.
Two more profiles. Non-technical family gift recipient: Tangem 2.0 at $55 (tap-to-sign, no seed phrase to lose, ceramic durability). Institutional / multi-sig setup: COLDCARD Q + SeedSigner co-signers for vendor-risk separation, or Cypherock X1 + Passport for distributed Shamir + open-source pairing.
6 red flags that should make you walk away.
Buying from Amazon or Lazada or eBay
Every wallet on this list has a direct-from-vendor purchase page. Marketplaces are the #1 source of pre-configured tampered devices. The Jan 2025 Lazada Nano X fraud drained $214K from one buyer. Direct only.
Devices that ship with a “starter seed”
A legitimate hardware wallet generates the seed on the device, in front of you, on first boot. If yours arrives with a printed seed phrase in the box, return it. That’s a counterfeit or a scam.
Wallets without a verifiable secure element
Cheap “hardware wallets” from no-name vendors often use commodity microcontrollers with no tamper resistance. EAL5+ minimum, EAL6+ preferred. If the spec page won’t tell you, the chip probably isn’t certified.
Closed-source companion apps for BTC-only users
Bitcoin-first users should verify that the desktop software (Trezor Suite, Sparrow, Specter, Nunchuk, Ledger Live) is auditable. Closed apps + closed firmware = no way to detect a malicious update.
“24-word verification” emails or letters
No legitimate wallet vendor will ever ask for your seed phrase. The 2025 snail-mail phishing campaign sent physical letters to known Trezor and Ledger customers requesting “seed verification” via QR code. It is always fraud.
Discontinued models on the used market
Ledger Nano S, Trezor Model One, Trezor Model T, KeepKey, original Jade. Even if cheap, they no longer receive new firmware features and many no longer get app updates. Buy current generation.
Your first hardware wallet, in 5 steps.
If you’ve never set one up, this is the safest cold-start. Works the same on Ledger, Trezor, BitBox, Foundation, Keystone, Jade, Tangem.
- 01 Order direct from the vendor.
ledger.com, trezor.io, bitbox.swiss, foundationdevices.com, keyst.one, cypherock.com, store.blockstream.com, coldcard.com, tangem.com. Never a marketplace. Verify the tamper seal on the box; if anything looks disturbed, refuse the package.
- 02 Run Genuine Check or vendor authenticity check at first boot.
Every wallet on this list has a vendor-side process that verifies the device is genuine and the firmware unmodified. Ledger Live, Trezor Suite, BitBoxApp, Envoy and Keystone Hub all run this on first connection. Skip it and you risk a counterfeit.
- 03 Generate the seed on the device, never type it on a phone or computer.
The whole point of a hardware wallet is that the seed never touches a connected device. Write all 12 or 24 words on the included recovery card. Verify each word twice. Never photograph the seed, never type it into a password manager, never email it to yourself.
- 04 Send a small test transaction first.
Before moving real funds, deposit $20-50 and then withdraw it back to a different address you control. Confirm both transactions on the device screen. If anything is wrong with setup, you find out at $50, not $50,000.
- 05 Store the seed in two separate physical locations.
Paper in a fire-resistant safe at home plus a stainless-steel backup at a second location (relative’s house, bank box, secure office). Most hardware-wallet losses are not theft; they are the user losing both the device and the seed in the same disaster.
7 frequently asked questions.
Which hardware wallet is best for Bitcoin in 2026?
For new BTC holders on a budget: Trezor Safe 3 at $59 or Blockstream Jade Plus at $149. For Bitcoin maximalists with $10K+: Foundation Passport Core at $199 or COLDCARD Q at $249 (both fully air-gapped, fully open source, PSBT-native). For multi-chain DeFi users who hold BTC alongside ETH and Solana: Ledger Nano X.
What was the Ledger Connect-Kit hack and is Ledger hardware safe?
On Dec 14 2023, a former Ledger employee was phished and the attacker pushed a malicious version of Ledger’s Connect-Kit npm package, draining roughly $600,000 from users of Zapper, SushiSwap, Phantom, Balancer and Revoke.cash. Ledger patched in about 40 minutes and reimbursed victims. The Ledger hardware itself was not compromised.
Are hardware wallets actually open source?
Some are, most are partially. Fully open source firmware and app: Trezor Safe 5, BitBox02, Foundation Passport Core, COLDCARD Q, Blockstream Jade Plus, SeedSigner. Partially: Keystone 3 Pro, Cypherock X1. Closed: Ledger Nano X and Stax, NGRAVE Zero.
Is air-gapped really safer than USB or Bluetooth?
Yes for most threat models. Air-gapped wallets sign transactions via QR codes or microSD only. No USB data path, no Bluetooth, no wireless. That eliminates entire categories of attack, including the Bybit-style compromise where a malicious UI was injected into a connected signing flow in February 2025.
What is EAL6+ and EAL7 and does it matter?
EAL stands for Evaluation Assurance Level, the Common Criteria security certification scale used for the chip inside the wallet. EAL5+ is the entry tier (Ledger Nano X). EAL6+ is the modern standard (Trezor Safe 5, Ledger Stax, Tangem, Cypherock). EAL7 is currently shipping in only one consumer device: NGRAVE Zero. In practice the difference between EAL6+ and EAL7 is marginal for self-custody; supply-chain hygiene and software design matter more.
Should I avoid Ledger after the Recover controversy?
That is a personal call. Ledger Recover is an optional paid service introduced in 2023 that splits an encrypted copy of your seed phrase across three third-party custodians. Critics argue that the firmware capability to extract the seed should not exist at all. Ledger says Recover requires explicit opt-in and ID verification. Users who do not enable Recover are not affected technically.
Which discontinued wallets should I NOT buy in 2026?
Ledger Nano S (2016 model) reached end-of-life in June 2025. Trezor Model One and Model T were removed from the e-shop on January 8 2026. KeepKey has stagnated under post-ShapeShift-DAO stewardship. The original Blockstream Jade (non-Plus) is superseded by Jade Plus. Existing units still function. Just do not buy new ones.







