The 10 best hardware wallets for Bitcoin, reviewed by a custodian who owns each.
Air-gap is the new default. The Bybit $1.5B theft in February 2025 was executed against a connected signing flow, and the market reorganized around it. We benchmarked 10 ranked devices plus 4 honorable mentions on price, secure-element certification, open-source firmware, and two years of incident history.
Trezor Safe 3: Cheapest credible secure-element wallet. Fully open source, two-button UX you’ll learn in 10 minutes.
Ledger Nano X: 5,500+ direct coins, mobile Bluetooth, the broadest ecosystem. Closed firmware is the trade-off.
Passport Core: Air-gapped, fully open source, PSBT-native, with a genuinely beautiful keypad UX.
Tangem 2.0: NFC card, no seed phrase to lose, 25-year warranty, five-minute setup.
NGRAVE Zero: The only consumer wallet at EAL7. True air-gap, no radios of any kind.
COLDCARD Q: Dual-vendor secure elements, full QWERTY keyboard, PSBT-native cold signer.
A hardware wallet keeps your private key on a dedicated, offline device, so even a fully compromised computer can’t sign a transaction without your physical confirmation. The seed never leaves the device. That’s the whole point, and it’s why self-custody beats leaving coins on an exchange.
Most “best hardware wallet” lists rank by affiliate payout. We own every device here and have set each up at least twice. We scored them on secure-element certification, connectivity model, open-source posture and the last 24 months of incidents, including the Ledger Connect-Kit attack and the Cypherock GEEKCON disclosure that other reviews leave out. Below is the ranking, plus the wallet × feature matrix to match a device to your threat model.
How we ranked them, with no affiliate weights
Six criteria, equal weight. Every wallet is one we own. Security incidents in the last 24 months affect the score directly; reimbursement and transparency in response affect it positively.
Secure element + firmware
Certified SE chip (EAL5+ min, EAL6+ preferred, EAL7 noted), firmware transparency, reproducible builds, audit history.
Connectivity model
USB only, USB+BLE, NFC, or QR-only air-gap. Bybit’s Feb 2025 attack made QR-only the new gold standard.
Open-source posture
Full source (firmware + app), partial, or closed. Bitcoin-first users treat fully open as a hard requirement.
Incidents, 24 months
Connect-Kit, Recover backlash, support-portal phishing, supply-chain demos. Score adjusts for what happened and the response.
Coin coverage
Bitcoin-only is a feature for many threat models. Multi-chain adds attack surface but unlocks DeFi.
Setup & daily use
Setup time, companion-app quality, mobile parity, and partner-software support (Sparrow, Specter, Nunchuk, MetaMask).
Match a device to your threat model
Pick the row that matches what you actually need.
| Wallet | Price | Air-gap | Open source | Secure element | Bluetooth | Coins |
|---|---|---|---|---|---|---|
6 self-custody concepts you actually need
Skip the 30-page manuals. These six decide whether a hardware wallet is actually protecting you.
Secure element
Tamper-resistant chip that stores the key and signs in isolation from the main MCU. Certified EAL5+ minimum, EAL6+ standard, EAL7 in one device.
Air-gap signing
Device physically incapable of data exchange. Transactions pass via QR or microSD, eliminating the Bybit-style connected-signing attack class.
Open-source firmware
Firmware auditable by anyone; reproducible builds prove the running binary matches public source. Bitcoin-first users treat it as mandatory.
Shamir backup
The key is split across multiple physical shares; recovery needs a quorum (e.g. any 2 of 5). No single point of failure — no 24-word seed to protect.
PSBT
BIP-174 lets multiple wallets cooperate to sign without sharing keys. The foundation of multi-sig and air-gapped Bitcoin signing.
Passphrase / 25th word
An extra string you remember, added to the seed to derive a separate wallet. Forget it and the wallet is gone; use it and a physical seed extraction is useless without you.
All 10 ranked wallets, side by side
Default order is our overall score.
| Wallet | Score | Price | Air-gap | Open source | Best for |
|---|---|---|---|---|---|
Score weights: security/SE 25%, incidents 20%, open source 15%, air-gap 15%, coins 10%, UX 15%. Buy links are AD · sponsored.
Five incidents every buyer should already know
Every wallet with a material exploit, breach or controversy in the last 24 months is disclosed below. Two belong to ranked wallets (Ledger, Cypherock); the score reflects each.
Our top picks, reviewed in full
The broadest ecosystem of any hardware wallet, and the best mobile experience via Bluetooth. 5,500 direct integrations plus another 15,000+ through MetaMask, Rabby and Phantom. The hardware itself has never been compromised in 11 years on the market — the Connect-Kit failure was a library-layer supply-chain attack, not a device break.
- ✓ Best-in-class mobile via BLE
- ✓ 5,500+ direct, 15,000+ via apps
- ✓ 8-minute setup
- ✓ Hardware never compromised
- ✕ Connect-Kit supply-chain failure
- ✕ Recover still divides the community
- ✕ Closed firmware (a no for purists)
The first Trezor with a true secure element, and the most polished companion app on this list. The color touchscreen is responsive, the haptics are genuinely useful, and SLIP-39 Shamir Backup is supported natively. If Bluetooth is a hard no, this is the FOSS answer to the Nano X.
- ✓ True EAL6+ secure element
- ✓ Fully open, reproducible builds
- ✓ Native SLIP-39 Shamir
- ✕ No Bluetooth, no air-gap mode
- ✕ iPhone support read-only
- ✕ Support-portal phishing history
True air-gap with no radios of any kind, and the best build quality on this list. The included GRAPHENE stainless-steel seed backup is the cleanest physical-storage solution money can buy, and the EAL7 certification is the highest tier any consumer device has achieved. The catch is closed firmware at $400.
- ✓ Only EAL7 consumer device
- ✓ True air-gap, zero radios
- ✓ GRAPHENE steel seed backup
- ✕ Closed firmware at $400
- ✕ BTC tooling lags Passport
- ✕ ~1,500 coins, not 5,500+
Your first hardware wallet, in 5 steps
Never set one up before? This is the safest cold-start. Works the same on Ledger, Trezor, BitBox, Foundation, Keystone, Jade and Tangem.
Order direct from the vendor
ledger.com, trezor.io, bitbox.swiss, foundationdevices.com — never a marketplace. Verify the tamper seal; if anything looks disturbed, refuse the package.
Run Genuine Check at first boot
Every wallet here has a vendor-side check that verifies the device is genuine and the firmware unmodified. Skip it and you risk a counterfeit.
Generate the seed on the device
Write all 12 or 24 words on the recovery card. Never type it on a phone or computer, never photograph it, never store it in a password manager.
Send a small test transaction first
Deposit $20–50, then withdraw it back to an address you control. Confirm both on the device screen. If setup is wrong, you find out at $50, not $50,000.
Store the seed in two separate places
Paper in a fire-resistant safe plus a stainless-steel backup at a second location. Most losses aren’t theft. They come from losing the device and seed in the same disaster.
Four wallets for specific niches
Curved 3.7″ E-Ink touchscreen designed by Tony Fadell, ST33K1M5 EAL6+, Qi wireless charging, USB-C + BLE + NFC. Same security tier as a Nano X in a premium chassis, aimed at aesthetic-driven multi-chain users.
The cheapest secure-element Trezor — 0.96″ OLED, two buttons, 14g, EAL6+, fully open source, BTC-only firmware variant. Best entry-point for first-time buyers on a tight budget.
Raspberry Pi Zero v1.3 + camera + LCD, fully air-gapped, stateless (no persistent key storage), BTC-only via PSBT. Cannot be “drained” because nothing is stored. For sovereignty enthusiasts and multi-sig co-signers.
Zirconia-ceramic wearable with embedded NFC, no screen, no battery, no firmware lifecycle. Same 81 chains as Tangem 2.0, EAL6+, 25-year lifespan. The first production wearable cold wallet, though ring size is fixed at purchase.
Five wallets to avoid buying in 2026
These still function if you already own one, but they shouldn’t appear on a 2026 shopping list.
✕ Ledger Nano S
2016 model, end-of-life June 2025. No further firmware updates or new app integrations. Rotate to Nano S Plus or Nano X.
✕ Trezor Model One
2014 hardware, removed from the e-shop Jan 8 2026. Maintenance patches continue, but no new units — buy a Safe 3 or Safe 5.
✕ Trezor Model T
Removed from the e-shop Jan 8 2026 in favor of the Safe 5. Same support timeline as Model One.
✕ KeepKey
Stagnant under post-ShapeShift-DAO stewardship. Last meaningful hardware refresh was 2017; ecosystem support has thinned.
✕ Original Jade (non-Plus)
Superseded by Jade Plus with a 66% larger screen and integrated camera. No reason to buy the original over the Plus.
Hardware wallets — common questions
Which hardware wallet is best for Bitcoin in 2026?
What was the Ledger Connect-Kit hack — is Ledger safe?
Is air-gapped really safer than USB or Bluetooth?
What is EAL6+ and EAL7, and does it matter?
Are hardware wallets actually open source?