Ledger Donjon exposed a MediaTek vulnerability that extracts Android wallet seed phrases in under 45 seconds, affecting millions of devices. CVE-2025-20435.
Ledger Donjon has uncovered a serious MediaTek vulnerability. It allows attackers to pull wallet seed phrases from Android phones in seconds, and the phone doesn’t even need to be on. A remarkable achievement, really.
Charles Guillemet, who goes by @P3b7_ on X, broke the findings publicly. He confirmed that @DonjonLedger had once again discovered a flaw with serious reach. According to Guillemet on X, user data, including PINs and seed phrases, can be extracted in under a minute, even from a powered-off device.
The scale here is significant. Millions of Android phones run MediaTek processors, which is like saying a lot of people use a particular brand of socks, but in this case, it’s a brand of processor that’s now under scrutiny.
Your Phone Off Means Nothing Now, Unless It’s a Very Important Phone That’s Being Watched by a Very Serious Person
As Guillemet tweeted on X, the Ledger Donjon team plugged a Nothing CMF Phone 1 into a laptop. Within 45 seconds, the phone’s foundational security was gone. No complicated setup. No special hardware. Just a laptop connection and a timer. A feat that would make even the most seasoned hacker feel a bit out of their depth.
Worth a read: Crypto security threats are rapidly escalating heading into 2026
The exploit never even touched Android. As Guillemet posted on X, the attack automatically recovered the PIN, decrypted device storage, and pulled seed phrases from the most popular software wallets. All before the operating system loaded. A bit like sneaking into a party before the host has even finished setting up the decorations.
That is not a small gap. That is a structural failure. A bit like building a house on a foundation of jelly and expecting it to last longer than a poorly timed joke.
The Chip Architecture Problem That Nobody Wanted to Admit, But Now It’s Too Late to Pretend It Doesn’t Exist
General-purpose chips trade security for speed and ease. Guillemet made that point directly in his X thread. A dedicated Secure Element keeps secrets isolated from everything else on the device. MediaTek chips were not built that way. Trustonic’s TEE sits inside the same chip handling everyday tasks. Physical access collapses that boundary. It’s like trying to keep a secret in a house where the walls are made of glass and the neighbors are all very curious.
You might also like: How 2025 became crypto’s most damaging year for security
This is not the first time researchers have questioned smartphone security for crypto users. It keeps coming back to the same architecture gap. Convenience chip versus security chip. They are not the same thing. It’s like asking a toaster to perform heart surgery.
Responsible Disclosure, Then the Fix, Which Everyone Was Already Aware Of, But No One Did Anything About
Ledger Donjon did not release this publicly without warning. As Guillemet confirmed on X, the team followed a strict responsible disclosure process with all relevant vendors. MediaTek confirmed it provided a fix to OEMs on January 5, 2026. The vulnerability is now publicly listed as CVE-2025-20435. A process so thorough, it’s almost as if they were preparing for a royal visit.
Must read: Ledger eyes New York listing as crypto wallet hacks surge
OEMs received the fix. Whether those patches reached end users is another question entirely. Android fragmentation is a real problem. Older devices from smaller manufacturers often sit unpatched for months. It’s like giving a band-aid to a broken leg and hoping the patient will remember to apply it.
Why Software Wallets Took the Hit, and Why You Should Probably Be Worried
Seed phrases stored on a software wallet live inside the device. They depend entirely on the security of the chip underneath. When that chip fails, everything above it fails too. It’s like trusting a child with your bank account details and then being surprised when they spend it on candy.
Guillemet’s thread on X closed with clarity on motive. The research was not done to create fear. It was done so the industry could fix the vulnerability before attackers got there first. That window is now closed, at least for this specific flaw. A bit like closing the stable door after the horse has left, but with more technical jargon.
Related: Cross-platform wallet drainers are getting harder to detect
Software wallets on Android have always carried this risk. The MediaTek vulnerability just put a number on it. Forty-five seconds. That is all it took. A time period that is just long enough to check your phone for messages but not long enough to realize you’ve been hacked.
Read More
- Enshrouded: Giant Critter Scales Location
- All Carcadia Burn ECHO Log Locations in Borderlands 4
- Top 10 Must-Watch Isekai Anime on Crunchyroll Revealed!
- Best ARs in BF6
- All Shrine Climb Locations in Ghost of Yotei
- Deltarune Chapter 1 100% Walkthrough: Complete Guide to Secrets and Bosses
- Top 8 UFC 5 Perks Every Fighter Should Use
- Poppy Playtime 5: Battery Locations & Locker Code for Huggy Escape Room
- Scopper’s Observation Haki Outshines Shanks’ Future Sight!
- Keeping Agents in Check: A New Framework for Safe Multi-Agent Systems
2026-03-12 21:26