A Security Comparison of Coldcard, Jade, Trezor, and Ledger - Taken Apart Firsthand
A comparison of four hardware wallets from the perspective of attack surface, security model, and software transparency. Evaluated against actual disclosed vulnerabilities and design decisions rather than marketing copy.
The usual criteria for choosing a hardware wallet are price, screen size, and the number of supported coins. This article does not use those criteria. Instead, it looks at the following four:
- How many paths exist by which the secret (seed) can leave the device
- Who can verify the firmware
- How supply chain attacks are defended against
- What vulnerabilities have been discovered in the past, and how were they addressed
Using these criteria, this article covers four widely used products as of 2026: Coldcard Mk4, Blockstream Jade, Trezor Model T / Safe 3, and Ledger Nano X / Stax.
Two Branches of the Security Model
The design philosophy of hardware wallets splits into two main branches.
Open Source approach: Security is staked on "software transparency." The entire firmware is publicly available, and through reproducible builds, anyone can verify that a binary matches its source code. Hardware uses general-purpose microcontrollers, or if a Secure Element is used, all code accessing that SE is made public.
Secure Element approach: Security is staked on "hardware isolation." The seed is stored on a certified security chip from manufacturers such as NXP or ST. The internal workings of these chips are bound by NDA and are not disclosed. In return, they offer design-level resistance to physical attacks such as power analysis and glitch attacks.
These two approaches assume different threats. The former prioritizes "what if the vendor plants a backdoor in the code," while the latter prioritizes "what if an attacker physically seizes my device." Which is correct depends on the user's threat model.
Design Comparison of the Four Products
| Item | Coldcard Mk4 | Blockstream Jade | Trezor Safe 3 | Ledger Nano X |
|---|---|---|---|---|
| Secure Element | Yes (Microchip ATECC608A, dual) | No (general-purpose MCU) | Yes (OPTIGA Trust M) | Yes (ST33, NDA) |
| Open source firmware | Yes (full) | Yes (full) | Yes (full) | Partial (MCU firmware open, SE app closed) |
| Reproducible build | Yes | Yes | Yes | Partial |
| Air-gapped (fully offline) operation | Possible (SD card, PSBT) | Possible (QR code mode) | Not possible (USB required) | Not possible (USB/Bluetooth required) |
| Anti-Exfiltration signing | Supported | Supported | Partially supported | Not supported |
| Default connection method | USB (air-gap possible) | USB, QR, Bluetooth (selectable) | USB | USB, Bluetooth |
| Seed recovery method | BIP39, SeedXOR, Trick PIN | BIP39, SLIP-39 | BIP39, SLIP-39 (Shamir) | BIP39 |
Pros and Cons by Device
Coldcard Mk4
This device pursues self-sovereignty and air-gapped operation in the most extreme way. It can be operated without plugging in USB at all, exchanging PSBTs (partially signed transactions) via SD card. It has a "Duress PIN" feature that allows showing a different wallet under coercion.
The downside is the barrier to entry. The UX is not beginner-friendly, and it is difficult for anyone who does not understand the concept of PSBTs. Additionally, Microchip's ATECC608A SE has a history of being vulnerable to power analysis attacks in the past. Coldcard mitigates this with its dual SE design, but there is also criticism that the inherent opacity of the SE itself is a fundamental risk.
Blockstream Jade
The fact that it does not use a SE is controversial. Blockstream takes the view that "security claims for SEs are unverifiable promises," and instead chose to encrypt the seed using a two-factor blind oracle and store it on a general-purpose MCU.
The advantage is that the hardware is fully verifiable. The schematics and BOM are published, so in theory a user could manufacture their own device. QR code air-gap mode is also supported.
The downside is that defense against physical attack scenarios may be weaker. The possibility of extracting the seed from a lost or stolen device is higher than with SE-based devices. The risk increases if the user does not use a strong PIN.
Trezor Safe 3
Trezor maintained a design without a SE for many years before introducing the OPTIGA Trust M SE in the Safe series. Choosing the Safe 3 or Safe 5 over the Model T (the older model) is the right call as of 2026.
It has a strong open source tradition and supports Shamir Backup (SLIP-39) natively. Firmware update cycles are fast, and discovered vulnerabilities are handled publicly.
The downside is that USB connection is mandatory. It is not an option for users who want fully air-gapped operation. Additionally, there was research by Kraken Security Labs that extracted the seed from the older Model T using power analysis, which remains a valid threat for attackers with physical access.
Ledger Nano X / Stax
The strength of the Secure Element (ST33) is the highest among the four products - the same grade as smart cards used in financial institutions. However, the firmware architecture is closed, limiting external audits of exactly how the "BOLOS" operating system and the Bitcoin app function.
The Ledger Recover service disclosed in May 2023 greatly amplified trust concerns. This service splits the user's seed into three fragments and entrusts them to external institutions for safekeeping. Ledger explained it as an "opt-in feature," but the fact that the firmware supports such a capability itself shook the previous claim that "Ledger cannot extract my seed."
The advantages are usability and the number of supported coins. Mobile integration and Bluetooth are strengths of the Nano X and Stax, but Bluetooth is also an attack surface.
Practical Selection Guide
Self-sovereignty and verifiability as the top priority: Jade or Coldcard. Jade is fully open, Coldcard is air-gapped. A multisig combining both is also possible.
Balance of standard security and convenience: Trezor Safe 3. The UX is the most polished and Shamir Backup is useful.
Daily payments and many coins: Ledger Nano X. If you agree with the security philosophy, usability is at the highest level.
Large funds over $1 million: Multisig is mandatory. Mix different vendors (e.g., Coldcard + Jade + Trezor) to configure a 2-of-3 or 3-of-5. This blocks the scenario where a single vendor's firmware vulnerability wipes out everything.
Supply Chain Security: The First Thing to Do After the Device Arrives
Regardless of which brand you choose, supply chain attacks are a common risk. There have been several real cases where someone opened a device in transit and planted a backdoor seed (notably the 2018 Ledger counterfeit device incident).
Checklist:
- Purchase only from the manufacturer's official site (absolutely no second-hand; be cautious of third-party Amazon sellers).
- Photograph the tamper seal and box condition as a record.
- On first boot, confirm the device is in "new" condition (if a seed is already configured, return it immediately).
- Update firmware to the manufacturer's latest version before generating the seed.
- Engrave the seed on a metal backup (Stonebook, CryptoSteel, etc.) rather than paper.
Summary
No hardware wallet is perfect. Each product assumes a different threat model and accepts different tradeoffs. What matters is defining your own threat model first. Who do you want to defend against? Government forced seizure? A malware-infected laptop? Theft? Malicious interference in the supply chain? The answer changes the choice.
And whatever choice you make, not entrusting all funds to a single device is the single greatest security improvement you can make.
Connected Concepts
- Cold Storage vs Hot Wallet - the full spectrum of Bitcoin storage security
- Self-Custody Guide - the case for holding your own keys
- Bitcoin Security Best Practices - complete security framework