Ledger Donjon red team

An internal product-security team known as the Donjon works behind strict controls to probe and harden hardware wallet ecosystems, and it does so with the calm focus of a methodical observer. The team practices offensive security by simulating real attacker behavior, and the intent is to find flaws before criminals do. They combine expertise in hardware analysis and software review to test chips, firmware and companion software. Tests range from low-cost fault injections to electromagnetic and laser techniques, and they also explore remote attack chains that target smartphones to extract recovery material. When an exploit succeeds the team documents the vulnerability, assesses exploitability, and drives fixes to remove the risk. Hardware wallets rely on dedicated secure elements and specialized operating systems to isolate private keys, and these layers reduce attack surface when properly implemented. Even so, no device is invulnerable if an adversary obtains prolonged physical access or if a user discloses irreversible secrets. Phishing and social-engineering remain the most prolific routes to theft because they target human trust rather than chips. The Donjon’s work therefore covers the entire lifecycle: design review, fault-injection experiments, firmware audits, and post-release monitoring. This holistic approach shortens the window in which vulnerabilities can be weaponized. Engineers on the team cultivate patience and persistence because many successful attacks require months of study and iterative testing. When a robust attack is demonstrated it serves both as proof and as a lesson for mitigation. Demonstrations are chosen to be controlled and repeatable so that countermeasures can be validated. For users the practical takeaways are straightforward: protect recovery phrases, verify transactions on-device, keep firmware current, and store hardware in secure locations. For product teams the implication is equally clear: threat models must account for both remote and physical vectors, and security design should assume that adversaries will attempt sophisticated fault techniques. By operating as an internal red team that mirrors real-world attackers, the Donjon style of security testing seeks to shift the balance toward defenders and to reduce the chances that a vulnerability will be discovered first by those who would profit from it.