Tangem Wallet Vulnerabilities
September 22, 2025•448 words
Disclosure: author is a reseller for Coinkite
If you're not familiar with Tangem wallet, it's an NFC card that acts as cold storage for different cryptocurrencies by using Near Field Communication to sign transactions and move funds by coordinating with a smart phone. This allows for the master private key to stay on the card, acting as an affordable ($54 for 2 cards as of this writing) cold storage option.
Tangem's main page describes that the key can't be extracted and the card pin can't be brute forced.
Both of these claims have proven to be untrue. Some users were having their seed phrases leaked by being recorded in their phone's logs. These are shared with customer service only by request. They report that this impacted <0.1% of customers but the fact that this is even possible seems like a significant oversight.
Ledger is a competitor that also makes hardware wallets and has a research team (Donjon) that tries to break other devices, disclosing info responsibly so vulnerabilities are less likely to be seen in the wild. The Donjon team demonstrated how the Tangem card pin can be brute forced pretty easily, if only 4 digits.
Address Reuse
Address reuse is the process of receiving to and sending from the same address more than once. It poses a problem for both privacy and (eventually) security. It's a problem for privacy now because anyone who sends you bitcoin can see your other transactions to and from that address on the blockchain. Here's an example of a reused address. It poses a theoretical security risk because for certain address types it reveals info about your address that is only shown when spent and makes is more vulnerable to quantum computers. This is not an issue currently but may be in the future if quantum computers become more stable.
More on that in the Bitcoin wiki
According to Tangem's Seedphrase FAQ, they don't support multiple addresses because they haven't figured out how to do it in a "secure and convenient" manner. While not technically a vulnerability, it's concerning nonetheless that the Tangem team has prioritized other cryptocurrencies rather than basic Bitcoin functionality.
Final Thoughts
If you want an affordable cold storage solution, you could build a SeedSigner (an airgapped Linux computer). Another frugal option is the Coinkite Tapsigner. It's also an NFC card but the keys can only be extracted encrypted, it can produce as many addresses as you need, can be a signer in multisig wallet, and you're not forced to buy 2 or 3 of them. If you buy from my store I'll personally deliver it to you at a SD Bitcoiners Cete.