The most-shipped hardware wallet in crypto. The default. The one people actually use. There are reasons for that, and there are reasons it’s no longer everyone’s first recommendation.
What it is
A small device with a Bluetooth + USB-C interface, a screen, and a CC EAL5+ certified secure element that holds your private key. You sign transactions on the device — the key never leaves it.
Why it’s the default
- Ecosystem breadth. Ledger Live supports 6,000+ tokens across 50+ chains.
- Mobile experience. The Bluetooth pairing actually works.
- Track record. 12 years of ship-and-iterate.
- Distribution. Available everywhere — though always buy direct from ledger.com.
- Documentation. The Ledger Academy resources are reasonably good.
For a typical retail buyer with a mixed portfolio of tokens across multiple chains, Ledger is the path of least resistance.
The closed-source debate
Ledger’s secure element runs firmware that is closed-source. The argument for: secure-element manufacturers (STMicroelectronics, NXP) require NDA-protected firmware to maintain certification. The argument against: closed-source means users can’t independently verify what the firmware does — they’re trusting Ledger’s claims.
Reasonable security researchers disagree on whether this is a genuine vulnerability or a theoretical one. We treat it as: acceptable for typical retail use, suboptimal for paranoid use, never the right answer for anyone who can’t tolerate any closed-source dependency.
The 2023 “Ledger Recover” controversy
In 2023, Ledger announced an opt-in “Recover” service: encrypt and split your seed across three custodians (Ledger, Coincover, EscrowTech), so you can recover after losing the device. To make this technically possible, Ledger had to confirm that the firmware can extract the seed under specific circumstances.
This contradicted years of Ledger marketing that the seed never leaves the device. Reaction was swift and angry. Many security-conscious users moved to Trezor or Keystone.
Where this lands today:
- The Recover feature is opt-in. If you don’t enable it, the seed doesn’t leave your device.
- But the capability exists in firmware. A future firmware update or a coercive subpoena could in principle change the default.
- Ledger has since shipped firmware that requires explicit user-confirmation for any seed export, but the architectural choice is now public.
If your threat model includes nation-state coercion of Ledger SAS, this matters. For most retail, it doesn’t change the practical security position.
The 2020 data breach
Separate from any hardware question: in 2020, an attacker obtained 1 million Ledger customer emails from a marketing database. Some of these customers received targeted phishing and physical-threat messages. This is bad opsec by a hardware-wallet company, full stop.
If you buy a Ledger:
- Use a dedicated email address that’s not linked to your real identity.
- Don’t store the device near identifying documents.
- Never tell anyone you own one.
This applies to any hardware wallet but is more acute with Ledger because of the breach.
Setup quality
Ledger Live is a reasonable app for setup, transaction signing, and basic portfolio viewing. The setup flow is clear, prompts are sensible, and the seed-display sequence is well-designed.
A few specific best practices for Ledger:
- Skip Ledger Recover. If you want recovery insurance, use a managed multisig service (Casa, Unchained) — same outcome with no firmware-level seed-export capability.
- Use a passphrase. The device supports passphrases natively.
- Update firmware promptly when prompted, after verifying the update notice on Ledger’s site (not via the email you received).
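The firmware-update advice above comes down to checking where a link really goes before trusting it. The following Python is an added example, not Ledger's or this site's code: it triages links found in a message against ledger.com, the official domain this review names. The sample URLs, the function names and the one-character edit-distance threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL = "ledger.com"          # the official domain this review names
BRAND = OFFICIAL.split(".")[0]   # "ledger"

def _displayed(host):
    """Decode punycode (xn--) labels so the host is compared as a user would see it."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host              # already Unicode, or not valid IDNA

def _edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return 'official', 'suspicious' or 'unrelated' for one link."""
    parts = urlsplit(url)
    host = _displayed((parts.hostname or "").rstrip(".").lower())
    if "@" in parts.netloc:
        return "suspicious"      # userinfo can put a trusted name in front of the real host
    if parts.scheme == "https" and (host == OFFICIAL or host.endswith("." + OFFICIAL)):
        return "official"
    for label in host.replace("-", ".").split("."):
        # Fold non-ASCII characters so a single homoglyph counts as one substitution.
        folded = "".join(c if c.isascii() else "?" for c in label)
        if BRAND in folded or _edit_distance(folded, BRAND) <= 1:
            return "suspicious"
    return "unrelated"

# Constructed sample links (assumptions), not taken from any real message.
SAMPLES = [
    "https://www.ledger.com/",
    "http://ledger.com/",                        # official name, but not HTTPS
    "https://ledger.com.wallet-check.example/",  # brand used as a subdomain
    "https://ledger.com@updates.example/",       # brand placed in userinfo
    "https://l\u0435dger.com/",                  # Cyrillic "е" in place of Latin "e"
    "https://example.org/news",
]

def triage(urls):
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES).items():
        print(f"{verdict:10} {url}")
```

Anything not classified as official should be treated as untrusted; type the address by hand instead of following the link.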
What it doesn’t do
- Quantum resistance. ECDSA throughout.
- Air-gapped operation. Some users want a wallet that never touches USB or Bluetooth; Keystone is the better choice there.
- Open-source secure element. Trezor is the choice for that preference.
How to buy without getting a tampered device
- Order direct from ledger.com.
- Verify tamper-evident packaging.
- Set up via Ledger Live (which verifies firmware authenticity).
- Never use a Ledger that came pre-set-up by a seller — that’s a tampered device.
The supply-chain attack on Ledger is real and ongoing — third-party sellers (Amazon, eBay) have shipped tampered devices that immediately drain funds when set up.
Verdict
Ledger Nano X remains a defensible default for most retail. The closed-source firmware and 2023 Recover controversy are real concerns but not disqualifying for typical use. The 2020 customer-data breach is a permanent issue that requires opsec discipline on the buyer’s end.
Score: 7.6/10.
For users who would be more comfortable with open-source firmware → consider Trezor. For users worried about the firmware-can-extract-seed controversy → consider Keystone (air-gapped). For long-hold positions where quantum-resistance is a real concern → see our BMIC review.
For active retail use across a broad token portfolio, Ledger’s ecosystem breadth and mobile experience still make it the most practically usable option.