New ESP32 Chip Flaw Lets Hackers Steal Bitcoin Keys from Popular Wallets
Key Takeaways:
- ESP32 chips expose crypto wallets and IoT devices to silent attacks.
- Weak security lets thieves steal private keys and fake transactions.
- Experts warn against using insecure chips in blockchain hardware.
A dangerous security flaw has been discovered in the Chinese-manufactured ESP32 chip, a microcontroller embedded in billions of IoT devices, including several popular crypto wallets.
Cybersecurity firm Crypto Deep Tech found the vulnerability, which was officially cataloged as CVE-2025-27840 in March. This bug allows attackers to forge cryptographic signatures and steal private keys without users’ knowledge.
ESP32 Chip Vulnerability Targets Core Cryptographic Operations
Researchers revealed that the flaw stems from multiple weaknesses in the ESP32 architecture, including a weak pseudo-random number generator (PRNG) that makes cryptographic keys dangerously predictable, and a failure to reject invalid private keys (≤ 0).
BREAKING: CRITICAL VULNERABILITY (CVE-2025-27840) IN ESP32 CHIP — A WIDELY USED MICROCONTROLLER — EXPOSES HARDWARE WALLETS TO PRIVATE KEY THEFT pic.twitter.com/vjbtmIJjov
— Coinwaft (@coinwaft) April 16, 2025
Cryptographic flaws in ESP32 chip / Source: Crypto Deep Tech
These design lapses make the chip vulnerable in crypto use cases.
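The range check described above as missing, paired with rejection-sampled key generation, shown as an added example (not code from Crypto Deep Tech, Espressif or any wallet). It goes beyond the "≤ 0" case by also rejecting keys at or above the secp256k1 group order n; `rng_fn`, `stub_rng` and the function names are hypothetical, and in firmware the callback would wrap a properly seeded CSPRNG.

```c
#include <stdint.h>
#include <string.h>

/* secp256k1 group order n, big-endian (public curve constant). */
static const uint8_t SECP256K1_N[32] = {
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
    0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
};

/* Hypothetical RNG callback: fills buf with len random bytes, returns 0 on success. */
typedef int (*rng_fn)(void *ctx, uint8_t *buf, size_t len);

/* Returns 1 only if 1 <= k <= n-1. Every byte is always processed, so there
 * is no early exit that depends on the secret value. */
int privkey_is_valid(const uint8_t k[32]) {
    uint8_t nonzero = 0;
    uint16_t borrow = 0;
    for (int i = 31; i >= 0; i--) {
        nonzero |= k[i];
        uint16_t diff = (uint16_t)(k[i] - SECP256K1_N[i] - borrow);
        borrow = (diff >> 8) & 1;           /* set when this byte underflowed */
    }
    return (nonzero != 0) & (borrow == 1);  /* final borrow set <=> k < n */
}

/* Rejection sampling: draw 32 bytes until they form a valid key. Fails closed
 * (returns -1, output wiped) on RNG error or after max_tries bad draws. */
int privkey_generate(uint8_t out[32], rng_fn rng, void *ctx, int max_tries) {
    for (int t = 0; t < max_tries; t++) {
        if (rng(ctx, out, 32) != 0) break;
        if (privkey_is_valid(out)) return 0;
    }
    memset(out, 0, 32);
    return -1;
}

/* Constructed test RNG: 1st draw all 0x00, 2nd all 0xFF (>= n), then 0x11. */
int stub_rng(void *ctx, uint8_t *buf, size_t len) {
    int *calls = (int *)ctx;
    static const uint8_t fill[3] = {0x00, 0xFF, 0x11};
    memset(buf, fill[*calls < 2 ? *calls : 2], len);
    (*calls)++;
    return 0;
}

int main(void) {
    int calls = 0; uint8_t key[32];
    return privkey_generate(key, stub_rng, &calls, 8) == 0 && calls == 3 ? 0 : 1;
}
```

Because firmware holds keys as unsigned 32-byte buffers, the "≤ 0" condition reduces to the all-zero check; a range check does nothing for predictability, which depends entirely on the quality of the RNG behind the callback.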
“The ESP32 acts as a gateway to sensitive networks and cryptographic credentials,” the report warns.
Wallets like Blockstream Jade face high risks. Attackers can also exploit the chip’s Bluetooth and Wi-Fi capabilities to spoof MAC addresses, manipulate memory, and inject malicious code to steal Bitcoin keys.
In one simulated attack, researchers extracted the private key to a wallet containing 10 BTC without alerting the owners.
ESP32 flaw reveals live crypto wallet with 10 BTC / Source: Crypto Deep Tech
One of the exploit’s most alarming aspects is the electrum_sig_hash function, which is used in Electrum-based wallets.
The function’s flawed logic allows attackers to exploit non-standard message formatting and generate forged ECDSA signatures that validate legitimate Bitcoin transactions.
Due to the ESP32’s support for message prefixing, Bitcoin addresses can be encoded before applying double SHA256 hashing, bypassing typical safeguards and allowing forgery.
Wider Implications Beyond Crypto Wallets
ESP32 chips are embedded in millions of smart home devices, routers, and automation systems. Experts warn that the bug could lead to massive state-level cyberattacks and supply chain compromises.
“This is not just about Bitcoin. It’s about the security of the internet-connected world,” the researchers stated.
Although commercial wallets like Ledger and Trezor incorporate enhanced security, they are not invincible.
A March 13 security audit by Ledger found that Trezor’s Safe 3 and Safe 5 models are vulnerable to supply chain attacks due to their reliance on microcontrollers for key verification and cryptographic operations.
Despite including secure elements, operations such as transaction signing are still carried out on potentially vulnerable microcontrollers.
At @Ledger, you might know that we have the @DonjonLedger, our dedicated team constantly conducting open security research.
We recently worked with Trezor, revealing that their Trezor Safe 3 was susceptible to physical supply chain attacks. Here's a thread on our findings: pic.twitter.com/CORDOQWRYg
Ledger CTO Charles Guillemet emphasized that although these wallets include EAL6+ certified Secure Elements, attackers could still target the microcontroller layer in supply chain attacks.
Growing Threat of Hardware Vulnerabilities
The ESP32 flaw is not an isolated case.
In March 2024, researchers uncovered a serious side-channel vulnerability in Apple’s M-series chips that allowed attackers to extract encryption keys. Because it stems from microarchitectural design flaws, it cannot be patched by software updates.
Even browser-based wallets aren’t safe.
On April 14, a developer filed a lawsuit against Phantom Technologies, claiming the popular Solana-based wallet left private keys exposed in unencrypted browser memory.
The breach resulted in over $500,000 in crypto stolen from three wallets.
The post New ESP32 Chip Flaw Lets Hackers Steal Bitcoin Keys from Popular Wallets appeared first on Cryptonews.