Opinion by: Igor Zemtsov, chief technology officer at TBCC

Crypto security is a ticking time bomb. Updatable firmware might just be the match that lights the fuse.

Hardware wallets have become the holy grail of self-custody, the ultimate safeguard against hackers, scammers and even government overreach. There’s an inconvenient truth, however, that most people ignore: Firmware updates aren’t just security patches. 

They’re potential backdoors, waiting for someone — whether a hacker, a rogue developer or a shady third party — to kick them wide open.

Every time a hardware wallet manufacturer pushes an update, users are forced to make a choice. Hit that update button and hope for the best, or refuse to update and risk using outdated software with unknown vulnerabilities. Either way, it’s a gamble. 

In crypto, a bad gamble can mean waking up to an empty wallet.

Firmware updates aren’t always your friend

Updating firmware sounds like common sense. More security! Fewer bugs! Better user experience!

Here’s the thing: Every update is also an opportunity not just for the wallet provider but for anyone with the power, or motivation, to tamper with the process.

Hackers dream of firmware vulnerabilities. A rushed or poorly audited update can introduce tiny, almost imperceptible flaws — ones that sit in the background, waiting for the right moment to drain funds. And the best part? Users will never know what hit them.

Then there’s the more unsettling possibility: deliberate backdoors.

Recent: Hardware wallet Ledger helps competitor Trezor resolve security vulnerability

Tech companies have been forced to include government-mandated surveillance tools before. What makes anyone think hardware wallet makers are exempt? If a regulatory agency — or worse, a criminal organization — wants access to private keys, firmware updates are the perfect attack vector. One hidden function. One disguised line of code. 

That’s all it takes. Still think firmware updates are harmless? 

Firmware vulnerabilities are already being exploited

This isn’t some far-fetched, doomsday scenario. It has already happened.

Ledger, one of the biggest names in crypto security, had a major security crisis in 2018 when security researcher Saleem Rashid exposed a vulnerability that allowed attackers to replace Ledger Nano S firmware and hijack private keys. Nearly 1 million devices were at risk before a fix was rolled out. The scary part? There was no way for users to know if their devices had already been compromised.

In 2023, OneKey suffered a similar nightmare. White hat hackers demonstrated that its firmware could be cracked in mere seconds. No crypto was lost — this time. But what if real attackers had found the flaw first?

Then came the “Dark Skippy” exploit, taking firmware-based attacks to an entirely new level. With just two signed transactions, hackers could extract a user’s entire seed phrase — without setting off a single alarm. If firmware updates can be manipulated this easily, how can anyone be sure their assets are safe?

The hidden price of updatable firmware

To be fair, not all firmware updates are security disasters. Ledger uses a proprietary operating system and secure element chips for added protection now. Trezor takes an open-source approach, allowing the community to scrutinize its firmware. Coldcard and BitBox02 give users manual control over updates, reducing — but not eliminating — risk.

Here’s the real question: Can users ever be 100% sure that an update won’t introduce a fatal flaw?

Some wallets have decided to eliminate the risk altogether. Tangem ships with fixed, non-updatable firmware, meaning that its code can never be altered once the device leaves the factory. No updates. No patches. 

Of course, this approach has its trade-offs. If a vulnerability is discovered, there’s no way to fix it. But in security, predictability matters. 

Real crypto security means taking back control

The crypto market was worth $2.79 trillion as of March 2025. With that much money on the table, cybercriminals, rogue insiders and overreaching governments are always looking for weak points. Hardware wallet makers should be laser-focused on security.

Choosing a hardware wallet shouldn’t feel like gambling with private keys. It shouldn’t involve blind trust in a corporation’s ability to push updates responsibly. Users deserve more than vague reassurances. They deserve security models that put control where it belongs — with them.

Security isn’t about convenience. It’s about control. Any system that requires trusting unknown developers, opaque update processes or firmware that can be changed at will? That’s not control. That’s a liability.

The only real way to keep a hardware wallet safe? Remove the guesswork. Strip away the blind trust. Always research the developers’ backgrounds, check their track record for security incidents, and see how they’ve handled past vulnerabilities. Stick to verifiable facts — security should never be based on assumptions.

Opinion by: Igor Zemtsov, chief technology officer at TBCC.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Shaquille O’Neal has settled with investors who claim losses from the collapse of cryptocurrency exchange FTX, according to an April 23 filing in the US District Court for the Southern District of Florida.

The settlement amount remains confidential, with terms expected to be disclosed after investors formally request preliminary court approval, according to court documents.

O’Neal and other celebrities and athletes were accused of promoting FTX and allegedly contributing to investor losses by endorsing the now-bankrupt exchange.

The case is part of a broader multidistrict litigation effort, where investors are seeking up to $21 billion in damages from FTX insiders, advisers and promoters, far exceeding the $9.2 billion available through bankruptcy proceedings.

Other celebrities embroiled in similar legal troubles for their roles in FTX include NFL quarterback Tom Brady, supermodel Gisele Bündchen, billionaire investor Kevin O’Leary, former NBA player Udonis Haslem, David Ortiz, Naomi Osaka and others. 

Notably, FTX investors faced challenges in serving O’Neal with legal papers during the early stages of the lawsuit over his promotion of the collapsed exchange.

Lawyers representing the victims described O’Neal as “running from the lawsuit,” after multiple failed attempts to deliver court documents. Legal teams reportedly spent months trying to reach the NBA legend, resorting to creative methods, including attempting service during NBA games and at his residences.

Related: FTX former execs and promoters to settle class-action lawsuit for $1.3M

O’Neal finalizes $11 million settlement over Astrals NFT project

The settlement with FTX investors comes as O’Neal recently agreed to pay $11 million to resolve a class-action lawsuit tied to his involvement in the Solana-based Astrals NFT project.

In May 2023, O’Neal was served with the Astral NFT lawsuit during an NBA game at Miami’s Kaseya Center, formerly the FTX Arena. The class-action lawsuit involved his promotion of the Astrals NFT project, alleging that the NFTs promoted by O’Neal were unregistered securities.

In August 2024, a Miami federal court judge ruled that O’Neal would need to defend some of the claims brought against him in the case. 

Astrals is a Solana-based project featuring 10,000 NFTs, a metaverse called Astralworld and a decentralized autonomous organization (DAO) with a governance token called Galaxy.

Magazine: Ethereum maxis should become ‘assholes’ to win TradFi tokenization race