Opinion by: Igor Zemtsov, chief technology officer at TBCC

Crypto security is a ticking time bomb. Updatable firmware might just be the match that lights the fuse.

Hardware wallets have become the holy grail of self-custody, the ultimate safeguard against hackers, scammers and even government overreach. There’s an inconvenient truth, however, that most people ignore: Firmware updates aren’t just security patches. 

They’re potential backdoors, waiting for someone — whether a hacker, a rogue developer or a shady third party — to kick them wide open.

Every time a hardware wallet manufacturer pushes an update, users are forced to make a choice. Hit that update button and hope for the best, or refuse to update and risk using outdated software with unknown vulnerabilities. Either way, it’s a gamble. 

In crypto, a bad gamble can mean waking up to an empty wallet.

Firmware updates aren’t always your friend

Updating firmware sounds like common sense. More security! Fewer bugs! Better user experience!

Here’s the thing: Every update is also an opportunity not just for the wallet provider but for anyone with the power, or motivation, to tamper with the process.

Hackers dream of firmware vulnerabilities. A rushed or poorly audited update can introduce tiny, almost imperceptible flaws — ones that sit in the background, waiting for the right moment to drain funds. And the best part? Users will never know what hit them.

Then there’s the more unsettling possibility: deliberate backdoors.

Recent: Hardware wallet Ledger helps competitor Trezor resolve security vulnerability

Tech companies have been forced to include government-mandated surveillance tools before. What makes anyone think hardware wallet makers are exempt? If a regulatory agency — or worse, a criminal organization — wants access to private keys, firmware updates are the perfect attack vector. One hidden function. One disguised line of code. 

That’s all it takes. Still think firmware updates are harmless? 

Firmware vulnerabilities are already being exploited

This isn’t some far-fetched, doomsday scenario. It has already happened.

Ledger, one of the biggest names in crypto security, had a major security crisis in 2018 when security researcher Saleem Rashid exposed a vulnerability that allowed attackers to replace Ledger Nano S firmware and hijack private keys. Nearly 1 million devices were at risk before a fix was rolled out. The scary part? There was no way for users to know if their devices had already been compromised.

In 2023, OneKey suffered a similar nightmare. White hat hackers demonstrated that its firmware could be cracked in mere seconds. No crypto was lost — this time. But what if real attackers had found the flaw first?

Then came the “Dark Skippy” exploit, taking firmware-based attacks to an entirely new level. With just two signed transactions, hackers could extract a user’s entire seed phrase — without setting off a single alarm. If firmware updates can be manipulated this easily, how can anyone be sure their assets are safe?

The hidden price of updatable firmware

To be fair, not all firmware updates are security disasters. Ledger uses a proprietary operating system and secure element chips for added protection now. Trezor takes an open-source approach, allowing the community to scrutinize its firmware. Coldcard and BitBox02 give users manual control over updates, reducing — but not eliminating — risk.

Here’s the real question: Can users ever be 100% sure that an update won’t introduce a fatal flaw?

Some wallets have decided to eliminate the risk altogether. Tangem ships with fixed, non-updatable firmware, meaning that its code can never be altered once the device leaves the factory. No updates. No patches. 

Of course, this approach has its trade-offs. If a vulnerability is discovered, there’s no way to fix it. But in security, predictability matters. 

Real crypto security means taking back control

The crypto market was worth $2.79 trillion as of March 2025. With that much money on the table, cybercriminals, rogue insiders and overreaching governments are always looking for weak points. Hardware wallet makers should be laser-focused on security.

Choosing a hardware wallet shouldn’t feel like gambling with private keys. It shouldn’t involve blind trust in a corporation’s ability to push updates responsibly. Users deserve more than vague reassurances. They deserve security models that put control where it belongs — with them.

Security isn’t about convenience. It’s about control. Any system that requires trusting unknown developers, opaque update processes or firmware that can be changed at will? That’s not control. That’s a liability.

The only real way to keep a hardware wallet safe? Remove the guesswork. Strip away the blind trust. Always research the developers’ backgrounds, check their track record for security incidents, and see how they’ve handled past vulnerabilities. Stick to verifiable facts — security should never be based on assumptions.

Opinion by: Igor Zemtsov, chief technology officer at TBCC.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

South Korean exchanges Upbit and Bithumb have suspended deposits for Synthetix (SNX) tokens after it was flagged by the Digital Asset Exchange Alliance (DAXA) for potential risks.

DAXA, the self-regulatory organization establishing industry standards for South Korean exchanges, designated SNX as a cautionary item. 

Assets receiving this designation typically undergo rigorous evaluations to determine whether trading can continue or if delisting is necessary.

Exchanges may take action, such as adding a warning tag to the asset and urging investors to take caution when engaging with it. Trading platforms can also perform additional measures, like blocking deposits or suspending trading support temporarily. 

Upbit and Bithumb block SNX deposits

In response to the designation, the biggest exchanges in South Korea said they are blocking deposits for SNX tokens on their platforms. 

Upbit announced that it had added a trading caution ticker and suspended token deposits. The exchange said it had been monitoring the developments related to the Synthetix USD (sUSD) depegging. It added that this event may damage investors through potential volatility, as SNX is used as collateral for sUSD. 

The exchange added that it had determined a lack of use cases for the asset, which may cause investors to suffer losses. Upbit said it would conduct a comprehensive review to decide whether to delist the asset or resume normal operations for the token. 

Bithumb has also blocked deposits for SNX and added a cautionary tag for the token. However, the exchange said this decision could be overturned depending on internal circumstances. If the reason for the designation is resolved, Bithumb said it would lift the restrictions. 

Korbit and Coinone also published investor alerts to caution traders. The two exchanges added cautionary tags to SNX tokens to alert investors who may want to trade the token. 

Cointelegraph reached out to Synthetix for comment but did not get a response by publication. 

Related: South Korean crypto emerges from failed coup into crackdown season

sUSD struggles to recover dollar peg

On April 10, the sUSD stablecoin dropped to a five-year low of $0.83 after struggling to maintain its dollar peg in the first quarter of 2025. With the stablecoin being collateralized by the project’s native asset, Cork Protocol co-founder Rob Schmitt compared the token to Terra USD (UST), which collapsed in 2022. However, Schmitt said that sUSD has a “more manageable” debt system. 

On April 18, the stablecoin dipped further to $0.68, with SNX falling by 26% in a 30-day period. A Synthetix spokesperson told Cointelegraph that their team has short, medium and long-term plans to mitigate the risks. 

On April 21, Synthetix founder Kain Warwick threatened SNX stakers with “the stick” if they didn’t take up a newly launched staking mechanism to fix the sUSD depeg. The executive said they may put extra pressure on stakers if they don’t see enough momentum on the newly implemented mechanism. 

Since the warning, sUSD prices increased by 27%. On April 24, the stablecoin briefly reached $0.87. However, the token has still failed to recover its dollar peg. 

Magazine: Uni students crypto ‘grooming’ scandal, 67K scammed by fake women: Asia Express