Chinese chip used in bitcoin wallets is putting traders at risk
A popular microcontroller installed in billions of Internet of Things (IoT) devices has a severe bug that is exposing bitcoin (BTC) to theft.
The bug — called Critical Vulnerability Error of 2025 number 27840 (CVE-2025-27840) — affects the popular ESP32 chip and allows hackers to exploit module updates to sign unauthorized transactions or even remotely steal private keys.
ESP32, which is found inside hardware wallets like Blockstream Jade that generate signatures for BTC transactions, also has insufficient entropy in its random number generator, allowing brute force guessing of keypairs in debug mode by anonymous attackers.
CryptoDeepTech, a cybersecurity research firm, has already proven its ability to forge transaction signatures in ESP32’s debug channel using the chip’s flawed message hashing.
Indeed, its white hat hackers performed a demonstration of decrypting the private key of a wallet containing 10 BTC.
Read more: Explained: Benefits and drawbacks of a crypto wallet passphrase
Compromised microchip ESP32 puts bitcoin wallets at risk
Bitcoin self-custodians and companies around the world are taking the bug seriously. Not only does the chip have an extensive list of vulnerabilities, but billions of devices around the world already contain it.
Sadly, ESP32’s weaknesses are already physically installed in so many networks that secure value, including BTC, private data, and other computer-secured property. As such, the bug is gaining alarming prominence among cybersecurity practitioners.
In the meantime, white hat researchers are continuing responsible disclosure and have already flagged the bug as a possible vector for state-level theft.
Blockstream has contested reports about any vulnerability of its Jade customers to the ESP32 chip. It claims that the its wallets have no host chip, don’t rely on compromised chips for seed entropy, and don’t use compromised chips to sign bitcoin transactions.
Although its Jade website lists ESP32 as a component, it claims that the role of the ESP32 chip is limited relative to other components and even software code involved in seed phrase generation and transaction signing.
Blockstream employees claim that no Jade users are at risk of theft of funds due to CVE-2025-27840.
Edit 15:48 UTC, Apr 16: Added context provided on social media from Blockstream employees, in final section above.
Edit 16:10 UTC, Apr 17: Replaced citation in fourth paragraph, clarified certain vulnerabilities involving debug mode.
Got a tip? Send us an email securely via Protos Leaks. For more informed news, follow us on X, Bluesky, and Google News, or subscribe to our YouTube channel.