Chinese chip used in bitcoin wallets is putting traders at risk

A popular microcontroller installed in billions of Internet of Things (IoT) devices has a severe bug that is exposing bitcoin (BTC) to theft.

The bug — called Critical Vulnerability Error of 2025 number 27840 (CVE-2025-27840) — affects the popular ESP32 chip and allows hackers to exploit module updates to sign unauthorized transactions or even remotely steal private keys.

ESP32, which is found inside hardware wallets like Blockstream Jade that generate signatures for BTC transactions, also has insufficient entropy in its random number generator, allowing brute force guessing of keypairs by anonymous attackers.

Crypto Deep Tech, a cybersecurity research firm, has already proven its ability to forge transaction signatures using the chip’s flawed message hashing and to extract private keys from the chip.

Indeed, its white hat hackers decrypted the private key of a real wallet containing 10 BTC.

Read more: Explained: Benefits and drawbacks of a crypto wallet passphrase

Compromised microchip ESP32 puts bitcoin wallets at risk

Bitcoin self-custodians and companies around the world are taking the bug seriously. Not only does the chip have an extensive list of vulnerabilities, but billions of devices around the world already contain it.

Sadly, ESP32’s weaknesses are already physically installed in so many networks that secure value, including BTC, private data, and other computer-secured property. As such, the bug is gaining alarming prominence among cybersecurity practitioners.

In the meantime, white hat researchers are continuing responsible disclosure and have already flagged the bug as a possible vector for state-level theft.

Got a tip? Send us an email or ProtonMail. For more informed news, follow us on X, Instagram, Bluesky, and Google News, or subscribe to our YouTube channel.