Onchain investigator ZachXBT has criticized hardware wallets as “complete garbage,” saying he does not advise using them and calling Ledger the worst among major providers, according to social-media posts circulating in the crypto community.
The comments, reported by Wu Blockchain and reshared by users on X, came after ZachXBT highlighted another large theft involving a hardware-wallet user. The Defiant reported that ZachXBT said a victim lost more than $282 million worth of Bitcoin and Litecoin in a social-engineering scam on January 10, involving about 2.05 million LTC and 1,459 BTC. The attacker reportedly converted stolen funds into Monero through instant exchanges and used Thorchain to move Bitcoin across networks.
ZachXBT’s statement cuts against one of crypto’s most common security recommendations: use a hardware wallet to avoid keeping private keys on an internet-connected device. Hardware wallets are generally marketed as safer than software wallets because they keep seed phrases and transaction signing isolated from ordinary computers and phones. But ZachXBT’s criticism focuses on a different risk: hardware wallets do not protect users from bad operational security, fake apps, supply-chain leaks, social engineering or transaction-approval mistakes.
That distinction is important. A hardware device can protect a private key from ordinary malware, but it cannot stop a user from entering a seed phrase into a phishing site, approving a malicious transaction, buying a counterfeit device or becoming a target because their personal data was exposed through a vendor or payment processor.
Security Device, Human Target
The latest debate shows how crypto self-custody has evolved from a technical problem into a human-security problem. Hardware wallets can reduce one category of risk, but they often create another: users become responsible for backup storage, seed phrase secrecy, address verification, device authenticity and physical privacy.
ZachXBT’s criticism of Ledger appears to be shaped partly by the company’s long history of privacy controversies and phishing risk. In January, Bit2Me reported that ZachXBT warned of another Ledger-related data exposure involving Global-e, an external payment processor used in Ledger’s sales process. The report said the breach exposed personal information such as names, emails, phone numbers and physical addresses, while noting that users’ private keys and funds were not directly compromised.
That type of breach can still be dangerous. Once criminals know that a person purchased a hardware wallet, they can target them with tailored phishing emails, fake support messages, SIM-swap attempts or even physical intimidation. For high-net-worth crypto holders, identity exposure can be as serious as software vulnerability.
Ledger has also faced years of scrutiny over phishing campaigns, counterfeit devices, fake Ledger Live applications and its controversial Ledger Recover feature, which drew backlash from users worried about key-recovery infrastructure. The company has repeatedly said its devices are designed to keep private keys secure, but critics argue that the broader Ledger ecosystem has exposed users to persistent social-engineering risk.
Self-Custody Needs Better Standards
The controversy does not mean hardware wallets are useless. For many users, a genuine hardware wallet bought directly from the manufacturer and used correctly remains safer than storing funds on an exchange or software wallet. But ZachXBT’s blunt assessment reflects frustration with how hardware wallets are often marketed as a complete security solution rather than one layer in a broader custody strategy.
The $282 million theft illustrates that point. The reported attack was not described as a cryptographic break of a hardware device. It was a social-engineering scam. That means the weakness was not necessarily the device itself, but the operational environment around it: communication channels, user behavior, transaction flow and attacker deception.
For investors, the practical lesson is that self-custody requires layered controls. Large holders may need multisignature wallets, separate signing devices, address allowlists, transaction simulation, dedicated offline machines, physical security precautions and strict rules against entering seed phrases anywhere except on the device itself.
For wallet manufacturers, the message is more uncomfortable. The industry can no longer rely on “not your keys, not your coins” as a simple marketing line. If users are routinely drained through phishing, fake software, leaked customer data and confusing signing flows, then the self-custody experience remains too fragile for mainstream adoption.
ZachXBT’s comments are harsh, but they capture a real shift in crypto security. The question is no longer whether hardware wallets can protect private keys in theory. It is whether ordinary users can survive the entire threat environment around them.







