Hardware wallet
Physical device that stores private keys in an isolated chip and signs transactions offline. Protects funds from malware on the host computer and is considered the standard for cold storage of crypto assets.
Aliases: hardware wallet, cold wallet, hw wallet
A hardware wallet is a dedicated USB or Bluetooth device whose secure chip stores the private key. All transactions are signed inside the device, and only the finished signature ever leaves it. The private key itself never exits the wallet, not even when the device is plugged into a compromised computer.
Models that work with TON
- Ledger Nano S Plus, Nano X, Stax — the main lineup with TON support, both through the TON app in Ledger Live and via Tonkeeper’s Ledger bridge (Tonkeeper desktop or mobile recognises a connected Ledger as a signer).
- Tangem — chip cards with TON support, convenient for offline cold storage and gifting.
- Keystone — air-gapped wallet with QR-based signing, supports TON through third-party integrations.
- Trezor — at time of writing Trezor has no native TON integration; Trezor owners typically reach TON through third-party tooling with caveats. Confirm the current status on the vendor’s site before buying specifically for TON.
Before purchasing, it is worth checking compatibility on the page of the wallet app you plan to use as the bridge. Tonkeeper and MyTonWallet typically maintain an up-to-date list of supported hardware options.
Signing workflow
- The user initiates a transaction in Tonkeeper or Ledger Live on a computer or phone.
- The app builds an unsigned transaction and sends it to the device over USB or Bluetooth.
- The device’s screen shows the key fields: amount, destination address, message type. This is the critical moment — the user must verify what is displayed on the hardware, not what is shown on the computer.
- The user presses a physical confirmation button. The chip inside signs the transaction with the private key.
- The finished signature returns to the app, which broadcasts the transaction to the network.
An attacker may swap the address in the host UI (via clipboard hijacking or a compromised website), but cannot change what is rendered on the Ledger screen itself. That on-device check is therefore not a formality but the primary line of defence.
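The workflow above as a runnable simulation (an added example, not Ledger, Tonkeeper or TON code): a simulated device holds an Ed25519 key, the signature scheme TON wallets use, and signs only the bytes whose fields it displayed. The JSON transaction format, the placeholder addresses and all function names are constructed for illustration; real devices parse TON's binary message format.

```javascript
// Added example: simulates the signing workflow; not vendor firmware or wallet code.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Simulated device: the private key stays inside this closure and is never returned.
function createDevice() {
  const { publicKey, privateKey } = generateKeyPairSync('ed25519');
  return {
    publicKey,
    // approve(display) stands in for the user reading the screen and pressing the button.
    signTransaction(txBytes, approve) {
      const { amount, destination, messageType } = JSON.parse(txBytes.toString('utf8'));
      const display = { amount, destination, messageType };
      if (!approve(display)) return { display, signature: null };
      // The signature covers exactly the bytes that produced the display.
      return { display, signature: sign(null, txBytes, privateKey) };
    },
  };
}

// Host side: serialises the unsigned transaction (constructed JSON, not TON's real format).
function buildUnsignedTx({ amount, destination }) {
  return Buffer.from(JSON.stringify({ amount, destination, messageType: 'transfer' }), 'utf8');
}

// `tamper` models a compromised host rewriting the transaction before the device sees it.
function runWorkflow(intended, tamper) {
  const device = createDevice();
  const txBytes = tamper ? tamper(buildUnsignedTx(intended)) : buildUnsignedTx(intended);
  // The user compares the device screen with the values they meant to send.
  const approve = (d) => d.destination === intended.destination && d.amount === intended.amount;
  return { device, txBytes, ...device.signTransaction(txBytes, approve) };
}

const INTENDED = { amount: '1.5', destination: 'ADDR_RECIPIENT_EXAMPLE' }; // constructed values
const swapAddress = (bytes) =>
  Buffer.from(bytes.toString('utf8').replace(INTENDED.destination, 'ADDR_ATTACKER_EXAMPLE'));

function demo() {
  const honest = runWorkflow(INTENDED, null);
  const swapped = runWorkflow(INTENDED, swapAddress);
  return {
    honestValid: verify(null, honest.txBytes, honest.device.publicKey, honest.signature),
    shownOnDevice: swapped.display.destination, // what the hardware screen reveals
    swappedSigned: swapped.signature !== null,  // user rejects, so nothing is signed
    // Rewriting the bytes after signing breaks the signature instead.
    postSignTamperValid: verify(null, swapAddress(honest.txBytes), honest.device.publicKey, honest.signature),
  };
}
console.log(demo());
```

The protection holds only because `approve` compares the device's display with the intended values; a user who confirms without reading the screen would sign the swapped transaction.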
What it protects against
- Stealers and infostealers. Malware that harvests seeds and keys from browsers and files cannot reach the secure chip.
- Clipboard hijacking. Replacing an address during paste is caught by reading the address back on the device screen.
- OS-level supply-chain attacks. Even a fully compromised Windows machine cannot extract the private key.
Limitations
- Multisig in hardware is constrained. Native TON multisig is not implemented in most hardware devices. In practice the hardware wallet acts as one signer via the Tonkeeper bridge, and the multisig logic itself lives in the smart contract.
- The seed is still the ultimate single point of failure. A hardware wallet protects against remote attacks but not against a leaked seed phrase. If the backup seed gets photographed into a synced gallery, the device no longer helps.
- Cost and UX. Devices cost 60-300 USD, and each transaction requires a physical confirmation step.
- Counterfeit risk. Buy only from official channels. Tampered Ledgers with a preloaded seed phrase show up on marketplaces regularly.
For balances you cannot afford to lose, a hardware wallet is the standard recommendation. Active traders often keep a small hot non-custodial wallet on the phone for day-to-day operations and store the bulk of assets on hardware, connecting via TON Connect to dApps as needed.