Two Trezor hardware wallets beside a physical Bitcoin coin.

ZachXBT Called Hardware Wallets ‘Complete Garbage.’ Trezor Says the iPhone Has Its Own Problem

July 17, 2026 7:10 pm Comments

A hardware wallet can keep private keys off an everyday computer. It can also be dead, updating or refusing to connect at the exact moment its owner needs to sign.

That collision between security theory and operational reality is behind an unusually blunt fight over crypto self-custody.

Onchain investigator ZachXBT called current hardware wallets “complete garbage” and recommended a separate iPhone used only as a wallet. Danny Sanders, Trezor’s chief commercial officer, answered that a stripped-down iPhone is still a networked, general-purpose device.

No new exploit started this argument. Both sides are attacking the other setup’s failure modes.

ZachXBT’s complaint is about the transaction that cannot wait.

In his original Telegram post, ZachXBT said he would not use current hardware wallets for important signing or large balances. He singled out Ledger for criticism and argued that a dedicated iPhone—with no ordinary social, browsing or communication use—would be more dependable.

His case is less about extracting a seed from a chip than about batteries, cables, firmware, companion software and changing interfaces. A device that sits untouched for months can wake up several versions behind, while the web application it must connect to may have changed its own requirements.

That can turn an urgent transaction into a chain of updates and troubleshooting. For an onchain investigator, security team or fund moving assets during an exploit, every added dependency can become a point of failure.

The dedicated-phone idea tries to reduce that friction without putting the wallet on the phone used for texts, social apps and casual links. It is still a hot wallet, but it can be a much colder hot wallet than the device in someone’s pocket all day.

ZachXBT later made the operational case more concrete on X:

Trezor’s answer is that convenience does not erase the phone’s attack surface.

In a Friday interview with The Block, Sanders conceded that hardware-wallet tools can be clunky and that updates can interrupt high-value transactions. He also said sophisticated users may need more than one device or setup, rather than pretending one piece of hardware solves every custody problem.

His objection is architectural. Even a spare iPhone contains radios, a large operating system and general-purpose software designed to communicate with the outside world.

Removing the SIM and most apps can reduce exposure, but it does not turn the phone into a purpose-built signer.

A hardware wallet creates a second trust domain. The computer or phone prepares a transaction; the dedicated device holds the key and displays what it is about to sign.

That separation can be valuable when malware changes a destination address on the host screen. It can also protect the seed from a compromised wallet application, provided the seed was generated and backed up correctly.

Sanders’ practical answer was not that power users should blindly trust one Trezor. It was that a stripped-down iPhone can be one part of an advanced system, while a dedicated signing device remains the strongest default for the average self-custody user.

The little screen is the hardware wallet’s strongest argument—and its most ignored feature.

Trezor’s trusted-display documentation says the device screen is meant to show transaction information independently of the connected computer or phone. If malware replaces a copied receiving address, the address shown on the hardware wallet should expose the mismatch before the user approves it.

That protection is not automatic. The owner must actually compare the address and amount on the device, understand what the transaction is doing and refuse to sign when the two screens disagree.

A hardware wallet cannot save someone who taps through a malicious approval without reading it. It also cannot repair a poisoned backup, a seed typed into a fake application or a passphrase the owner has forgotten.

The security model is powerful because the signer is separate. The user remains part of the model.

The iPhone is not a security-free slab of glass.

Apple’s platform-security documentation describes a hardware root of trust, secure boot and a Secure Enclave isolated from the main application processor. Recent iPhones use dedicated hardware to protect encryption material and biometric data, while code signing and application sandboxing add more layers above it.

Those protections are one reason a rigorously configured spare iPhone can be safer than an ordinary daily-use phone. A long passcode, current software, minimal applications and disabled cloud or messaging features can remove many common paths to compromise.

They do not make the phone identical to an offline signer with its own transaction-confirmation screen. The iPhone still runs a broad operating system, and the wallet application still determines how keys are created, stored and used.

The comparison is not “secure hardware versus no hardware.” It is a purpose-built trust boundary versus a highly secured general-purpose computer.

Passphrases expose another tradeoff that neither device can make painless.

The BIP39 specification allows a mnemonic to be combined with an optional passphrase to derive the wallet seed. Every passphrase produces a valid seed, which can create separate wallets from the same recovery words without revealing whether another wallet exists.

That can limit the damage if someone finds the written mnemonic but does not know the passphrase. It also creates a brutal failure mode: there is no “wrong password” message, because a typo simply opens a different, empty wallet.

Forget the passphrase and the funds may be permanently unreachable. Store it beside the recovery words and much of the separation disappears.

Roman Storm argued that the dedicated-phone idea becomes more convincing when mobile wallet software supports strong passphrase handling and air-gapped signing. His response also shows why the debate cannot be reduced to buying one device and checking a box.

The best custody setup is the one that fails gracefully.

For long-term savings that move rarely, a reputable hardware wallet, an offline backup and deliberate on-device verification remain a strong combination. A second tested device can protect against battery failure, damage or a surprise update.

For a security team that must move funds during an active attack, a dedicated phone may provide faster access. That speed should come with a threat model, strict configuration and a rehearsed recovery path—not the assumption that “spare” automatically means safe.

Large balances also should not depend on one signer, one vendor or one person’s memory. Multisignature arrangements and organizational controls can distribute risk, though they add coordination and recovery complexity of their own.

The unglamorous work matters most: test the setup before an emergency, keep firmware and companion software current on a controlled schedule, verify backups without exposing them and know exactly which screen is trusted.

ZachXBT is right that a secure device which cannot complete the transaction is a real operational failure. Trezor is right that replacing a dedicated signer with a general-purpose phone trades one set of risks for another.

The argument is useful because it punctures the industry’s favorite fantasy: that custody becomes safe the moment a user buys the right gadget.

Join the conversation!

We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.