When a hardware wallet is no longer secure

"End of life" for a hardware wallet is not a marketing event. It is the moment the manufacturer stops shipping firmware patches for a model, at which point any vulnerability discovered after that date stays open. The original Ledger Nano S (not the Plus) reached EOL in late 2024. The Trezor One was deprecated in early 2025 in favor of the Safe 3. KeepKey support has been on life support since ShapeShift sold the brand.

If you are still using a device on this list, the urgency is not "panic and move funds tonight" but "plan a migration within 90 days."

The four-question test for whether your device is still safe

  • When was the last firmware update? Check the manufacturer's release notes. If the most recent release is more than 18 months old and the manufacturer has launched a newer model in the meantime, treat your device as EOL even if it is not formally announced.
  • Is the secure element still considered current? ST33K1M5 (Ledger Nano S Plus, Stax) and Optiga Trust M (Trezor Safe 3, Safe 5) are current. ST31H320 (original Nano S) and ARM TrustZone-M (KeepKey) are aging out.
  • Does the desktop app still receive updates? Ledger Live and Trezor Suite are the connective tissue. If the desktop client no longer ships updates for your device, the chain is broken even if the device hardware is fine.
  • Is the manufacturer still solvent? Coinkite (Coldcard): yes. Ledger, Trezor: yes. Several niche brands from 2018–2020 have gone quiet. A hardware wallet from a dead company is one supply-chain incident away from being unrecoverable.

The migration playbook

Buy a new device from the manufacturer's own website. Initialize it. Generate a fresh seed (do not reuse the EOL device's seed — the migration is also a good moment to refresh). Move funds in descending order of size: highest-value asset first, lowest-value last, to minimize tail risk during the transition window.

If the EOL device's seed has never been typed into a computer and has only ever been entered on the device itself, you can technically continue holding the seed in long-term cold storage as a backup for several more years. But the hardware should not be used for new transactions.
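
The four-question test and the migration ordering above, as an added Python example (not code from this page or from any wallet vendor). The `Device` record, the function names and the sample values are hypothetical; the secure-element lists are copied from the second question.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Secure-element status as listed on this page; other parts are "unverified".
CURRENT_SE = {"ST33K1M5", "Optiga Trust M"}
AGING_SE = {"ST31H320", "ARM TrustZone-M"}

@dataclass
class Device:                      # hypothetical record, filled in by hand
    last_firmware: date            # newest release in the vendor's notes
    newer_model_launched: bool     # successor released since then
    secure_element: str
    desktop_app_updated: bool      # client still ships updates for it
    vendor_active: bool

def add_months(d: date, n: int) -> date:
    """Calendar-month addition, clamping the day (Aug 31 + 6 -> Feb 28/29)."""
    y, m = divmod(d.year * 12 + d.month - 1 + n, 12)
    return date(y, m + 1, min(d.day, calendar.monthrange(y, m + 1)[1]))

def assess(dev: Device, today: date) -> list[str]:
    """Return the questions the device fails; empty means all four pass."""
    failed = []
    # Q1 needs both conditions: firmware older than 18 months AND a successor.
    if today > add_months(dev.last_firmware, 18) and dev.newer_model_launched:
        failed.append("firmware")
    if dev.secure_element in AGING_SE:
        failed.append("secure_element")
    elif dev.secure_element not in CURRENT_SE:
        failed.append("secure_element_unverified")
    if not dev.desktop_app_updated:
        failed.append("desktop_app")
    if not dev.vendor_active:
        failed.append("vendor")
    return failed

def migration_plan(dev: Device, holdings: dict[str, float], today: date):
    """None if the device passes; else (90-day deadline, assets by value desc)."""
    if not assess(dev, today):
        return None
    return today + timedelta(days=90), sorted(holdings, key=holdings.get, reverse=True)

# Constructed sample: dates and balances are made up for illustration.
SAMPLE = Device(date(2023, 3, 15), True, "ST31H320", True, True)
HOLDINGS = {"ETH": 12000.0, "SOL": 800.0, "BTC": 50000.0}  # value in one currency

if __name__ == "__main__":
    print(assess(SAMPLE, date(2025, 1, 10)))
    print(migration_plan(SAMPLE, HOLDINGS, date(2025, 1, 10)))
```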

The "ship of Theseus" rule

Every 3–5 years, the entire custody stack should refresh: device, seed, passphrase, recovery plan. Not because anything is broken — because the threat model evolves. The attacker in 2030 will not look like the attacker in 2024. A custody plan that works against the 2024 attacker may have blind spots against the 2030 one. Scheduled refreshes are how you stay current without depending on a single incident to trigger the move.