Ledger Community Erupts! $10 Per Transaction Fee for Cold Wallet Transfers — Is It Reasonable?

GM,

According to Tuesday’s poll results, this article will once again feature human narration. I personally prefer reading my own work aloud, though it does take extra time to record — unlike AI-generated audio, which is much easier 😂. Still, I’ll keep exploring AI tools to see if there’s a balance between efficiency and a human touch. Now, let’s dive in.

Ledger, the leading hardware wallet manufacturer, is in hot water again. The company had previously faced backlash over a user data leak and the launch of its cloud backup service 1, and now its new Ledger Multisig feature has sparked another wave of controversy.

The feature promises a more convenient multisignature experience — but with a catch: it charges per transaction. Each transfer will cost users either $10 or a 0.05% transaction fee, whichever is higher.

Although most users won’t use multisig and thus won’t be affected, the pricing model still angered many. For advanced users, it feels like being charged twice — once when buying the hardware wallet, and again every time they send a transaction. Even more frustrating, the hardware wallet — once prized for being fully offline and self-managed — now acts like a cloud service that pops up to collect tolls every time you move your coins. In this article, we’ll explore why Ledger made this decision, what problem it’s trying to solve, and how users should think about choosing a hardware wallet going forward.

Bybit Hack

Let’s rewind to the late night of February 21, 2025.
Bybit, the world’s second-largest crypto exchange, saw its multisig cold wallet hacked by North Korean attackers 2. Over 400,000 ETH — worth approximately $1.4 billion USD — were stolen. The loss not only set a new all-time record, but was 2.5 times larger than the previous second-largest hack. So far, only $63 million has been frozen. In other words, 95.5% of the stolen assets remain in the hackers’ hands, most of which have long since disappeared without a trace.

Subsequent investigations revealed that Bybit’s private keys were never stolen — the real issue lay in the system architecture itself. Bybit had been using what was then considered the industry’s most secure configuration: the Safe multisig system 3 paired with Ledger hardware wallets. However, there was a critical vulnerability between the two.

At the time, Bybit CEO Ben was performing a routine treasury operation. Safe served as the user interface for initiating transactions on a computer, while Ledger — as an offline device — provided a second layer of verification during signing. Ben first entered the transfer details on the Safe web interface, then manually connected his Ledger and confirmed the transaction on its separate display before signing.

The problem was that Ledger did not yet support “Clear Signing” 4. The hardware wallet’s small display could not show the complex details of a multisig transaction — only an indecipherable string of characters. In other words, Ben was blind signing: unable to verify what he was approving, but forced to press “Confirm” nonetheless.

Even though each transaction was shown on both the Safe web interface and the Ledger’s independent screen, the setup failed catastrophically: the web interface had been compromised by hackers, and the Ledger screen only showed gibberish. The signing process effectively became:
Hacker alters the Safe website → Signer trusts the interface → Ledger signs the tampered transaction. And just like that, Ben unknowingly signed off on transferring 400,000 ETH straight to North Korean hackers.

The incident shattered what had long been seen as the gold standard of multisig cold storage, and it made “blind signing” a problem the entire industry urgently needed to solve. In the aftermath, many wallet manufacturers released updates introducing Clear Signing, allowing individual users to see full transaction details before signing.
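What Clear Signing does for a simple transaction, shown as an added example that is not from the original article, Ledger or Safe: decode the raw payload into readable fields and compare them with what the web interface claims. The addresses, amounts and function names are constructed, and only an ERC-20 `transfer` call is decoded; any other payload is reported as something the signer could only blind sign.

```python
# Added illustration: all addresses, amounts and payloads below are constructed.
TRANSFER_SELECTOR = "a9059cbb"  # 4-byte selector of ERC-20 transfer(address,uint256)

def encode_transfer(to, amount):
    """Build sample calldata: selector + 32-byte padded address + 32-byte amount."""
    return "0x" + TRANSFER_SELECTOR + "00" * 12 + to[2:] + format(amount, "064x")

def decode_calldata(calldata_hex):
    """Return readable fields for a known call, or None when only hex can be shown."""
    body = calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex
    try:
        raw = bytes.fromhex(body)
    except ValueError:
        return None
    if raw[:4].hex() != TRANSFER_SELECTOR or len(raw) != 4 + 32 + 32:
        return None  # unknown function or malformed arguments
    to_word, amount_word = raw[4:36], raw[36:68]
    if any(to_word[:12]):  # an address is left-padded with 12 zero bytes
        return None
    return {"function": "transfer",
            "to": "0x" + to_word[12:].hex(),
            "amount": int.from_bytes(amount_word, "big")}

def review(ui_intent, calldata_hex):
    """Compare what the untrusted web UI claims with what the payload encodes."""
    decoded = decode_calldata(calldata_hex)
    if decoded is None:
        return "BLIND: payload cannot be decoded, signer sees only hex"
    expected = {"to": ui_intent["to"].lower(), "amount": ui_intent["amount"]}
    diffs = [k for k in ("to", "amount") if decoded[k] != expected[k]]
    if diffs:
        return "REJECT: payload differs from UI in " + ", ".join(diffs)
    return "OK: transfer %d to %s" % (decoded["amount"], decoded["to"])

INTENDED = "0x" + "11" * 20   # constructed recipient shown in the UI
OTHER = "0x" + "22" * 20      # constructed recipient in a tampered payload
UI_INTENT = {"to": INTENDED, "amount": 1000}

if __name__ == "__main__":
    print(review(UI_INTENT, encode_transfer(INTENDED, 1000)))
    print(review(UI_INTENT, encode_transfer(OTHER, 1000)))
    print(review(UI_INTENT, "0x12345678" + "00" * 64))
```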

However, these updates mostly covered simple transactions. For organizations using Safe’s multisig system, the issue persisted — because multisig transactions involve smart contracts and multiple signers, Ledger devices still couldn’t properly parse and display their contents, showing only random code. That vulnerability was finally fixed just last week.

Ledger Multisig

Ledger has announced the launch of its new Multisig feature, allowing users to complete full multisignature operations directly on their Ledger device — without ever opening the Safe website. According to the company, this is the fundamental solution to the blind signing problem, marking Ledger’s transition from a mere hardware wallet to a fully integrated secure software-and-hardware platform.

The clearest way to understand Ledger’s new feature is to compare it directly with the Bybit hack. Ben lost 400,000 ETH to hackers because the signing process relied too heavily on the user’s own security awareness. The operator had to manually verify that the information shown on Safe and on Ledger matched. From a cybersecurity perspective, having two independent systems that can cross-check each other is the most secure design. But from a UX (user experience) perspective, that kind of friction easily leads to mistakes. Ben’s failure came precisely at that step.

Ledger’s new feature removes all those “you have to know what you’re doing” steps — instead, the message is: “Just trust Ledger.” Previously, users had to first create a transaction on Safe, then switch to their Ledger device to sign it. Now, Ledger has fully integrated Safe’s multisig mechanism into its own interface. Users can both initiate and sign transactions directly on the same Ledger device, with all details displayed on a single screen.

By removing one layer of switching, there’s one less chance to make a mistake.
But that also means Ledger is taking on all the risk itself. Cold wallets are built on trust. People buy them because they believe the company behind them can maintain strong defenses.

However, this new feature isn’t free — nor is it subscription-based. Instead, Ledger has introduced a rare “per-transaction fee.” Every transaction made using the Ledger Multisig feature costs either $10 per transfer or 0.05% of the transaction amount.

Once the announcement dropped, the community erupted.
Among the critics, Sebastian Bürgel, CTO of GnosisDAO, summed it up best: “Security should not be a paid upgrade. Charging users for it is like taxing their right to be safe.” He also discovered that Ledger’s front-end interface was sending tracking data to third-party services without user consent. Others accused Ledger of betraying the cypherpunk ethos by turning multisig users into cash cows. In my view, the real controversy isn’t about the $10 fee — it’s about the cultural clash behind it.

Cultural Clash

Personally, I don’t find Ledger’s new pricing model all that objectionable. It’s a bit like Tesla — the car runs fine out of the box, but if you want advanced features, you pay to unlock them.

In reality, the vast majority of Ledger users won’t be affected. Only advanced users familiar with the Safe multisig mechanism need to pay attention. If you don’t want to pay, you can still do things the old way — initiate the transaction on Safe, then sign it using your Ledger device. But if you want an all-in-one, seamless experience, Ledger’s new service is undoubtedly more convenient.

The irony is that in the Web3 world, “convenience” and “sovereignty” often stand in tension. People buy hardware wallets precisely to control their own assets — to avoid being charged fees or subject to platform approval. Now, Ledger is introducing a new middle ground: users still self-custody their private keys, but if they want greater convenience, they’ll have to pay for it.

It’s like upgrading from a gasoline car to an electric vehicle. In the old model, once you bought the car, it was fully yours — its best version existed the day you drove it off the lot, and it would only age from there. But EVs are like smartphones: a blend of hardware and software that can be continuously updated — and whose manufacturers can decide which features require extra payment.

I think Ledger’s recent controversies all stem from this transition from a pure hardware product to a hardware–software integrated platform. Its business model is shifting from one-time purchases to ongoing, service-based revenue.

This creates a win-win — new features generate recurring income for the company, while users get a more complete experience. Unfortunately, this also clashes with Web3 culture. A cold wallet has always symbolized “I don’t trust anyone.” Now users are being asked to trust Ledger again. No wonder some accuse Ledger of profiting from disaster, since this feature was introduced in the aftermath of the Bybit hack. When community anxiety turns into a business opportunity, it might make sense — but it still feels uncomfortable.

To me, Web3 isn’t about absolute decentralization — it’s about giving people the freedom to choose between convenience and autonomy based on their needs. I admire Ledger’s courage to explore new models that make those two ideas less binary. In the future, when people pick a hardware wallet, the discussion won’t just be about open-source code or technical specs — it’ll also involve pricing models and trust relationships. Ledger sells trust in its brand; Trezor emphasizes open source.

But if you ask me personally, I don’t fully trust Ledger — and I haven’t yet seen a killer feature worth paying for. I’m fine waiting — you go first.


1 Ledger Recover: The Hot Backup Paradox of Cold Wallets

2 The Most Severe Hack in History! Bybit Exchange Loses $1.5 Billion — How Did North Korean Hackers Breach a Multisig Cold Wallet?

3 Safe Multisig Wallet: A Smarter Vault That’s Even More Secure Than a Cold Wallet

4 Why Was Bybit Hacked? A Full Analysis of Cold Wallet Blind-Signing Risks — Featuring CoolWallet CEO Michael Ou
