Use Coldcard as the offline parent of a separate Tangem wallet by deriving a dedicated BIP-85 child mnemonic. Never import your Coldcard master seed. The parent stays on Coldcard; Tangem receives one child for the stablecoins and other networks you choose to keep there.
Tangem has an important difference from devices with a screen and keypad: its hardware is screenless, and seed import happens through the Tangem app on a phone. The phone therefore sees the child during setup. BIP-85 keeps that exposure away from the Coldcard parent, but it does not make the Tangem child air-gapped from the phone.
Verified scope: This guide targets current Tangem Hardware Wallet cards and rings that support BIP-39 import. It does not cover Tangem Mobile Wallet or assume that older Classic cards support seed import. Tangem hardware setup, import, and backup behavior were checked against official sources on July 13, 2026.
Why keep Tangem for other assets?
Coldcard is deliberately Bitcoin-only. Many users still need dollar stablecoins, a network used for work or payments, or a token and app integration that Coldcard will not support.
Tangem supports assets and tokens across multiple networks and lets users add supported networks or custom tokens in its mobile app. That broad compatibility and card-sized NFC workflow can be a practical reason to keep Tangem while Bitcoin savings remain under a separate Coldcard wallet.
The broader scope has tradeoffs. More networks, token contracts, dApps, bridges, companion services, and transaction formats mean more decisions and a larger surface to verify. A dedicated child does not erase those risks. It prevents the Tangem recovery secret from also being the Coldcard master.
Every asset derived from the Tangem child still shares one compromise domain. If the child leaks, assume every associated network and token account may be exposed.
Decide whether this design fits Tangem
Tangem offers a valid seedless design: the key is generated inside a card or ring and copied to a set of two or three Tangem devices. No human-readable mnemonic needs to be typed into a phone or stored on paper.
A Coldcard-derived child makes a different trade:
| Design | Main advantage | Main cost |
|---|---|---|
| Tangem seedless setup | No mnemonic is exposed during setup; equivalent devices provide redundancy | Recovery depends on the surviving Tangem set rather than a standard seed |
| Coldcard BIP-85 child | The same parent context and index can reproduce a standard child mnemonic | The child is entered into the phone app, and compromise of the parent reaches every child |
Choose BIP-85 only when deterministic recovery under a Coldcard parent is worth that phone exposure and concentrated parent risk. If your rule is “no seed words ever enter a phone,” use Tangem's native seedless setup or a different device with seed entry on trusted hardware.
Use a child seed, not the master
Entering the Coldcard master words in the Tangem app would expose the root of the Coldcard wallet to a phone and a broad multi-chain environment. It would also make one phrase responsible for both Bitcoin savings and every Tangem account.
Use this hierarchy instead:
Coldcard parent
└── BIP-85: BIP-39 / English / 24 words / index N
└── Tangem child
├── Tangem card or ring A
├── Equivalent backup device B or C
└── Selected network and stablecoin accounts
The same parent context and index reproduce the same 24 words. A compromised child cannot reveal the parent through the BIP-85 construction. A compromised parent can reproduce this Tangem child and every sibling.
This is seed provisioning, not multisig or two-factor signing. After import, any device in the Tangem set can sign for the child without Coldcard.
Verify the Tangem devices and app
Install the official Tangem app from the platform store linked by Tangem. Scan each card or ring before entering the child.
The app should authenticate the Tangem chip and firmware. An unused device should present Create Wallet. If a newly purchased device reports that it is already activated, do not enter the child. The conservative response is to return or exchange it; Tangem also documents factory reset for previously activated devices.
Tangem's authenticity check confirms an important starting condition. It does not verify the phone, destination address, selected network, token contract, dApp request, or future transaction.
Tangem states that its app is open source, while the hardware-wallet firmware is not. The firmware is loaded once and cannot be updated. Treat that as a fixed design tradeoff: it removes firmware-update events, but a shipped device also cannot receive a firmware security fix.
Account for the July 2026 physical attack
On July 9, 2026, Ledger Donjon published a laser fault-injection attack that reset the access password on a Tangem card without the old password or a backup card. The researchers say the attack affects cards currently in circulation, still works when access-code recovery is disabled, and cannot be patched because Tangem firmware is not updatable.
This is not an ordinary wallet theft. The demonstration required physical possession, invasive card preparation, advanced hardware-security expertise, and specialized laboratory equipment that Donjon valued at about USD 250,000. Tangem acknowledges the laboratory attack but argues that its cost, destructive setup, and difficulty make the practical risk to everyday users “virtually non-existent.” The Block's report presents both positions.
The balanced conclusion is operational: keep equivalent Tangem devices in separate locations, do not label a card with identity or value, and treat a lost, stolen, or seized card more urgently when an attacker may know who owns it or what it protects. For a targeted or high-value wallet, use a surviving device to move assets to a new wallet derived at a new BIP-85 index. Restoring another card with the old child does not revoke the missing card's signing authority.
A strong access code still matters against ordinary unauthorized use. It is not a mitigation for this laboratory fault-injection path.
Before you start
Use new, empty Tangem devices. Never reset a funded device until its existing recovery plan has been verified and every asset can be moved safely.
You need:
- a Coldcard Q or Mk5 with the intended parent;
- a verified backup of that parent;
- two or three compatible, empty Tangem cards or rings;
- the current official Tangem app on an updated NFC phone you control;
- a private workspace without cameras, observers, screen sharing, or recording;
- paper for the BIP-85 index and cross-chain recovery inventory;
- small amounts of the correct native fee assets for testing.
Prepare the phone before showing the child. Remove unneeded apps, close remote-access and screen-sharing tools, and do not use a clipboard, password manager, cloud note, screenshot, photo, or voice input for the words.
Tangem says phrase import can be completed without internet access, although creating the card backup later requires internet access to download card-authentication certificates. Offline import can reduce network exposure, but it does not change the central fact that the phone and app process the child.
Derive and import the Tangem seed
1. Confirm the parent context
Sign in to the Coldcard wallet that will act as the parent. Confirm its backup and make sure no unintended BIP-39 passphrase or temporary seed is active.
A passphrase-protected parent can be used, but recovery will require that exact passphrase. Record the context without writing the parent words beside the Tangem metadata.
2. Open BIP-85
Use the path for your model:
- Mk5 and Mk4:
Advanced/Tools > Derive Seed B85 - Q:
Advanced/Tools > Derive Seeds (BIP-85)
Choose BIP-39, English, and 24 words.
3. Assign a dedicated index
Choose one unused index from 0 to 9999. Do not reuse the index assigned to Trezor, Ledger, Keystone, Jade, SeedSigner, a family member, or any other purpose.
Record the recipe before continuing:
Purpose: Tangem multi-asset child
Parent context or wallet label: ________
Standard: BIP-85
Application: BIP-39
Language: English
Words: 24
Index: ________
Tangem devices in set: 2 / 3
Date verified: ________
The index is not a password, but losing the recipe complicates recovery and guessing indexes leaks privacy.
4. Display the child on Coldcard
Let Coldcard display the 24 child words. Do not export them by MicroSD, Virtual Disk, NFC, or QR for this workflow. Every extra digital copy creates another disclosure path.
Keep the words on the Coldcard screen and enter them directly into the Tangem app in a private room. Check every word and its position before submitting. Never use the Coldcard master backup as the source for this step.
5. Import through the Tangem app
In the current Tangem hardware-wallet flow:
- Tap Get started.
- Tap Scan card or ring and scan the first empty device.
- Choose Other options.
- Choose Import wallet.
- Enter the 24-word child manually.
- Leave the optional passphrase empty unless you deliberately designed and documented one.
- Recheck the words against Coldcard, then tap Import and scan the card/ring.
A child passphrase creates another wallet and another recovery secret. Do not add one casually to compensate for the phone exposure; it only helps if its generation, entry, backup, and recovery are all sound.
Create the Tangem device backup
Tangem will prompt you to add one or two empty backup devices. Decide whether the final set will contain two or three before you finalize it. Tangem permits this cloning step only once; if you finish with two devices, you cannot add a third later without resetting and recreating the wallet.
1. Add every intended device
Scan each empty card or ring when prompted and check its displayed identifier. Complete the backup only after the intended set is present.
All devices in the set are equivalent copies of the same key. “Backup card” does not mean a different cosigner, a second factor, or a separate BIP-85 child.
2. Set access codes deliberately
Use a strong, unique access code that is not the Coldcard PIN, phone passcode, BIP-85 index, birthday, or short reusable PIN. Tangem lets you set different access codes on devices after backup; that can reduce one shared-secret failure but increases recovery burden.
Decide whether access-code recovery through another device will remain enabled. Document the choice. Recovery requires another device from the same wallet, so keep at least two usable devices if that recovery path matters.
3. Separate the devices
Store the cards or rings in physically separate locations. Do not keep the whole set with the child mnemonic or the Coldcard parent backup.
If an attacker obtains two devices and access-code recovery is enabled, the backup relationship may help reset an access code. If an attacker has one device plus a strong code, ordinary misuse is harder—but the July 2026 laboratory attack is a separate physical threat.
Verify control before funding
1. Reproduce the child
Exit the first Coldcard display. Return to the same parent context and derive BIP-39, English, 24 words, at the recorded index.
Compare all words and their order with the setup record in private. A mismatch means the parent context, application, word count, language, index, or transcription is wrong. Do not fund the wallet until it is resolved.
2. Test every Tangem device
Open the Tangem app with each device in the set. Confirm that every card or ring opens the same wallet and can authorize a test action with its intended access code.
This checks the set's usability. It is not multisig validation because every device holds equivalent signing authority.
3. Add only required networks and tokens
Enable only the assets and networks you intend to use. For a custom token, obtain the contract or asset identifier from an authoritative project or issuer source and verify that the selected network matches.
A familiar ticker and logo are not enough. Scam tokens can reuse names, and a genuine stablecoin can exist on several incompatible networks.
4. Run a receive-and-spend test per network
For every network you plan to fund:
- Generate a receive address in the Tangem app.
- Confirm the sender is using the same network and compare the full pasted or scanned address with the Tangem app.
- Send a small amount first.
- Confirm it appears on the intended network.
- Send a small amount back, reviewing recipient, asset, network, amount, and fee before scanning the Tangem device.
The receive-and-spend cycle shows that the Tangem set can control the displayed account. It does not provide independent on-card address verification.
Tangem has no screen on the card or ring. Final transaction details are presented by the phone, so the card cannot independently confirm an address for you. For meaningful outgoing transfers, confirm the destination through a separate channel, use saved verified addresses where appropriate, and send a small amount first.
A successful Ethereum test does not prove a Tron, Solana, Polygon, Bitcoin, or other account. Test each funded path separately.
Document multi-chain recovery
The child mnemonic recreates deterministic key material. It does not remember which networks, contracts, accounts, paths, dApps, or app features you used.
Maintain an offline inventory for every funded account:
Tangem wallet label: ________
Tangem device identifiers and locations: ________
Asset and ticker: ________
Network: ________
Token contract or asset identifier: ________
Account number: ________
Derivation path, if known or non-default: ________
Verified receive address: ________
Native fee asset: ________
Required companion or service: ________
Access-code recovery enabled? ________
Last receive-and-spend test: ________
Stablecoin recovery makes this record essential. USDT or USDC on one network is not the same transfer path as the same ticker on another network. The child alone cannot tell a future recovery operator which contract and chain held the balance.
Store the inventory separately from the child words. It is privacy-sensitive but normally cannot spend without a signing device or mnemonic.
Plan for a missing card
If one Tangem device disappears but there is no reason to believe the wallet is targeted, assess the value, circumstances, and remaining recovery paths rather than panicking.
If it was stolen or seized, or the finder may connect it to you and a valuable wallet, use a surviving device to move every asset to a new wallet:
- Choose and record a new, unused BIP-85 index.
- Create a new Tangem child and new card set.
- Test the new accounts on every required network.
- Move assets, leaving enough native fee currency to complete each network.
- Revoke dApp approvals and update any allowlists or payment records tied to old addresses.
- Mark the old child and card identifiers as retired.
Do not merely restore the old child onto replacement cards. That preserves the missing card's signing authority over the same accounts.
Know the limits
The child passes through the phone
Coldcard generates the child offline, but Tangem import requires the child to be entered in the mobile app. BIP-85 protects the parent from that exposure. It does not make the child secret from the phone.
The card cannot verify its own display
Tangem's hardware has no screen. Address, network, amount, token, and contract review occurs on the phone. A compromised phone interface can therefore misrepresent what the user intends unless details are checked through another channel.
Fixed firmware has a fixed vulnerability surface
Tangem's non-updatable firmware removes malicious-update risk, but deployed flaws cannot be fixed in place. The July 2026 laser fault-injection result is a concrete example. Its practical cost is high; its unpatchability is still relevant to targeted physical threat models.
Equivalent cards are not multisig
Two or three Tangem devices improve availability, but each is a copy of the same key. One successfully unlocked or physically compromised card can authorize the wallet alone.
All Tangem assets share the child
If the child mnemonic is stolen, every account derived from it may be exposed. BIP-85 separates the child from the Coldcard parent; it does not isolate the child's networks from one another.
Stablecoins add non-key risks
A hardware signer protects keys. It does not remove issuer, address-blocking, freeze, redemption, smart-contract, bridge, liquidity, or network risk. This guide addresses seed custody and recovery, not the solvency or censorship resistance of a token.
The parent can recover every child
A stolen Coldcard parent backup and required passphrase context can reproduce the Tangem child and all siblings. Protect the parent for their combined value and privacy.
BIP-85 is not multisig independence
Do not derive several supposedly independent multisig cosigners from sibling indexes under one Coldcard parent. Generate cosigner seeds independently so one root compromise cannot recreate the quorum.
Native Tangem setup remains valid
Tangem's seedless card-backup model avoids entering a mnemonic into a phone. Use the BIP-85 design only when deterministic recovery under a Coldcard parent is worth the child exposure, metadata burden, and concentrated root risk.
Sources and verification
Verified on July 13, 2026. Recheck Tangem import screens, device compatibility, backup rules, supported networks, and published security research before publication.
- BIP-85: Deterministic Entropy From BIP32 Keychains
- Coldcard: Export Deterministic Entropy
- Tangem Hardware Wallet overview
- Tangem: Check wallet authenticity
- Tangem: Import a hardware wallet with a seed phrase
- Tangem: How device backup works
- Tangem: Access codes
- Tangem: Firmware and authenticity
- Tangem: Managing tokens
- Tangem: Sending cryptocurrency
- Ledger Donjon: Bypassing Tangem card security with a laser attack
- Tangem's response to the Ledger Donjon research
- The Block: Ledger researchers disclose Tangem card flaw; Tangem responds
- Tether terms: blocking, freezing, and recovery boundaries
- Circle USDC terms: blocking, freezing, and redemption boundaries
Related articles
How to Store a Seed Phrase
Plan physical storage for a child backup that can control several networks.
What Is a Bitcoin Passphrase?
Learn how an exact passphrase changes the parent context and recovery duty.