Sui Wallet Desktop Security — Kraken-Audited 9.9/10
Sui Wallet Desktop has been audited by Kraken and scored 9.9/10; the full report has not yet been published (see "Independent security audit" below). The code is open source under the MIT license at github.com/sui-wallet-dev/desktop. Private keys are generated and stored locally on your device in OS-native secure storage and are never sent to any server. Pairing with a Ledger hardware wallet is supported and is the recommended configuration for larger balances.
Trust signals
Kraken-Audited 9.9/10 · Open Source (MIT) · Signed Binaries · Local Key Storage · Hardware Wallet Pairing
Independent security audit
Sui Wallet Desktop has been audited by Kraken and scored 9.9/10. The audit covered cryptographic implementation, key management, network surface, dependency hygiene, and operational security posture.
The full audit report is being prepared for public release. Until it is published, the score above is our summary of the audit's conclusion and cannot be checked independently; we will publish the report and link to it from this page as soon as it is available so that it can be. Updates will be announced via the project's GitHub and X account. If you would like advance notice when the report is released, contact contact@suiwallet.net.
Open-source code
Sui Wallet Desktop is open source under the MIT license. Full source code is available at github.com/sui-wallet-dev/desktop. You can review the code for security issues, build the wallet yourself from the tagged source and compare the hash of your build with the published binary, fork the project, or submit pull requests.
Open-source distribution is a deliberate trust commitment. Closed-source wallets ask you to trust the developer; open-source wallets let you verify.
Key storage
Private keys are generated locally on your device when you create a wallet. They are encrypted at rest using your operating system's native secure storage:
- Windows: Windows Credential Manager
- macOS: macOS Keychain
- Linux: libsecret (GNOME Keyring, KDE Wallet, etc.)
Keys are never transmitted to Wallet Connections LLC servers, never uploaded to cloud storage, and never shared with third parties. Note that each of these stores is unlocked for the duration of your OS login session, so software running under your user account may be able to read what it holds; that is why a compromised or unlocked machine is outside the threat model below, and why a Ledger is recommended for larger balances.
Seed phrase
When you create a wallet, Sui Wallet Desktop generates a 24-word BIP39 seed phrase. This seed phrase is the master key — anyone with it can spend your funds.
Store it offline. Write it on paper. Use metal backup if your balance is significant. Never photograph it, save it in a notes app, email it, store it in cloud storage, store it in a password manager, or share it with anyone — including support.
If you lose your seed phrase and the device with the wallet, your funds are unrecoverable. There is no centralized recovery service. This is self-custody. For a deeper guide, see /learn/sui-seed-phrase-guide.
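What the 24 words actually encode, as an added example (not code from Sui Wallet Desktop): 256 bits of entropy followed by an 8-bit SHA-256 checksum, cut into 24 indices of 11 bits each. The checksum is what lets you confirm a written backup was transcribed correctly without touching a wallet. To keep the block self-contained it works on word indices (0..2047) rather than words; mapping words to indices needs the official 2048-word English list, which is not embedded here, and the `words_to_indices` helper takes that list as a parameter. Function names are this example's own; the test vectors (all-zero entropy giving "abandon" x23 + "art", or x11 + "about" for 12 words) are the standard BIP39 ones.

```python
"""BIP39 checksum arithmetic for 12- to 24-word seed phrases.

Added example, not project code. Works on word indices so it runs without the
wordlist. Never type a seed phrase that holds funds into anything that is not
an offline machine you control.
"""
import hashlib

ENTROPY_BYTES = (16, 20, 24, 28, 32)      # -> 12, 15, 18, 21, 24 words
WORD_COUNTS = (12, 15, 18, 21, 24)


def entropy_to_indices(entropy: bytes) -> list:
    """Split entropy || checksum into 11-bit word indices (BIP39 encoding)."""
    if len(entropy) not in ENTROPY_BYTES:
        raise ValueError("entropy must be 16..32 bytes in 4-byte steps")
    cs_bits = len(entropy) * 8 // 32              # 8 checksum bits for 32 bytes
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11  # 264 bits / 11 = 24 words
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_to_entropy(indices: list) -> bytes:
    """Inverse of entropy_to_indices; raises ValueError if the checksum fails.

    A single wrong word is always caught; a transposed pair is caught with
    probability 1 - 2^-8 for 24 words, so the checksum is a typo check, not
    a guarantee.
    """
    n_words = len(indices)
    if n_words not in WORD_COUNTS:
        raise ValueError("phrase must have 12, 15, 18, 21 or 24 words")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range 0..2047")
    cs_bits = n_words // 3
    ent_bytes = (n_words * 11 - cs_bits) // 8
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    checksum = bits & ((1 << cs_bits) - 1)
    entropy = (bits >> cs_bits).to_bytes(ent_bytes, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if checksum != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def is_valid_phrase(indices: list) -> bool:
    """True if the indices form a BIP39 phrase with a correct checksum."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def words_to_indices(words: list, wordlist: list) -> list:
    """Map words to indices with a caller-supplied 2048-word BIP39 list."""
    lookup = {w: i for i, w in enumerate(wordlist)}
    try:
        return [lookup[w] for w in words]
    except KeyError as e:
        raise ValueError("word not in list: %s" % e.args[0])


if __name__ == "__main__":
    # Standard test vector: 32 zero bytes -> "abandon" x23 + "art" (index 102).
    print(entropy_to_indices(bytes(32)))
    print(is_valid_phrase([0] * 23 + [102]), is_valid_phrase([0] * 23 + [103]))
```

Run it with the indices of a backup you have written down and it tells you whether the transcription is internally consistent; it does not, and cannot, tell you whether the phrase is the one your wallet was created from.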
Signed binaries
Every Sui Wallet Desktop installer is cryptographically signed:
- Windows: EV code-signing certificate (verifies publisher: Wallet Connections LLC)
- macOS: Apple Developer ID notarization (Gatekeeper-recognized)
- Linux: detached GPG signature (verify with our public key, and check that the signing key's full fingerprint matches the one we publish)
Verify the signature before running any installer, and check who signed it, not only that a signature validates: on Windows, Get-AuthenticodeSignature on the installer must show Wallet Connections LLC as the signer; on macOS, spctl --assess --type install (or codesign -dv --verbose=4 for the app bundle) must report the Developer ID and Team ID we publish; on Linux, gpg --verify must succeed with a key whose fingerprint matches ours. A valid signature from an unknown signer proves nothing.
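The two checks described above (comparing a self-built binary against the published one, in the open-source section, and verifying the Linux GPG signature against a pinned key fingerprint) as an added example; this is not code from Sui Wallet Desktop. The gpg flags (`--batch --status-fd 1 --verify`) and the `GOODSIG`/`VALIDSIG`/`BADSIG` status-line format are real GnuPG behaviour; the fingerprints, key ID and status transcripts below are constructed placeholders, and the real fingerprint must come from the project's published key, not from this page. Pinning on the fingerprint from `VALIDSIG` matters because `GOODSIG` only carries a 64-bit key ID and a plain `gpg --verify` succeeds for any key in your keyring.

```python
"""Verify a downloaded installer before running it (added example, not project code)."""
import hashlib
import subprocess
from dataclasses import dataclass, field

# Constructed placeholder; the real value comes from the project's published key.
PINNED_FINGERPRINT_EXAMPLE = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def matches_own_build(downloaded: str, self_built: str) -> bool:
    """Reproducible-build check: the published binary must hash identically
    to the one you built yourself from the tagged source."""
    return sha256_file(downloaded) == sha256_file(self_built)


@dataclass
class GpgStatus:
    good: bool = False                                  # GOODSIG seen and nothing rejected it
    fingerprints: set = field(default_factory=set)      # from VALIDSIG: signing key and primary key


def parse_gpg_status(status_output: str) -> GpgStatus:
    """Parse `gpg --status-fd` lines. Only VALIDSIG carries the full 160-bit
    fingerprint; GOODSIG carries a 64-bit key ID that an attacker can collide."""
    st = GpgStatus()
    rejected = False
    for line in status_output.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "GOODSIG":
            st.good = True
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            rejected = True                             # expired/revoked keys still emit VALIDSIG
        elif tag == "VALIDSIG" and len(fields) >= 3:
            st.fingerprints.add(fields[2].upper())      # fingerprint of the signing (sub)key
            if len(fields) >= 12:
                st.fingerprints.add(fields[11].upper())  # fingerprint of the primary key
    st.good = st.good and not rejected
    return st


def signature_trusted(status: GpgStatus, pinned_fingerprint: str) -> bool:
    """Good signature AND made by the key we pinned; web-of-trust state is ignored."""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    return status.good and pinned in status.fingerprints


def verify_installer(artifact: str, signature: str, pinned_fingerprint: str,
                     gpg: str = "gpg") -> bool:
    """Run gpg on a detached signature and pin the signer's fingerprint."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", signature, artifact],
        capture_output=True, text=True)
    return signature_trusted(parse_gpg_status(proc.stdout), pinned_fingerprint)


# Constructed status transcripts in the real --status-fd format, for offline testing.
_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
SAMPLE_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Wallet Connections LLC (release signing)\n"
    "[GNUPG:] VALIDSIG %s 2025-01-01 1735689600 0 4 0 1 8 00 %s\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n" % (_FPR, _FPR))
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(_FPR, _OTHER)       # valid, but not our key
SAMPLE_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Wallet Connections LLC\n"
SAMPLE_EXPIRED = SAMPLE_GOOD.replace("GOODSIG", "EXPKEYSIG")
```

`verify_installer("sui-wallet.AppImage", "sui-wallet.AppImage.sig", PINNED_FINGERPRINT_EXAMPLE)` is the call you would make after importing the project key; the `SAMPLE_*` transcripts exist only so the parser can be exercised without a keyring.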
Hardware wallet pairing
Sui Wallet Desktop supports pairing with Ledger hardware wallets (Nano S Plus, Nano X, Stax, Flex). When paired, the private key for that account is generated and held on the Ledger; the desktop app only sends it transactions to sign, so the key never leaves the device. Always confirm what the Ledger's own screen shows before approving; that display is the one part of the signing flow a compromised computer cannot alter. For larger balances or long-term holding, pairing with a Ledger is the strongest security posture available. Setup walkthrough: /learn/sui-ledger-setup.
Self-custody, no custodian
Sui Wallet Desktop is a non-custodial wallet. You hold your private keys. Wallet Connections LLC has no access to your funds, no ability to freeze accounts, no ability to recover lost wallets, no KYC requirement. The trade-off: if you lose your seed phrase, no one can help you recover.
Threat model — what we defend against, what we don't
We defend against:
- Browser-based attacks on web/extension wallets (we're a native desktop app)
- Compromised download mirrors (signed binaries)
- Tampered code in distribution (signed installers, open-source verification)
- Interception or tampering of RPC traffic in transit (RPC over HTTPS)
- Reading keys from disk at rest, for example from a stolen drive or a backup image (OS-native encrypted storage)
- Unauthorized signing without your approval (every transaction requires explicit confirmation)
We do not defend against:
- Compromise of your operating system at the kernel/admin level
- Physical access to your unlocked computer
- Social engineering attacks where you give your seed phrase to someone
- Credential capture by third-party sites that solicit the seed phrase — the wallet's protection ends once the seed phrase is entered outside its UI
- Malicious dApps that ask you to sign transactions you don't understand (the app shows you what you are signing; it cannot judge whether you should)
- Loss of your seed phrase with no backup
Reporting security issues
If you find a security issue in Sui Wallet Desktop, please report it responsibly to security@suiwallet.net. We will respond within 48 hours. Coordinated disclosure timeline: 90 days from initial report to public disclosure, accelerated if the issue is being actively exploited.
We do not currently operate a paid bug bounty program. Reports are acknowledged in release notes for accepted findings.