With the increasing popularity of cryptocurrencies such as Bitcoin, there is now a variety of different wallet solutions and products available. Wallet in this context refers to any device or piece of software which store secret keys. Those secret keys are typically used to create and sign transactions (payments, smart contracts, etc.) using ECDSA.
Wallet implementations range from simple open-source software to hardware tokens. Some solutions store the keys in files (possibly encrypted with a passphrase), while others use hardware-based cryptography modules. Hardware-based key storage comes with a lot of advantages. The chips are designed to make it hard to extract keys.
What is often overlooked is that it is hard to verify that the wallet actually does what the manufacturer claims it does. One obvious solution is to not connect the wallet to a computer with Internet access in order to avoid exposure of secrets. However, there are possible cryptographic backdoors called kleptograms that can hide the secret information within the published signatures in a way that is provably undetectable.
The kleptographic attacks were first discovered by Adam Young and Moti Yung in 1997 for classic DSA. The author of this talk has investigated the relevance of this attack for ECDSA in the context of Bitcoin. Note that this attack is not limited to Bitcoin and might be relevant for other ECDSA-based protocols as well.