This article describes a new type of scam called address poisoning that targets Ledger users.
TLDR;
- Beware of scammers sending small amounts of coins or NFTs to "poison" your Ledger Live transaction history.
- They may use Received transactions, NFTs or even dummy Sent or Fees transactions.
- Always double-check your transaction details on your Ledger device to avoid accidentally sending funds to the wrong address.
- Watch out, scam addresses might look very similar to your own.
- Never copy and paste an address from your transaction history.
- You can still use a poisoned account normally. Poisoning an account does not compromise its security.
- We recommend hiding unwanted NFTs in Ledger Live by simply right-clicking on the NFT and choosing Hide NFT Collection.
- Similarly, you can hide unwanted tokens by right-clicking on the token and choosing Hide Token.
Address poisoning is a scam that targets cryptocurrency users, including Ledger users. In this scam, an attacker "poisons" your account by sending you a small amount of crypto—usually USDT, MATIC, or TRX—or sometimes an NFT disguised as a voucher. In some instances, the scammer may even make it appear as if you've initiated a 'Send' transaction.
This deceitful transaction will then appear in your Ledger Live transaction history, and the scammer's address may be designed to resemble your own.
The scammer's hope is that you'll mistakenly copy their address from your transaction history and send funds to their account instead of a legitimate one.
Yes, address poisoning can take the form of a Received transaction or a "dummy" Sent or Fees transaction.
Scammers can create these dummy transactions by triggering a smart contract (like USDT) from any address, as long as the value transferred is zero and the fee is paid. Don't worry, no value was actually transferred from your account. These dummy transactions are meant to deceive you into believing that you sent funds to their address in the past.
Sophisticated scammers are able to use open-source software to craft addresses designed to look like your own Ledger address.
A sophisticated scammer might be able to craft an address that shares the same first four or five characters and the last four or five characters. This is why checking every single character is extremely important when sending or receiving crypto with your Ledger device.
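The check below is an added example, not Ledger's code or part of the original article: it compares every character of a destination against a trusted address book and flags history entries that are zero-value transfers or that only match a trusted address at the first and last characters. It assumes EVM-style hex addresses; the `Transfer` record, the function names and all sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Transfer:
    direction: str     # "in" or "out", as the history displays it
    counterparty: str  # the other address in the transfer
    amount: int        # token amount in base units

def norm(addr):
    # EVM hex addresses compare case-insensitively (casing is only a checksum).
    return addr.lower().removeprefix("0x")

def classify_destination(candidate, trusted, edge=4):
    """Compare every character against the address book; flag edge-only matches."""
    c = norm(candidate)
    known = {norm(t): t for t in trusted}
    if c in known:
        return ("exact", known[c])
    for n, original in known.items():
        if c[:edge] == n[:edge] and c[-edge:] == n[-edge:]:
            return ("lookalike", original)
    return ("unknown", None)

def flag_poisoning(history, trusted, edge=4):
    flagged = []
    for tx in history:
        verdict, imitated = classify_destination(tx.counterparty, trusted, edge)
        reasons = []
        if tx.amount == 0:
            reasons.append("zero-value transfer")
        if verdict == "lookalike":
            reasons.append(f"imitates {imitated}")
        if reasons:
            flagged.append((tx.counterparty, reasons))
    return flagged

# Constructed sample data, not real addresses.
TRUSTED = "0x1a2b" + "c3" * 16 + "9f8e"
LOOKALIKE = "0x1a2b" + "7d" * 16 + "9f8e"
OTHER = "0x" + "5e" * 20
HISTORY = [
    Transfer("out", LOOKALIKE, 0),     # dummy Sent entry
    Transfer("in", LOOKALIKE, 1),      # dust Received entry
    Transfer("in", OTHER, 5_000_000),  # ordinary deposit
    Transfer("out", TRUSTED, 1_000),   # ordinary payment
]

if __name__ == "__main__":
    print(flag_poisoning(HISTORY, [TRUSTED]))
```

A "lookalike" verdict depends on how many edge characters are compared, which is why only the "exact" result should ever be treated as a match.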
Address poisoning can take place on any account-based blockchain like Ethereum. However, blockchains like Polygon, Tron or Binance Smart Chain are also frequently targeted because of their cheap transaction fees which make it easy to deploy the scam at scale to thousands of users.
No, blockchain networks are public so it's very easy for scammers to sample a very large number of addresses from any block explorer and poison these addresses.
The scammer did. The unwanted transaction was paid in full by the scammer who poisoned your account.
Yes, you can keep using a poisoned account normally. Poisoning an account does not compromise it. The only way to compromise your account is to share your 24-word recovery phrase with a scammer.
Yes, but only if you avoid any interactions with them. Do not transfer or send an unwanted NFT to another account or a burn address; doing this will trigger the potentially malicious smart contract tied to the NFT. Instead, right-click on the NFT and select Hide NFT Collection to hide it from view.
Yes, but only if you avoid any interactions with the unwanted tokens. Do not transfer or send unwanted tokens to another account or a burn address; doing this will trigger the potentially malicious smart contract tied to the tokens. Instead, right-click on the token balance and select Hide Token to hide it from view.
Clicking or following a link embedded in a malicious NFT is not enough to compromise your wallet. The only ways your wallet can be at risk are if you share or type out your 24-word recovery phrase, or if you sign a malicious transaction with your Ledger device. However, a malicious link might direct you to a scam website that will try to trick you into sharing your recovery phrase or signing a harmful transaction that could give the attacker access to your accounts. When faced with an unwanted NFT with a link, it's best to observe the following rules:
- Avoid any interaction with links or websites associated with the NFT
- Refrain from sending the NFT to another account or burn address
- Simply hide the NFT in Ledger Live by right-clicking on the NFT then selecting Hide NFT Collection
- Never share your 24-word recovery phrase or type it into any website or app.
While address poisoning cannot be stopped, it can be easily defeated by observing best practices with regard to sending and receiving crypto with your Ledger wallet:
- Receiving crypto: avoid grabbing your deposit address from your transaction history. Instead, always use the Receive button in Ledger Live then carefully check the address displayed in Ledger Live on your Ledger device. The addresses should match exactly. If they are different, immediately abort the transaction and contact support via the Contact us button on this page.
- Sending crypto: also avoid grabbing the destination address from your transaction history in Ledger Live. Before sending your coins out, always carefully verify that the destination address exactly matches the one displayed on your Ledger device. You might need to verify every single character, not just the first and last 4 characters.