This article explains why sometimes you may see unknown NFT in Ledger Live being sent without your approval.
Address Poisoning Attack
Some users may see some outgoing transactions of unknown NFTs from their wallets. These transactions are part of so-called address poisoning attack scams.
Very important to understand that these NFTs were not on your address in the first place and your address/account is not at risk.
How it works
- The scammer creates a smart contract of this malicious NFT.
- Next, scammer "mints" NFT to thousands of addresses they take from the blockchain explorers. Within the same function as the malicious smart contract, they use a special function to transfer the NFTs from these addresses.
- As a result, you see the outgoing transfer of this NFT from your address though this NFT was never on your address/account in the first place.
Example
If we dive into these transactions and how they look on a blockchain explorer, we will see the following:
If we check the last 3 transactions, it may look like an OUT transfer though there is no IN transfer of the same ERC-1155 NFT. Thanks to the smart contract function, it was possible to emulate it to look like a transfer out but the NFT was never there in the first place.
How to be safe
Here are the recommendations on how to remain safe and not put yourself at risk
- Ignore these transactions and don't open the links they may contain.
- Do not copy the addresses from these transactions. Very often these scam transactions may contain addresses very similar to yours and by mistake, some users send funds to these addresses.
- If you only received an unknown NFT, here are our recommendations on how to interact with this NFT.
- Never share your 24-word recovery phrase if you ended up on some website or app that looks similar to the official. We will never ask you to compromise yourself by sharing the 24-word recovery phrase.
- Never sign anything you are not sure about. Always remember, if something looks too good to be true, it usually is.