Duplicate transactions in trezor suite

Hi guys, there is an interesting situation.

About two weeks ago, I initiated a test transaction from via Trezor suite to my centralized exchange usdc account. It got stuck, and I forgot about it.

Today I opened my trezor suite and saw not one, but six instances of that transaction with that test amountbut with different addresses. None of these reached my centralized exchange account. Since the major bulk of usdc just sit there I thought that it was a glitch.

So today I’ve initiated another test transaction with small amount of usdc to the same centralized exchange account. Almost immediately I saw another one in my trezor suite with the same amount to a different address as well. And a third one with 0 amount of tokents which was marked by trezor suite as potentially fraudulent .

When I saw that the first actual test tx has reached the exchange, I’ve sent the rest of the sum to it as well. After some delay it arrived there.

I’ve never opened any links, nor downloaded anything fishy. I can consider myself as a pretty cautious user. I’m on Linux, all previous transactions were conducted via built in trezor suite exchange features. The only unusual thing I did was taking an unfamiliar exchange offering, but again solely inside the trezor suite.

What could that be?

Ticket ID: 167224

Probably the only thing that was worth some attention is quite a number of scam tokens in that address. Of course I did not visit their sites or interacted with them in any other way.

And for some reason I started seeing not one but four USDC addresses inside token selection dropdowns. One actual with assets, rest three empty.

Hi @vapor,

it is a so-called address poisoning attack, more information can be found here: https://trezor.io/support/a/address-poisoning-attacks and also in this post: I have had the impossible happen according to reddit, please help

Scammers start to use also transactions with values (since zero-value transactions are labeled as potentially fraudulent). As they cannot move the real token out of your account (they don’t have a necessary private key), they created a new contract with tokens that has no real value and uses the same token symbol and similar name to confuse the victim.

1 Like