Introduction
Address privacy is one of those topics that sounds abstract until you lose financial privacy on-chain. I remember the first time I reused an address to simplify bookkeeping: transactions started clustering, and tracking down an old payment became a headache. In my testing I’ve watched how small choices—like reusing a receive address—turn into long-term traceability problems.
This guide explains how address visibility works with a Ledger hardware wallet, why change addresses matter, and what on-chain analytics can (and cannot) reveal. Expect practical steps you can follow (step-by-step) and real trade-offs—because privacy often competes with convenience.
How address generation works
At a high level the device stores private keys in its secure element and derives public keys from your seed phrase (BIP-39). Wallet software then derives receive and change addresses from those public keys using standard derivation paths.
Short version: the hardware wallet keeps private keys offline. The companion app does the address generation and blockchain scanning. Longer version: the companion requests public keys (or reads them) and derives many addresses deterministically so it can show balances without exposing private keys.
Why does this matter? Because the device will show an address on its screen for you to verify. The host computer or phone usually has a list of addresses it generated. If those two match, you’re safe to receive funds.
What the device shows vs what others see
The device displays the address you should accept. Always confirm that string on the device screen before trusting a receive address shown in the app. I test this every time.
But what others see on-chain is different. Every address and every transaction output is public. If you reuse an address, anyone with a block explorer can connect payments to that address forever. If you frequently use the same receiving address, you lose privacy.
And yes, exchange withdrawals and merchant integrations sometimes encourage reuse for convenience. That convenience has a cost.
Address reuse: risks and real examples
Reusing addresses links all associated transactions together. That means your inflows and outflows can be clustered by analytics firms. Want an example? Suppose you receive payroll to one address and later spend from it; the inputs and outputs in a single transaction are often assumed to belong to the same owner. That heuristic exposes connections.
I’ve seen users who accepted recurring invoices to the same address end up with a public transaction history revealing income streams. Avoid reuse unless you understand the trade-offs.
Change addresses: how they work and how to verify (Step by step)
Change addresses receive the leftover funds when you spend. They are generated by your wallet software from the same account; they are not the receiving address you gave to someone.
Why check change? Because some wallets show the change address in the history, and others do not, which can confuse users into thinking funds moved to a known address.
Step by step: verify change addresses and receive addresses
- Open your wallet companion app and select the account. (See the ledger-live guide for a walkthrough.)
- Click "Receive" to generate a fresh receiving address.
- Verify the full address on the device screen before sharing it. If the addresses don’t match, cancel the operation.
- After spending, inspect the transaction details in the app or a block explorer to identify outputs. The output that returns the remainder is the change address.
- If you want extra certainty, export the raw transaction and check inputs/outputs with an independent tool (advanced users only).
If the companion software is showing a different address than the device screen, treat that as suspect and investigate.
Address analytics and deanonymization techniques
Blockchains are public ledgers. Analytics firms use heuristics like the common-input-ownership heuristic (assume inputs in a transaction belong to one wallet) and change heuristics (identify likely change outputs) to cluster addresses.
What can you do? Coin control and avoiding address reuse help. Coinjoin-style techniques can obfuscate history but add complexity and sometimes service risk. Multisig can improve security but also creates identifiable output patterns on-chain that analysts can spot.
Remember: no single tactic is perfect. What I've found is that layered strategies work best—small, consistent steps rather than one silver-bullet fix.
Privacy trade-offs: passphrase, multisig, and account structure
Passphrase (the so-called 25th word) creates hidden accounts. They can be powerful for privacy and plausible deniability, but they also introduce an extra point of failure: if you forget the passphrase, funds are irrecoverable. I believe passphrases are useful for advanced users who document them carefully.
Multisig increases security by requiring multiple keys to move funds. It can help privacy by splitting control, but multisig outputs are often recognizable on-chain which can reduce anonymity. Also, multisig requires compatible wallet software—see our multisig for ledger guide.
Smaller accounts and purpose-specific addresses (one account per type of income or service) can help compartmentalize your history. But compartmentalization adds operational overhead.
Practical checklist: minimize address visibility
- Always verify receive addresses on the device screen.
- Use a fresh receive address for each counterparty when possible.
- Avoid merging unrelated UTXOs in a single spend (coin control helps).
- Consider a passphrase (25th word) only after planning recovery and documentation. See passphrase-25th-word-guide.
- For long-term holdings consider multisig and geographic distribution—read cold-storage strategy.
| Feature |
Visible on device? |
Privacy risk |
| Receive address |
Yes (can verify) |
Low if not reused |
| Change address |
Sometimes (in history) |
Medium (links inputs/outputs) |
| xpub exposure (host/software) |
No (unless exported) |
High if shared |
| Passphrase accounts |
Depends |
Low if secret; high recovery risk |
Who this wallet is for - and who should look elsewhere
Who this hardware wallet suits: people who want a balance of security and convenience with a clear device screen for address verification, plus users who are comfortable using companion software for account management.
Who should look elsewhere: users who need fully air-gapped workflows with open-source firmware or users who prioritize privacy above usability and are willing to maintain complex procedures. If that’s you, check our advanced-air-gapped and seed-phrase-management guides for alternatives.
FAQ
Q: Can I recover my crypto if the device breaks?
A: Yes—if you have your seed phrase and any passphrase documented. See restore-recovery-phrase.
Q: Why does my wallet show a change address after spending?
A: Because the wallet returns leftover funds to a newly derived change address. That’s normal, but it links inputs and outputs if you don’t use coin control.
Q: Is Bluetooth safe for a hardware wallet?
A: Bluetooth has trade-offs. See bluetooth-usb-nfc-security for a full breakdown.
Q: What happens if the company goes bankrupt?
A: Your private keys are yours. See company-bankruptcy-what-happens for scenarios and recommended planning.
Conclusion & next steps
Address visibility and change addresses matter because they shape how your on-chain history appears to others. I’ve seen good habits prevent uncomfortable exposures. Small steps—verify addresses on-device, avoid reuse, and think about passphrase and multisig—go a long way.
If you want step-by-step checks, start with our setup-ledger-step-by-step and then read the passphrase-25th-word-guide. For deeper dives into multisig and air-gapped options see multisig-for-ledger and advanced-air-gapped.
Curious about transaction details or unsure if a transaction exposed links? Ask in the comments or check our faq and common-mistakes-phishing pages for troubleshooting tips.
