Ledger & Trezor AML Scan on Windows (Read-Only)
Hardware wallets are the gold standard for self-custody, but they do not come with built-in crypto AML screening. Before you consolidate UTXOs, send a large payment, or deposit to a CEX, you need visibility into every derived address — not just the one you remember using. This guide explains how to connect Ledger or Trezor to a Windows desktop app in read-only wallet mode, run OFAC sanctions and mixer exposure checks across your portfolio, and do it without ever typing your seed phrase into software.
Why paste-only screening is not enough for cold storage
Most free AML tools accept a single pasted address. That works for a one-off bitcoin address check, but hardware wallets derive dozens or hundreds of addresses across account indices, change chains, and multiple coin types. Funds you received two years ago may sit on address #47 while you only monitor address #1 in your portfolio tracker.
When you later sweep those dormant UTXOs to an exchange, the exchange's compliance tooling traces the full input graph of the deposit, not just the deposit address. A tainted input you had forgotten about can trigger a deposit freeze even if your "main" receiving address looked clean. A portfolio-level scan closes that blind spot.
What "read-only" means in practice
A legitimate read-only wallet connection derives public keys and addresses from your hardware device via USB, or imports an xpub/zpub you export from Ledger Live or Trezor Suite, and has no signing capability. One caveat: an account-level xpub lets whoever holds it enumerate every past and future address of that account. It cannot spend, but it can deanonymize, so share it only with tooling you trust. The AML application can:
- Enumerate all derived receive and change addresses for Bitcoin, Ethereum, and supported assets.
- Query on-chain history and risk labels for each address.
- Aggregate hop analysis and mixer exposure scores across the portfolio.
It cannot:
- Spend your funds or sign transactions (unless you explicitly approve on the device in a separate signing workflow).
- Access your seed phrase. The seed never leaves the device; neither read-only derivation nor a legitimate signing workflow exports it.
Never enter your 12- or 24-word recovery phrase into any AML tool, browser extension, or "portfolio scanner." Scammers routinely impersonate screening services to drain wallets. A legitimate tool needs only USB read-only derivation or an xpub import; anything that presents a text box for seed words is a phishing page, whatever it calls itself.
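The read-only boundary described above is just BIP32 public child derivation. As an added illustration (not AegisAML, Ledger or Trezor code), the following pure-Python block derives receive and change public keys from an account xpub the way a watch-only scanner does, and shows the two things an xpub can never do: reach a hardened index or reach a private key. The seed is a constructed demo value so the example runs without hardware. The base58 "xpub..." wrapper (version, depth, parent fingerprint, child number, chain code, compressed key, checksum) and the final hash160/bech32 address encoding are omitted; the xpub is handled as a (public key point, chain code) pair. The curve arithmetic is naive and not constant-time, which is irrelevant for public-key-only work but rules it out for anything that holds a private key.

```python
# Added example, not AegisAML, Ledger or Trezor code: BIP32 public child
# derivation (CKDpub) over secp256k1, the computation a watch-only scanner runs
# on an exported xpub.  The base58 "xpub..." wrapper is omitted; an xpub is
# handled here as the pair (pubkey_point, chain_code).  Demo only.
import hashlib
import hmac

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 1 << 31  # indices >= 2^31 are hardened (written 0', 44', ...)

def _add(p1, p2):
    """Affine secp256k1 point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def _mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def compress(pt):
    """33-byte SEC1 compressed encoding, the form stored inside an xpub."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def master_from_seed(seed):
    """BIP32 master private key and chain code; only the device ever holds this."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return int.from_bytes(I[:32], "big"), I[32:]

def ckd_priv(k, c, i):
    """Private child derivation: what the hardware wallet does internally."""
    if i >= HARDENED:
        data = b"\0" + k.to_bytes(32, "big") + i.to_bytes(4, "big")
    else:
        data = compress(_mul(k, G)) + i.to_bytes(4, "big")
    I = hmac.new(c, data, hashlib.sha512).digest()
    return (int.from_bytes(I[:32], "big") + k) % N, I[32:]

def ckd_pub(K, c, i):
    """Public child derivation: all a watch-only tool has.  No private key is
    involved, and hardened indices are unreachable by construction."""
    if i >= HARDENED:
        raise ValueError("an xpub cannot derive hardened children")
    I = hmac.new(c, compress(K) + i.to_bytes(4, "big"), hashlib.sha512).digest()
    return _add(_mul(int.from_bytes(I[:32], "big"), G), K), I[32:]

def enumerate_pubkeys(xpub, count):
    """Receive (chain 0) and change (chain 1) keys under an account xpub for
    indices 0..count-1, as compressed hex.  hash160 of each key, base58- or
    bech32-encoded, is the on-chain address (encoding omitted here)."""
    K, c = xpub
    out = {}
    for chain in (0, 1):
        Kc, cc = ckd_pub(K, c, chain)
        out[chain] = [compress(ckd_pub(Kc, cc, i)[0]).hex() for i in range(count)]
    return out

def derive_private(seed, path):
    """Walk a path with the private key (device-side).  Used only to build the
    demo xpub and as a test oracle; a scanner never does this."""
    k, c = master_from_seed(seed)
    for i in path:
        k, c = ckd_priv(k, c, i)
    return k, c

def account_xpub_from_seed(seed, account=0):
    """Stand-in for the device export of m/44'/0'/account' (BIP44 legacy path)."""
    k, c = derive_private(seed, (44 | HARDENED, 0 | HARDENED, account | HARDENED))
    return _mul(k, G), c

def pubkey_via_private_path(seed, account, chain, index):
    """Oracle: the same key reached through the private path, showing the xpub
    route lands on the identical key without ever touching the seed."""
    k, _ = derive_private(seed, (44 | HARDENED, 0 | HARDENED, account | HARDENED, chain, index))
    return compress(_mul(k, G)).hex()

DEMO_SEED = bytes(range(32))  # constructed demo value, not a real seed
```

`account_xpub_from_seed` plays the role of the device export; everything a scanner needs happens in `ckd_pub` and `enumerate_pubkeys`, which never see `DEMO_SEED`. The oracle `pubkey_via_private_path` exists only to demonstrate that the public route lands on the same key; a real scanner has no seed to call it with. The privacy consequence is visible in the same code: the pair returned by `account_xpub_from_seed` is enough to list address #47 and every index after it.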
Step-by-step: Ledger AML scan on Windows
- Install AegisAML — Download from the official site. See our free AML screening for Windows guide for setup details.
- Connect Ledger via USB — Unlock the device with your PIN. Open the Bitcoin or Ethereum app on the device as prompted.
- Select read-only portfolio scan — Choose your coin type (BTC native segwit, ETH, etc.) and account index.
- Wait for address enumeration — The app derives addresses and fetches on-chain history. Large wallets with years of activity take longer.
- Review the risk report — Check OFAC sanctions hits, mixer exposure flags, and hop distance summaries per address cluster.
- Prioritize remediation — Isolate tainted UTXOs, document clean sources, or consult compliance guidance before CEX deposits.
Ledger Nano S Plus, Nano X, and Stax follow the same workflow. The Nano X's Bluetooth is intended for Ledger Live Mobile; on a Windows desktop, connect over USB for AML scans.
Step-by-step: Trezor AML scan on Windows
- Connect Trezor Model One or Model T via USB — Enter your device PIN on the Trezor screen.
- Authorize public key export — The device prompts you to confirm sharing the extended public key. This is standard for watch-only wallets.
- Run the portfolio scan — AegisAML maps derived addresses and queries crypto AML risk databases.
- Scan each passphrase wallet separately — A passphrase ("hidden wallet") produces a different seed and therefore a different xpub, so the standard wallet and every hidden wallet you use each need their own scan. Where the model supports it, enter the passphrase on the device screen rather than on the Windows host.
- Export results — Save reports before depositing to a CEX.
Trezor Suite users can alternatively export an account-level xpub and import it into the AML tool if Trezor Suite, which keeps a session open on the device while it runs, conflicts with the USB connection. Close Suite before scanning to avoid USB lock contention on Windows.
What the scan detects across your portfolio
A full hardware wallet audit covers the same risk categories as single-address screening, applied at scale:
- OFAC sanctions — SDN-listed wallets in your inbound transaction history.
- Mixer exposure — Bitcoin CoinJoin adjacency and Ethereum Tornado Cash proximity.
- Hop analysis — Short-hop paths to hack, scam, and dark-market clusters.
- Dormant high-risk UTXOs — Old inputs you forgot about that will merge when you spend.
- Ethereum token paths — ERC-20 USDT and altcoin transfers with tainted counterparties. See Ethereum address AML risk check for EVM specifics.
The aggregated view shows which account indices need attention before you consolidate or move large balances.
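Hop analysis, and the point that dormant UTXOs merge their histories when you spend them, can be made concrete with a small graph. The following added example (not AegisAML's scoring logic, whose databases and thresholds are not described on this page) runs a breadth-first walk backwards over a constructed set of fund flows with placeholder addresses and labels, reports the closest labelled ancestor for each of your addresses, and then computes what a consolidation of several inputs inherits. The severity ordering (sanctions outrank mixer exposure, then closer hops rank worse) is an assumption chosen for the demo.

```python
# Added example, not AegisAML code: hop analysis over a constructed transaction
# graph, and what that exposure becomes when dormant UTXOs are merged into one
# spend.  Addresses, edges and labels below are placeholders, not real data.
from collections import deque

# Constructed flow graph: (sender, receiver) means funds moved in that direction.
EDGES = [
    ("sdn_wallet", "hop1"), ("hop1", "hop2"), ("hop2", "my_addr_47"),  # dormant receive address
    ("mixer_out", "exchange_a"), ("exchange_a", "my_addr_1"),          # main receive address
    ("clean_src", "payroll"), ("payroll", "my_addr_2"),                # clean history
]
RISK_LABELS = {"sdn_wallet": "OFAC_SDN", "mixer_out": "mixer"}
SEVERITY = {"OFAC_SDN": 0, "mixer": 1}  # assumed ordering: lower is worse, sanctions first

def reverse_index(edges):
    """Map each receiver to its senders, so we can walk inbound history."""
    rev = {}
    for src, dst in edges:
        rev.setdefault(dst, []).append(src)
    return rev

def nearest_risk(address, rev, labels=RISK_LABELS, max_hops=5):
    """Breadth-first walk backwards through inbound funds.  Returns
    (hops, label, source) for the closest labelled ancestor within max_hops,
    or None.  A direct payment from a labelled address counts as 1 hop."""
    seen, queue = {address}, deque([(address, 0)])
    while queue:
        node, hops = queue.popleft()
        if node in labels:
            return (hops, labels[node], node)
        if hops == max_hops:
            continue
        for sender in rev.get(node, ()):
            if sender not in seen:
                seen.add(sender)
                queue.append((sender, hops + 1))
    return None

def consolidation_exposure(inputs, rev, labels=RISK_LABELS, max_hops=5):
    """Exposure a consolidation transaction inherits: spending several UTXOs
    together joins their histories, so the merged output carries the worst
    finding among all inputs (ranked by severity, then by hop distance).
    Returns (per-input findings, worst finding or None)."""
    findings = {addr: nearest_risk(addr, rev, labels, max_hops) for addr in inputs}
    hits = [f for f in findings.values() if f is not None]
    worst = min(hits, key=lambda f: (SEVERITY[f[1]], f[0]), default=None)
    return findings, worst

if __name__ == "__main__":
    rev = reverse_index(EDGES)
    mine = ["my_addr_1", "my_addr_2", "my_addr_47"]
    for addr in mine:
        print(addr, nearest_risk(addr, rev))
    print("sweep of all three inherits:", consolidation_exposure(mine, rev)[1])
```

Run on the constructed graph, `my_addr_2` is clean on its own, `my_addr_1` sits two hops from a mixer, and the forgotten `my_addr_47` is three hops from an SDN-listed wallet; a sweep that pulls all three into one transaction is reported with the SDN finding, which is exactly the consolidation risk the list above warns about. Raising or lowering `max_hops` shows how a scanner's hop cutoff changes what it surfaces.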
Security checklist before connecting your device
- Verify the installer against the hash or code-signing signature the publisher lists before running it.
- Confirm the app asks only for xpub/address derivation, never your seed phrase, and check the device screen whenever it prompts for a key export.
- Use a dedicated USB cable; avoid public charging stations for hardware wallet connections.
- Keep device firmware updated through Ledger Live or Trezor Suite to pick up fixes for published vulnerabilities, and confirm each firmware update on the device screen.
- Run Windows Update and maintain Defender or your preferred antivirus.
- Disconnect the device after the scan; do not leave it plugged in unattended.
When to rescan your hardware wallet
Rescan after every significant inbound payment, after interacting with a new DeFi protocol, and at least quarterly if you hold long-term. OFAC sanctions lists and mixer cluster databases change continuously. An address that was low-risk in January may show new hop linkages by June.
If you plan a large CEX withdrawal or deposit, run a fresh scan within 48 hours of the transfer. Exchanges update their risk models frequently; your last month's clean report may not reflect newly attributed hack funds in your transaction graph.
Scan Ledger or Trezor on Windows — read-only, free
AegisAML connects to Ledger and Trezor via USB for portfolio-level crypto AML screening. OFAC sanctions, mixer exposure, hop analysis. No seed requests.
Download AegisAML for Windows