Clipboard Hijacking
Malware that replaces a copied wallet address with the attacker's address, redirecting crypto payments.
Clipboard hijacking is a malware attack that monitors a device's clipboard for cryptocurrency wallet addresses and silently replaces them with an attacker-controlled address. When the victim pastes what they believe is their own address, they unknowingly send funds to the attacker.
How It Works
Clipboard hijacking malware (also called a clipper or clipboard replacer) runs silently in the background on an infected device. It monitors the system clipboard using OS APIs and uses pattern matching — typically regex — to detect when a cryptocurrency address is copied. Crypto addresses have distinctive formats: Ethereum addresses start with 0x followed by 40 hex characters, Bitcoin addresses start with 1, 3, or bc1, and Solana addresses are 32-44 base58 characters.
When the malware detects a copied crypto address, it instantly replaces it with a pre-configured attacker address. The replacement happens in milliseconds, and the user sees no visual indication that the clipboard content has changed. When they paste the address into a send transaction, they unwittingly paste the attacker's address instead of the intended recipient.
Advanced clipper malware maintains a database of attacker addresses that visually resemble common address prefixes or suffixes, making the substitution harder to detect even if the user partially verifies the pasted address. Some variants specifically target exchanges and wallet applications, activating only when these programs are in the foreground.
Why It Matters
Clipboard hijacking is especially dangerous because it exploits a behavior that every crypto user performs regularly — copying and pasting addresses. The attack requires no interaction with smart contracts, no phishing site, and no social engineering. Once the malware is installed, every address the user copies is a potential theft opportunity.
Prevention includes always verifying the full pasted address against the original before confirming a send transaction, using hardware wallets that display the recipient address on a trusted screen, using address book features in wallets to avoid manual copying, and maintaining strong device security with updated antivirus software. QR code scanning instead of copy-paste also bypasses clipboard attacks.
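The full-address check recommended above can be automated on the wallet or user side. The following is an added example, not code from this page or from any wallet project: classify() and verify_paste() are hypothetical names, the patterns test format only (no checksum), and the Bitcoin length bounds are standard values that this page does not state.

```python
import re

# Format-only patterns (no checksum validation). Bitcoin is tested before
# Solana because a legacy Bitcoin address is also valid base58 of similar length.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin": re.compile(r"bc1[ac-hj-np-z02-9]{11,71}|[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "solana": re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
}

def classify(addr):
    """Return the address family whose format matches, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(addr):
            return kind
    return None

def verify_paste(intended, pasted, glance=6):
    """Compare the full pasted value with the intended address.

    glance is how many leading/trailing characters a user typically eyeballs;
    a value that matches only there is reported as a lookalike.
    """
    a, b = intended.strip(), pasted.strip()
    kind = classify(a)
    if kind is None:
        raise ValueError("intended value is not a recognised address format")
    if kind == "ethereum":  # hex is case-insensitive; base58 is not
        a, b = a.lower(), b.lower()
    if a == b:
        return {"verdict": "match", "kind": kind, "first_diff": None}
    # Index of the first differing character, for highlighting in a UI.
    first_diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                      min(len(a), len(b)))
    lookalike = first_diff >= glance or a[-glance:] == b[-glance:]
    return {"verdict": "lookalike" if lookalike else "mismatch",
            "kind": kind, "first_diff": first_diff}

# Constructed sample values (not real wallets).
INTENDED = "0x52a1" + "c" * 30 + "9f3e7b"
LOOKALIKE = "0x52a1" + "d" * 30 + "9f3e7b"   # same head and tail, different middle
UNRELATED = "0x" + "7" * 40

if __name__ == "__main__":
    for label, value in [("same", INTENDED), ("lookalike", LOOKALIKE), ("unrelated", UNRELATED)]:
        print(label, verify_paste(INTENDED, value))
```

A "lookalike" verdict is the case a quick glance at the first and last characters would miss; first_diff gives the position to highlight for the user.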
Real-World Example
A user downloads a seemingly legitimate crypto trading tool from an unofficial source. The installer bundles clipboard hijacking malware. Later, the user copies their Binance deposit address to transfer ETH from MetaMask. The malware swaps the address in the clipboard. The user pastes the address, glances at the first few characters (which match), and confirms the transaction. The ETH is sent to the attacker's wallet instead of Binance. The loss is only discovered when the deposit never arrives.
Related Terms
Private Key
A secret cryptographic string that grants full control over a wallet's funds; losing it means losing the wallet permanently.
Phishing (Crypto)
A social engineering attack where scammers impersonate legitimate projects or exchanges to steal wallet credentials or seed phrases.
Drainer (Crypto Scam)
A malicious smart contract or phishing tool designed to steal all tokens and NFTs from a wallet upon approval.
Hardware Wallet
A physical device (e.g., Ledger, Trezor) that stores private keys offline, protecting funds from online attacks.
Two-Factor Authentication (2FA)
A security mechanism requiring a second form of verification (e.g., authenticator app) in addition to a password for exchange accounts.
Frequently Asked Questions
Common questions about Clipboard Hijacking in cryptocurrency and DeFi.
Copy a crypto address and paste it into a text editor — if the pasted address differs from the original, your clipboard is compromised. Run a full scan with reputable antivirus software. On Windows, check Task Manager for suspicious background processes. On mobile, review recently installed apps and permissions. If confirmed, do not send any transactions until the malware is removed.
Yes, clipboard hijacking malware exists for both Android and iOS, though iOS infections are much rarer due to stricter app sandboxing. Android users should only install apps from the Google Play Store and review clipboard access permissions. Using a hardware wallet for transaction signing provides protection regardless of whether the phone is compromised.
Yes, hardware wallets are one of the best defenses. Devices like Ledger and Trezor display the recipient address on their trusted screen before signing. By verifying the address on the hardware wallet screen matches the intended recipient, you can catch clipboard substitutions. Always check the full address, not just the first and last few characters.