Clipboard Hijacker
Malware that monitors the system clipboard and silently replaces any copied cryptocurrency address with the attacker's address at the moment of pasting.
Also known as: clipper malware, address substitution malware, crypto clipboard malware
Last reviewed: 10 June 2026
Clipboard hijacker malware runs silently in the background, watching for patterns that look like cryptocurrency addresses. When one is detected in the clipboard (typically placed there by a copy action), it is instantly replaced with an attacker-controlled address. The victim, not checking after pasting, sends the transaction to the wrong destination.
This attack is particularly effective because users who are security-conscious enough to double-check addresses may verify at the time of copying, but the replacement happens at paste time, after that verification. Without re-checking, the discrepancy goes unnoticed.
The defence is always to verify the pasted address against the original source after pasting, not just at the time of copying. The first four and last six characters are the minimum to check; high-value transactions warrant verifying the full address. Keeping systems free of pirated software (a common malware delivery vector) and using reputable security software reduces infection risk.