Clipboard-Hijacking Malware Disguised as Coinbase Software
Criminals distribute malware posing as a Coinbase desktop app or Coinbase Wallet extension update; once installed, it silently replaces copied crypto wallet addresses with the attacker's address at the moment of pasting.
Part of: Clipboard Hijacker Crypto Scams
Last reviewed: 8 June 2026
Clipboard-hijacker malware is one of the most financially damaging threats in the crypto space precisely because it operates invisibly. The victim copies a wallet address to send a legitimate transfer, but by the time they paste it into the destination field, the address has been silently swapped for one controlled by the attacker. The transaction looks normal until it confirms on-chain — at which point the funds are irretrievably gone.
Scammers distribute this malware by impersonating Coinbase. Fake 'Coinbase Desktop Pro' installers appear on lookalike download pages, and fraudulent browser-extension updates claiming to be Coinbase Wallet circulate through unofficial stores and phishing emails warning of an 'urgent security patch.' Victims who download and run the installer receive functional-looking software alongside the hidden clipboard monitor.
Coinbase does not distribute standalone desktop trading software outside of its mobile app and web browser extension, both available only through official channels. Any installer found on a third-party site is not from Coinbase.
How this scam works on the Coinbase brand
The malware delivery chain typically starts with a phishing email or a Google ad for 'Coinbase Pro download' that ranks above the genuine search results. The landing page mirrors coinbase.com precisely, offering a Windows or macOS installer. The installer may even display a valid-looking code-signing certificate purchased from a CA under a shell company name.
Once running, the clipboard hijacker monitors the system clipboard every few hundred milliseconds. When it detects a string matching the pattern of an Ethereum, Bitcoin, Solana, or other blockchain address, it replaces the clipboard contents with one of the attacker's pre-programmed addresses. The substitution is instant and invisible — there is no popup, no slowdown, and no obvious sign of infection.
Real Coinbase Wallet is a browser extension available only from the Chrome Web Store and Firefox Add-ons under the publisher 'Coinbase.' The Coinbase mobile app is available only from the Apple App Store and Google Play. Coinbase does not offer a standalone PC trading application that requires a separate download.
Common red flags
- Downloaded a 'Coinbase Pro' or 'Coinbase Desktop' installer from any site other than the official coinbase.com
- Browser extension for Coinbase Wallet was installed from a source other than the Chrome Web Store or Firefox Add-ons with publisher 'Coinbase'
- After double-checking the clipboard, the pasted wallet address does not match what you copied
- Security software flags the installer or the extension as potentially unwanted software
- The installer file is significantly larger or smaller than the genuine Coinbase Wallet extension package
- Computer runs slower or shows unusual CPU activity after installing what appeared to be Coinbase software
How to protect yourself
- Download Coinbase Wallet exclusively from the Chrome Web Store (publisher: Coinbase), Firefox Add-ons, Apple App Store, or Google Play — never from a third-party site
- Always triple-check a pasted wallet address character by character, especially the first and last four characters, immediately before confirming a transaction
- Use a hardware wallet that displays the destination address on its own screen for final confirmation — clipboard hijackers cannot alter the address shown on the hardware device
- Run reputable antivirus software with real-time protection enabled; many leading products now detect clipboard-monitoring behavior
- If you suspect infection, perform a full malware scan, revoke any token approvals, and move assets to a wallet on a clean device
How to report it
- Report the malicious installer or extension URL to Coinbase at [email protected]
- Submit the file to VirusTotal (virustotal.com) and report it to your antivirus vendor
- File a complaint with IC3.gov (US) or Action Fraud (UK) at actionfraud.police.uk, providing the download URL and transaction hash
- Report fake browser extensions to the Chrome Web Store team via the extension's report-abuse link
Frequently asked questions
Does Coinbase offer a downloadable desktop trading application?
No. Coinbase's primary products are its web platform at coinbase.com, its mobile app available through official app stores, and the Coinbase Wallet browser extension. There is no official standalone Coinbase desktop installer. Any such download is fraudulent.
How do I check if my clipboard is being hijacked?
Copy a wallet address you control, then paste it into a plain text editor before using it in a transaction. Compare the pasted address character by character to what you copied. If they differ, your clipboard may be compromised.
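The copy-and-compare check above can be scripted. This is an added example, not code from Coinbase or from the original page; it goes slightly beyond the manual check by reporting where the two strings first differ and whether one well-formed address was replaced by another. The patterns only check the shape of an address (no checksum validation), and the sample addresses are constructed.

```python
import re

# Shape-only patterns for the chains the article names. A legacy Bitcoin
# address can also fit the Solana shape, so Bitcoin is tested first.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "bitcoin-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "solana": re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
}

def classify(value):
    """Return the first address format the whole string matches, or None."""
    text = value.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None

def check_paste(copied, pasted):
    """Compare what was copied with what was pasted and describe any difference."""
    copied, pasted = copied.strip(), pasted.strip()
    result = {"copied_type": classify(copied), "pasted_type": classify(pasted),
              "match": copied == pasted, "first_diff": None, "verdict": "ok"}
    if result["match"]:
        return result
    # Index of the first differing character (the shorter length if one is a prefix).
    limit = min(len(copied), len(pasted))
    result["first_diff"] = next(
        (i for i in range(limit) if copied[i] != pasted[i]), limit)
    if result["copied_type"] and result["pasted_type"]:
        # One well-formed address became a different well-formed address.
        result["verdict"] = "address-swapped"
    else:
        result["verdict"] = "mismatch"
    return result

# Constructed sample values (not real wallets). SWAPPED keeps the same first
# and last four hex characters as COPIED but differs in the middle.
COPIED = "0x" + "ab12" * 10
SWAPPED = "0x" + "ab12" + "cd34" * 8 + "ab12"

if __name__ == "__main__":
    print(check_paste(COPIED, COPIED))
    print(check_paste(COPIED, SWAPPED))
```

The second sample shows why the full character-by-character comparison matters: the two addresses agree at both ends and only diverge at index 6.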
Can I recover funds sent to the wrong address because of clipboard hijacking?
In almost all cases, no. Blockchain transactions to the wrong address are irreversible. Even if you notice the error before the transaction confirms, you cannot cancel it. Focus on securing your device and preventing further losses.