MetaMask Clipboard Hijacker Malware Scams
Clipboard-hijacking malware targets MetaMask users by silently replacing copied wallet addresses with attacker-controlled ones at the moment of pasting. Installing MetaMask from any source other than the official browser store is a primary infection vector.
Last reviewed: 7 June 2026
Clipboard hijacking is a form of malware that monitors the system clipboard for cryptocurrency address patterns. When it detects that a wallet address has been copied, it silently replaces it with one of the attacker's addresses. The victim pastes what they believe is the correct destination address into MetaMask, unaware that the address has been swapped.
The MetaMask brand is involved in clipboard hijacker scams in two ways: first, fake MetaMask extensions and downloads can carry clipboard hijacker payloads; second, clipboard hijackers target MetaMask specifically because it is the most common interface for sending crypto transactions on Ethereum and compatible chains.
Because blockchain transactions are irreversible, the moment a user confirms a send in MetaMask to a hijacked address, the funds are gone. The attack requires no social engineering at the moment of execution — it is entirely automated once the malware is installed. Prevention focuses on keeping devices clean and verifying addresses manually.
How this scam works on the MetaMask brand
A user searching for MetaMask support or troubleshooting articles clicks on a search result pointing to a fake MetaMask help site. The site offers a 'MetaMask fix tool' or 'MetaMask offline installer' download. Installing the file deploys clipboard hijacker malware alongside a benign-looking process.
Days or weeks later, when the user copies a wallet address to send ETH or tokens via MetaMask, the malware silently replaces the address in the clipboard. The user pastes, glances at the first and last few characters — which may appear similar to the intended address — and confirms the transaction. The funds go to the attacker.
A genuine MetaMask installation does not include any clipboard-monitoring functions. The MetaMask extension — from the official Chrome Web Store, published by MetaMask — contains no payload that interacts with the system clipboard in this manner. Any MetaMask download from a third-party source should be considered potentially compromised.
Common red flags
- A MetaMask download link from any source other than metamask.io or the official browser extension store
- Cryptocurrency transactions arriving at unexpected addresses even though you are sure you copied the correct one
- A 'MetaMask fix tool,' 'MetaMask installer,' or 'MetaMask patch' offered as a standalone download
- System processes with names similar to MetaMask running on your device that you did not install
- Address-format strings in your clipboard containing characters different from the address you copied
How to protect yourself
- Always verify the full wallet address before confirming a MetaMask transaction — check every character, not just the start and end
- Install MetaMask exclusively from the official Chrome, Firefox, or Brave extension stores via metamask.io
- Never download 'MetaMask fix' or supplementary MetaMask tools from third-party sites
- Run a reputable antivirus and anti-malware scan if you suspect clipboard hijacking
- For high-value transactions, use a hardware wallet that displays the address on the device screen for independent verification
- Use keyboard shortcuts that show clipboard content before pasting to visually confirm the address
How to report it
- Report the fake MetaMask download site to MetaMask at support.metamask.io
- Report to IC3.gov (US) or Action Fraud (UK)
- Report the fake site to Google Safe Browsing
- Report the malicious file to your antivirus vendor's threat intelligence portal
Frequently asked questions
How do I know if I have clipboard hijacking malware?
Copy a wallet address, then paste it into a text editor. If the pasted result does not match what you copied, clipboard hijacking malware is likely active. Run a full system scan with a reputable anti-malware tool.
Can the MetaMask extension itself get infected?
The legitimate MetaMask extension from the official store has a strong security record. Infection typically comes from fake extensions with similar names installed from third-party sources, or from system-level malware that operates independently of the extension.
Will MetaMask warn me if the pasted address differs from what I copied?
MetaMask does not have a clipboard comparison feature. The responsibility to verify addresses rests with the user. Always check the full address on the MetaMask confirmation screen before clicking Confirm.
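The copy-and-paste test and the every-character check described above can be done mechanically rather than by eye. The following Python script is an added example, not part of the original page and not MetaMask code: it compares the address you intended with the one that was actually pasted and flags a swap that keeps the same first and last characters. The function names and sample addresses are constructed for illustration, and the check assumes the 0x-prefixed, 40-hex-character address format without validating the mixed-case checksum.

```python
import re

# Ethereum-style address: "0x" followed by 40 hex characters (assumed format).
ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def compare_addresses(intended: str, pasted: str, edge: int = 4) -> dict:
    """Compare the address you meant to use with what was actually pasted."""
    intended, pasted = intended.strip(), pasted.strip()
    for label, value in (("intended", intended), ("pasted", pasted)):
        if not ADDRESS_RE.match(value):
            raise ValueError(f"{label} value is not a 0x + 40 hex character address")

    # Letter case only encodes a checksum, so compare case-insensitively.
    a, b = intended.lower(), pasted.lower()
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    # Same first/last `edge` hex characters: a start-and-end glance would pass.
    edges_match = a[2:2 + edge] == b[2:2 + edge] and a[-edge:] == b[-edge:]
    return {
        "match": not diff,
        "differing_positions": diff,
        "passes_glance_check": edges_match,
        "lookalike_swap": bool(diff) and edges_match,
    }


def marker_line(result: dict, length: int = 42) -> str:
    """Build a caret line pointing at every character that differs."""
    marks = set(result["differing_positions"])
    return "".join("^" if i in marks else " " for i in range(length))


if __name__ == "__main__":
    # Constructed sample values, not real wallet addresses.
    intended = "0x" + "ab12" + "0" * 32 + "cd34"
    pasted = "0x" + "ab12" + "f" * 32 + "cd34"
    result = compare_addresses(intended, pasted)
    print(intended)
    print(pasted)
    print(marker_line(result))
    if result["lookalike_swap"]:
        print("MISMATCH: start and end agree, but the middle differs.")
    elif not result["match"]:
        print("MISMATCH: pasted address differs from the intended one.")
    else:
        print("OK: every character matches.")
```

Take the intended address from a source other than the clipboard, such as the recipient's own message or a hardware wallet screen, so both inputs cannot be altered by the same swap.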