Clipboard-Hijacking Malware Disguised as Trezor Suite Software
Fraudulent Trezor Suite installers contain hidden clipboard-monitoring malware that swaps destination wallet addresses at the moment of pasting, causing unknowing victims to send funds to attackers.
Part of: Clipboard Hijacker Crypto Scams
Last reviewed: 8 June 2026
Trezor Suite is the official desktop and web application for managing Trezor hardware wallets. Because new Trezor hardware owners must install Trezor Suite as their first step, fake download pages that distribute trojanized installers find a natural audience of users who are actively setting up their device for the first time and are already expecting to install software.
The trojanized installers function as genuine Trezor Suite copies — device detection, firmware updates, and portfolio display all work normally — while a background process continuously monitors the system clipboard. When the victim copies a cryptocurrency address to send a transfer, the clipboard content is silently replaced with the attacker's address before the user pastes it into Trezor Suite's send field.
The critical danger here is that even hardware wallet users who do check the on-screen Trezor device confirmation can be fooled: if the address they pasted came from a hijacked clipboard, that wrong address appears in Trezor Suite's send field, and the same address is confirmed on the device. The hardware device cannot know the address is wrong; it only knows the user confirmed it.
How this scam works on the Trezor brand
The fake installer is distributed through search-engine sponsored ads for 'Trezor Suite download' or 'Trezor Suite latest version,' through phishing emails warning of outdated firmware, or through fake tech-support accounts on Reddit or Discord. The download page replicates trezor.io's visual design exactly.
After installation, the malware component runs as a background process with an innocuous name. When the user initiates a send transaction in Trezor Suite — copying the recipient's address from an exchange deposit page or a contact — the clipboard hijacker intercepts the copy event and replaces the contents with an attacker address. The victim pastes, confirms on the Trezor device, and broadcasts the transaction.
The genuine Trezor Suite is available only at trezor.io/start and from the direct downloads page at trezor.io/trezor-suite. The installer's SHA-256 hash is published on that page and can be verified before installation. Computing the hash of the downloaded file and comparing it against the published value is the most reliable protection against tampered installers.
Common red flags
- Trezor Suite installer downloaded from any site other than trezor.io
- Search engine ad or email directed you to a 'Trezor Suite download' outside trezor.io
- Pasted wallet address does not match the address you just copied — characters are different, especially at beginning or end
- Antivirus software flags a background process or the installer file after installation
- System resource usage increases unexpectedly after installation of the Trezor Suite software
How to protect yourself
- Download Trezor Suite only from trezor.io and verify the downloaded file's SHA-256 hash against the published checksum
- Triple-check the destination address character by character immediately after pasting — especially the first four and last four characters
- Verify the full address on the Trezor device's physical screen against your intended destination before pressing the confirm button
- Run real-time antivirus protection to detect clipboard-monitoring background processes
- If you suspect your clipboard is being modified, use a clipboard manager that logs history to detect substitution events
How to report it
- Report the malicious download site to Trezor at [email protected]
- Upload the installer to VirusTotal and report the malware to your antivirus vendor
- File a report with IC3.gov (US) or Action Fraud (UK) and provide the download URL and transaction hashes
- Report the phishing domain to Google Safe Browsing and Netcraft's phishing database
Frequently asked questions
If I use a Trezor hardware wallet, does that protect me from clipboard hijacking?
Partially. The hardware wallet will only sign what you confirm on the device screen. If a clipboard hijacker has already replaced the address before you paste it — so both your computer and device show the wrong address — you may still confirm the fraudulent transaction. You must compare the pasted address to the original source before confirming.
How do I check the SHA-256 hash of a Trezor Suite download?
On Windows, open PowerShell and run: Get-FileHash path\to\installer.exe -Algorithm SHA256. On macOS or Linux: sha256sum path/to/installer. Compare the output to the hash published on trezor.io's download page. If they differ, do not run the file.
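The hash comparison above can be scripted so it does not depend on comparing 64 characters by eye. This is an added example, not code from Trezor or from the original page; the script name and function names are assumptions. The published value must be copied from trezor.io itself, since a fake download page can publish a hash that matches its own trojanized file.

```python
import hashlib
import hmac
import re
import sys

# A SHA-256 digest is exactly 64 hexadecimal characters.
_HEX64 = re.compile(r"[0-9a-f]{64}")


def normalise_digest(text):
    """Lower-case a pasted digest and drop whitespace.

    Get-FileHash prints upper-case hex and sha256sum prints lower-case,
    so both forms must compare equal. Anything that is not 64 hex
    characters (for example a truncated paste) is rejected outright.
    """
    cleaned = "".join(text.split()).lower()
    if not _HEX64.fullmatch(cleaned):
        raise ValueError("published value is not a SHA-256 hex digest")
    return cleaned


def file_sha256(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer is never read into memory whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def installer_matches(path, published):
    """Return True only if the file's SHA-256 equals the published digest."""
    expected = normalise_digest(published)
    return hmac.compare_digest(file_sha256(path), expected)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_installer.py <installer> <published-sha256>")
    try:
        ok = installer_matches(sys.argv[1], sys.argv[2])
    except (OSError, ValueError) as exc:
        sys.exit(f"cannot verify: {exc}")
    print("MATCH: hash equals the published value" if ok else "MISMATCH: do not run this file")
    sys.exit(0 if ok else 1)
```

The script exits with status 1 on a mismatch, so it can gate an installation step in a provisioning script.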