Clipboard Hijacker Crypto Scams
Malware that silently replaces a cryptocurrency address you have copied with the attacker's address, redirecting your transfer.
Last reviewed: 1 June 2026
What this scam is
A clipboard hijacker — sometimes called a clipboard stealer or crypto clipper — is a type of malware that monitors your computer's clipboard for cryptocurrency wallet addresses and silently replaces any copied address with an address controlled by the attacker. When you then paste the address into a transaction and send it, the funds go to the attacker rather than the intended recipient.
This attack is particularly insidious because it operates entirely invisibly. You copy an address you intend to use. The malware detects that a wallet address format has been copied and immediately substitutes the attacker's address. When you paste, the text in the paste field appears to be a normal wallet address — and it is a valid address, just not yours or your intended recipient's. Unless you carefully compare the pasted address character-by-character with the original, you will not notice the substitution.
Clipboard hijackers are technically straightforward to write and have been circulating in malware ecosystems since at least the mid-2010s. They are often bundled with other malware distributed through software piracy sites, fake cryptocurrency tools, malicious browser extensions, and trojanised downloads from unofficial sources.
Because cryptocurrency transactions are irreversible, the damage occurs the moment a transaction is confirmed. There is no mechanism to reverse a transfer to the wrong address, even if the error is identified immediately after confirmation.
The attack is not theoretical — it has caused significant and well-documented losses, and clipboard monitoring functionality is a common feature of broader crypto-stealing malware packages alongside password harvesting and wallet file extraction.
How it works
The malware is installed on the victim's device through a compromised download — typically software presented as a legitimate tool, game, utility, or media file. Common vectors include pirated software and games, fake cryptocurrency wallet installers, malicious browser extensions, trojanised versions of legitimate open-source tools, and phishing email attachments.
Once installed, the malware runs quietly in the background as a small process. It continuously monitors the system clipboard. When it detects that the clipboard content matches the pattern of a cryptocurrency wallet address — Bitcoin, Ethereum, and other networks each have recognisable address formats — it replaces the clipboard content with an attacker-controlled address of the same format.
The substitution is instantaneous. The user copies an address, the malware replaces it within milliseconds, and the user pastes what they believe is the original address. Because wallet addresses are long strings of random-looking characters, even attentive users rarely check the full string after pasting.
The attacker's address may share the first few characters with the original (some advanced variants use address-generation techniques to create partial matches), making partial checking insufficient.
The malware may be persistent — reinstalling itself or operating across reboots — and may also be part of a broader infostealer package that exfiltrates saved passwords and wallet files simultaneously.
Why this scam works
The attack exploits a universal behaviour: people copy wallet addresses because they are too long to type accurately. The copy-paste workflow is the expected and rational approach to handling wallet addresses. Malware that intercepts exactly this workflow targets the most common interaction in crypto transactions.
Wallet addresses have no meaningful visual differentiation — they look like random strings of similar characters. Most users do not — and practically cannot — verify a pasted address against an original character-by-character in every transaction. The cognitive effort required for perfect verification is simply too high for routine use.
By the time the error is discovered, the transaction has typically confirmed and is irreversible.
A typical pattern
A person is transferring cryptocurrency to a friend's wallet. They copy the address the friend sent them via a messaging app. They paste it into their wallet's send field without looking carefully — the pasted address appears to be a wallet address and they proceed. The transaction confirms. The friend reports never receiving the funds. The sender checks the transaction on a block explorer and notices the destination address is different from the one they were sent. Investigation reveals a clipboard hijacking application installed alongside pirated software several weeks earlier.
Common red flags
- Pasted wallet address differs from the address you copied
- Recently installed software or browser extension from an unofficial source
- Antivirus software flagging processes associated with a recent download
- Unknown background processes consuming resources
- Wallet address in clipboard changes after copying, even without pasting
- Transaction confirmation shows a destination address you do not recognise
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
- Send to my wallet: [wallet address] — let me know when it's done.
- Deposit your [token] to this address to start earning: [wallet address]
- Refund being processed to the address on file: [wallet address]. Confirm receipt.
- Your withdrawal will be sent to [wallet address]. Approve to continue.
- Transfer [amount] [token] to [wallet address] to complete your order.
- Your wallet address for the swap: [wallet address]. Copy and paste into your send field.
Common variations
- Basic clipboard replacement — replaces any detected wallet address format with attacker's address
- Partial-match variant — attacker generates an address sharing the first few characters with the target
- Multi-currency hijacker — monitors for address formats across multiple blockchain networks
- Infostealer bundle — clipboard hijacking combined with password harvesting and wallet file theft
- Browser extension clipper — malicious extension intercepts clipboard at the browser level
- Mobile clipper — clipboard hijacking functionality in malicious Android or iOS apps
How to verify before you act
After pasting any wallet address, verify it against the original by comparing at minimum the first six and last six characters. For high-value transactions, verify the full address or use a secondary device to cross-check.
Most modern wallets display the address in a format that allows partial visible verification — use this feature deliberately for every transaction.
Run reputable, up-to-date antivirus software and avoid downloading software from unofficial sources. Clipboard hijackers are typically detected by reputable security tools if definitions are current.
Consider using a QR code rather than copy-paste for address entry where available — this bypasses the clipboard entirely.
For large transactions, send a small test amount first and confirm receipt before sending the full amount.
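The comparison described above, as an added Python example that is not part of the original page: it compares the intended and pasted strings in full, reports where they first differ, and also reports what a first-six/last-six glance would have concluded. The function names and both sample strings are constructed for illustration; the samples are not real wallets.

```python
from dataclasses import dataclass


@dataclass
class AddressCheck:
    match: bool        # True only if every character is identical
    ends_match: bool   # what a "first six / last six" glance would conclude
    first_diff: int    # index of the first differing character, -1 if none
    diff_count: int    # differing positions, including any length gap


def check_pasted_address(intended: str, pasted: str, edge: int = 6) -> AddressCheck:
    """Compare the address you meant to use with what was actually pasted."""
    a, b = intended.strip(), pasted.strip()
    # Exact, case-sensitive comparison (an assumption of this example): it may
    # flag a re-cased copy of the same address, but never passes a different one.
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    length_gap = abs(len(a) - len(b))
    if not diffs and length_gap:
        first = min(len(a), len(b))   # one string is a prefix of the other
    else:
        first = diffs[0] if diffs else -1
    ends = a[:edge] == b[:edge] and a[-edge:] == b[-edge:]
    return AddressCheck(a == b, ends, first, len(diffs) + length_gap)


def grouped(address: str, size: int = 4) -> str:
    """Split an address into short groups for reading against a second device."""
    s = address.strip()
    return " ".join(s[i:i + size] for i in range(0, len(s), size))


# Constructed sample strings shaped like addresses; not real wallets.
INTENDED = "bc1qexample7k2m9intended4x8p3w6z5n0r1t2y3u"
SWAPPED = "bc1qexample7k2m9attacker4x8p3w6z5n0r1t2y3u"

if __name__ == "__main__":
    result = check_pasted_address(INTENDED, SWAPPED)
    print(result)
    print("intended:", grouped(INTENDED))
    print("pasted:  ", grouped(SWAPPED))
```

In this constructed pair the first six and last six characters agree while the middle differs, so only the full comparison reports the mismatch.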
Payment methods used
- Any cryptocurrency transaction using copy-pasted wallet addresses
- Bitcoin, Ethereum, and major altcoin transfers
- Stablecoin transfers
Who is usually targeted
- Anyone who uses copy-paste to enter wallet addresses
- Regular crypto senders and traders
- People who download software from unofficial or piracy sources
- Users with low-security or unprotected devices
What to do immediately
- If a transaction has been sent to the wrong address, document the transaction hash immediately — the transfer is likely irreversible but you need the record for reporting
- Run a full antivirus scan with up-to-date definitions on any device used for crypto transactions
- Remove any recently installed software or browser extensions from unofficial sources
- Change passwords for any accounts accessed from the affected device, as clipboard hijackers are often part of broader infostealer packages
- Move funds from any wallets that may have been accessible from the infected device to new addresses, using a clean device
- Report to your national fraud authority with transaction evidence
How to prevent it
- Always verify pasted wallet addresses against the original — check at minimum the first and last six characters
- For high-value transactions, verify the full address character-by-character using a secondary device
- Send a small test amount first and confirm receipt before sending large transfers
- Use QR codes for address entry where available to bypass the clipboard
- Only download software from official sources — avoid piracy sites and unofficial repositories
- Keep antivirus software active and up to date on any device used for crypto
- Be cautious installing browser extensions — review permissions carefully
- Use a dedicated, clean device for high-value crypto transactions if possible
Evidence to preserve
- Transaction hash showing the funds sent to the wrong address
- The intended recipient address and the address the funds actually went to
- Antivirus scan logs identifying the malware
- Details of recently installed software or extensions that may have introduced the malware
- Device logs if accessible
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can clipboard hijacking happen on a Mac or phone, or only Windows?
Clipboard hijacking malware exists across platforms, including macOS and Android. iOS has more sandboxing restrictions that make clipboard monitoring harder, though not impossible. No platform is immune, though the majority of known samples target Windows.
Can I recover funds sent to the wrong address due to clipboard hijacking?
Almost certainly not. Blockchain transactions are irreversible. Once a transaction is confirmed, neither you, your exchange, nor any authority can reverse it. Prevention — verifying pasted addresses — is the only reliable protection.
How do I check if I have a clipboard hijacker on my device?
Run a full scan with a reputable, up-to-date antivirus or anti-malware tool. You can also test manually: copy a wallet address, then immediately check the clipboard by pasting it into a text editor. If the text has changed, you likely have a clipboard monitor active.
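The manual test above can be automated. This added Python example (not part of the original page) places a known address on the clipboard and re-reads it several times, recording any read that no longer matches. The function names are assumptions of this example, the tkinter backend needs a desktop session, and the canary should be one of your own receive addresses.

```python
import time
from typing import Callable, List, Tuple


def clipboard_self_test(write: Callable[[str], None], read: Callable[[], str],
                        canary: str, checks: int = 10,
                        interval: float = 0.2) -> List[Tuple[int, str]]:
    """Put `canary` on the clipboard, re-read it `checks` times and return
    (check_number, observed_text) for every read that differs from it."""
    write(canary)
    changes = []
    for n in range(1, checks + 1):
        time.sleep(interval)
        seen = read()
        if seen.strip() != canary:
            changes.append((n, seen))
    return changes


def tk_clipboard():
    """Clipboard access through the standard-library tkinter module."""
    import tkinter          # imported here so the module loads without a display
    root = tkinter.Tk()
    root.withdraw()         # no visible window

    def write(text: str) -> None:
        root.clipboard_clear()
        root.clipboard_append(text)
        root.update()       # hand the new contents to the OS clipboard

    def read() -> str:
        root.update()
        try:
            return root.clipboard_get()
        except tkinter.TclError:    # clipboard empty or not text
            return ""
    return write, read


if __name__ == "__main__":
    # Placeholder: replace with one of your own receive addresses.
    CANARY = "<your-own-receive-address>"
    w, r = tk_clipboard()
    changes = clipboard_self_test(w, r, CANARY)
    for n, seen in changes:
        print(f"check {n}: clipboard now holds {seen!r}")
    print("clipboard changed" if changes else "no change observed in this run")
```

An empty result only means nothing changed during this run; it does not replace the full antivirus scan.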
Does a VPN protect against clipboard hijacking?
No. A VPN encrypts your network traffic but has no effect on software running locally on your device. Clipboard hijacking is a local malware function — network security tools do not prevent it.
I always use the same address — can I just assume the clipboard is fine?
No. The malware replaces whatever wallet address is placed on the clipboard, regardless of how familiar the address looks to you. The attacker's address is a valid-format string, so it will not look obviously wrong. Verification is necessary every time.
Is it safe to use copy-paste for small amounts?
The risk applies to any amount. Clipboard hijackers typically replace all detected wallet addresses regardless of value. For any real transfer, verify the pasted address. For tiny amounts — learning transactions, dust tests — the financial risk is low, but the habit of verifying protects you when amounts are larger.
Should I use a hardware wallet to protect against clipboard hijackers?
A hardware wallet confirms the destination address on the device screen before signing. This gives you an independent verification step that can catch a clipboard substitution — you compare the hardware wallet screen display with your intended address. This is a meaningful protection layer.
What should I do immediately if I sent funds to the wrong address?
Document the transaction hash immediately. Run antivirus on your device. Move funds from any other wallets accessible from that device to new addresses on a clean device. Report to your national fraud authority. Do not pay any recovery service — on-chain transactions are irreversible.