Clipboard Hijacking in Crypto: How Malware Swaps Your Wallet Address When You Paste
You copy a wallet address. You paste it into MetaMask. You check the first four characters and the last four โ they match. You send $2,000. Then you open Etherscan to check the transaction and the recipient address is completely different from the one you copied. Your clipboard was hijacked.
This is one of the few crypto attacks that doesn't require you to visit a phishing site, connect your wallet, or sign anything. The malware runs quietly in the background, and the attack completes the moment you paste. By the time you notice, the transaction is already confirmed.
How clipboard hijackers work
The malware runs as a background process and monitors your clipboard continuously. When it detects a string that matches the pattern of a crypto address โ a 42-character hex string starting with "0x," a 44-character base58 string for Solana, a Bitcoin bech32 address โ it replaces the clipboard contents with the attacker's address.
This happens in milliseconds. Between the moment you press Ctrl+C and the moment you press Ctrl+V, the replacement is complete. You never see the original address leave your clipboard.
Advanced versions go further: they search for vanity addresses that match the prefix and suffix of your original โ the same technique used in address poisoning attacks. When you check the first and last few characters, they match. The middle is completely different.
How people get infected
The most common infection vector is cracked software โ a free version of Photoshop, a game, a productivity tool, a Windows activation bypass. These files are exactly what they claim to be, plus additional payload. The software works. You don't notice anything wrong.
- โขCracked software downloads from torrent sites or file-sharing forums
- โขFake wallet installer files found through Google ads (searching "MetaMask download" and clicking an ad)
- โขBrowser extensions with excessive permissions that were updated after you installed them
- โขUnverified scripts from YouTube tutorials or GitHub repositories for crypto tools
- โขPirated games bundled with unrelated payloads
If you use the same computer for gaming or downloading unofficial software and for managing crypto, the risk is significantly higher.
Why the 4-character check fails against sophisticated hijackers
Checking the first 4 and last 4 characters of an address is standard practice. The problem is that generating vanity addresses โ custom addresses with specific prefixes or suffixes โ is computationally cheap. A simple script can produce thousands per second.
If a hijacker has your source address and matches 6 characters at the start and 6 at the end, the probability of you catching it on a spot check is very low. Most people aren't reading 42 characters closely while mid-transaction.
How to detect and remove it
Immediate test: Copy a known address from a trusted source โ your own wallet address, for example. Open Notepad or any plain text editor. Paste. Compare the full string character by character against the original. If it's different, you have a clipboard hijacker and should stop all crypto activity on that machine immediately.
On Windows: Run Malwarebytes (the free version is sufficient). It detects most clipboard trojans under categories like "Trojan.ClipBanker" or similar. Also check Task Manager > Details tab for unfamiliar processes with high CPU usage.
Browser extensions: Go to your browser's extension list and remove anything you didn't explicitly install, anything that was recently updated with new permissions, or anything claiming to be a wallet you don't use. See our guide on fake crypto wallet browser extensions.
Prevention habits that actually work
- โVerify the full address after pasting โ not just the ends โ before confirming any significant transaction
- โUse a hardware wallet: Ledger and Trezor show the destination address on the device screen for independent confirmation
- โKeep browser extensions to the minimum โ each extension has access to your clipboard and page content
- โNever download cracked software on a machine that handles crypto
- โUse separate devices: one for browsing and gaming, one dedicated to crypto
For more on protecting your seed phrase and wallet from compromise, read our seed phrase security guide.
Frequently asked questions
How do I know if I have clipboard hijacking malware?
Copy a known address, paste it immediately into a text editor, and compare it character by character. If it changed, run Malwarebytes on Windows. Stop all crypto activity on that machine until the scan is clean.
Which platforms are targeted?
Primarily Windows, where clipboard trojans are widely distributed via cracked software and fake installers. macOS versions exist but are less common. Any platform where you manually copy-paste addresses is at risk.
Can a hardware wallet protect against clipboard hijacking?
Partially. Hardware wallets display the destination address on their own screen โ independent of your computer. If the address on the device doesn't match your intended address, you catch the hijack before confirming.
A second check before every transaction confirms
GuardianAI displays the full recipient address before you confirm any transaction โ one more opportunity to catch a swapped address before funds leave your wallet. Free Chrome extension.
Get GuardianAI โ It's Free