What is Clipboard Hijacking?
Clipboard hijacking is a type of malware that monitors your computer’s clipboard for cryptocurrency addresses. When it detects an address being copied, it silently replaces it with the attacker’s address. If you paste and send funds without double-checking, your money goes to the scammer.
This attack exploits a common workflow: copy an address from an email or website, paste it into your wallet, and send. The malware intercepts the clipboard content in that brief moment between copy and paste.
How Clipboard Hijacking Works
- User installs malware (often bundled with “free” software or pirated content)
- The malware runs silently in the background, monitoring clipboard activity
- User copies a crypto address (e.g., from an email or exchange)
- The malware detects the address format (starts with 0x, bc1, etc.)
- It instantly replaces the copied address with the attacker’s address
- User pastes into their wallet and sends — funds go to the attacker
The replacement is instant and invisible. The addresses look similar enough that users don’t notice the swap.
How to Detect Clipboard Hijacking
The double-paste test: Copy an address, paste it into a text editor, then paste it again right after. If the two pastes show different addresses, you have clipboard malware.
Visual comparison: Always visually compare the pasted address with the source. Even one character difference means it’s been hijacked.
How to Prevent Clipboard Hijacking
- Always verify the full address — paste and visually compare every character before sending
- Use address books / whitelists — store known addresses in your wallet’s address book
- Use ENS / domain names — send to “alice.eth” instead of raw hex addresses
- Run anti-malware software — detect and remove clipboard hijackers
- Don’t install untrusted software — clipboard malware often comes bundled with pirated or “free” programs
- Use a hardware wallet — hardware wallets display the address on their screen, bypassing the clipboard entirely
Clipboard Hijacking vs. Address Poisoning
These are related but different attacks:
| Aspect | Clipboard Hijacking | Address Poisoning |
|---|---|---|
| Method | Malware replaces clipboard content | Fake transactions create look-alike addresses in history |
| Requires malware? | Yes | No (exploits user copying from transaction history) |
| Platform | Desktop wallets | Any wallet |
| Detection | Anti-malware scan | Check transaction history for suspicious addresses |
Frequently Asked Questions
Q: Can clipboard hijacking affect mobile wallets? A: Yes, but it’s less common. Android and iOS have stricter clipboard access controls than desktop. However, some malicious apps can still read clipboard data on mobile devices.
Q: How common is clipboard hijacking? A: It was more common in the 2017-2020 era. Modern operating systems (Windows 11, macOS) have improved clipboard monitoring detection. However, it remains a threat, especially for users who download software from untrusted sources.
Q: Will a hardware wallet protect me from clipboard hijacking? A: Yes. Hardware wallets display the transaction details (including the destination address) on their physical screen. Even if your clipboard is compromised, the hardware wallet shows the actual address being sent to, allowing you to catch the manipulation.