Glossary

Clipboard Hijacking

Malware that monitors the clipboard and replaces copied Bitcoin addresses with attacker-controlled addresses to redirect payments.

Key Takeaways

  • Clipboard hijacking (also called clipper malware) silently replaces cryptocurrency addresses you copy with an attacker's address, redirecting funds when you paste and send a transaction.
  • The attack exploits a fundamental habit: copy-pasting long addresses that are impractical to memorize. Using a signing device with an independent display is one of the strongest defenses.
  • Prevention requires verifying the full destination address before every transaction, not just the first and last few characters. QR codes and self-custody wallets with address book features reduce reliance on the clipboard entirely.

What Is Clipboard Hijacking?

Clipboard hijacking is a type of malware attack where malicious software monitors your device's clipboard for cryptocurrency wallet addresses and silently swaps them with addresses controlled by the attacker. When you copy a Bitcoin address to send a payment and paste it into your wallet, the address in the clipboard is no longer the one you copied. If you send without verifying, the funds go to the attacker.

The attack is effective because cryptocurrency addresses are long strings of seemingly random characters. Bitcoin addresses range from 26 to 62 characters depending on the address type (Legacy, SegWit, or Taproot), making them impossible to memorize and impractical to type manually. Nearly everyone relies on copy-paste, which is exactly what clipper malware exploits.

First documented in 2017 with the CryptoShuffler trojan discovered by Kaspersky Lab, clipper malware has since grown into a persistent threat across all major operating systems: Windows, Android, macOS, and as of 2026, Linux. Some variants are sold as malware-as-a-service, with subscriptions available for as little as $549 per year, lowering the barrier for attackers.

How It Works

Clipboard hijacking operates in three stages: installation, monitoring, and replacement. Each stage is designed to be invisible to the user.

Stage 1: Installation

Clipper malware typically arrives through trojanized software: pirated applications, fake browser extensions, fraudulent app store listings, or bundled with other malware. The MassJacker campaign discovered in 2025 specifically targeted users downloading pirated software. The GitVenom campaign, uncovered by Kaspersky in 2025, hid clipper malware in hundreds of fake GitHub repositories with AI-generated README files designed to appear legitimate.

Once installed, the malware establishes persistence through autorun entries or injected libraries that load on system startup. It runs silently in the background, consuming minimal resources to avoid detection.

Stage 2: Clipboard Monitoring

The malware registers as a clipboard listener using operating system APIs. On Windows, it uses AddClipboardFormatListener() to receive notifications whenever clipboard content changes. On Android, it hooks into the ClipboardManager API. On Linux, the ClipXDaemon variant (discovered in 2026) targets X11 clipboard events.

Every time you copy text, the malware inspects it within milliseconds.

Stage 3: Pattern Matching and Replacement

The malware uses regular expressions to identify cryptocurrency addresses by their distinctive formats:

# Simplified regex patterns used by clipper malware
# Bitcoin Legacy (P2PKH): starts with 1, 26-35 chars
^1[a-km-zA-HJ-NP-Z1-9]{25,34}$

# Bitcoin Legacy (P2SH): starts with 3
^3[a-km-zA-HJ-NP-Z1-9]{25,34}$

# Bitcoin SegWit (Bech32): starts with bc1q
^bc1q[a-z0-9]{38,58}$

# Bitcoin Taproot (Bech32m): starts with bc1p
^bc1p[a-z0-9]{38,58}$

# Ethereum: starts with 0x, 42 hex chars
^0x[0-9a-fA-F]{40}$

Upon detecting a match, the malware clears the clipboard and writes the attacker's pre-configured address in its place. The entire swap takes milliseconds. More advanced variants like the Laplas Clipper (2022) generate replacement addresses that visually resemble the original, sharing the same prefix or suffix characters to reduce the chance of detection during a quick visual check.

Real-World Incidents

Clipboard hijacking is not theoretical. Multiple large-scale campaigns have been documented by security researchers:

Campaign | Year | Impact
CryptoShuffler | 2017 | Stole 23 BTC (~$140,000); discovered by Kaspersky
Phorpiex/Twizt | 2020-2021 | 969 hijacked transactions; ~$500,000 stolen across BTC, ETH, and ERC-20 tokens
First Android clipper | 2019 | Found on Google Play impersonating MetaMask; discovered by ESET
GitVenom | 2025 | 5 BTC (~$485,000) via fake GitHub repositories; discovered by Kaspersky
MassJacker | 2025 | Used 778,531 unique attacker addresses; discovered by CyberArk

In September 2024, Binance issued a public advisory about a widespread clipper malware campaign, noting a "notable spike" in activity that caused "significant financial losses" among users, particularly those using unofficial Android apps.

Why Address Verification Matters

Bitcoin transactions are irreversible. Once a transaction is broadcast and confirmed on the blockchain, there is no chargeback mechanism and no way to recover funds sent to the wrong address. This makes clipboard hijacking especially dangerous compared to similar attacks in traditional finance, where chargebacks or bank reversals may be possible.

The attack also highlights why self-custody requires active vigilance. Owning your own keys means taking full responsibility for verifying every transaction. Unlike custodial services that might flag suspicious addresses, a self-custody wallet will send wherever you tell it to send.

For deeper context on how different wallet architectures handle security, see the research article on self-custodial vs. custodial wallets.

Mitigations

No single defense eliminates the risk entirely, but combining multiple strategies makes clipboard hijacking significantly harder to exploit.

Verify the Full Address

Always compare the pasted address against the original before confirming any transaction. Check more than just the first and last few characters: advanced clipper malware like Laplas generates addresses with matching prefixes and suffixes. Verify a substantial portion of the middle characters as well. An academic paper published at IEEE demonstrated that attackers can pre-mine databases of lookalike addresses, achieving partial visual matches that deceive quick checks.
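The following Python is an added example and is not code from this page or from Spark. It ties together the Stage 3 section above and the full-address check recommended here: the page's own simplified patterns decide whether a string is shaped like an address, and a character-by-character comparison against the intended address flags the Laplas-style case where the visible prefix and suffix agree but the middle differs. The three sample strings are constructed to have the right shape and are not real addresses; the function names (classify, verify, highlight), the Verdict type and the `visible` threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# The simplified address-shape patterns listed on this page. They say that a
# string looks like an address; they check no Base58Check or bech32 checksum,
# so "looks like" is all a match means (for a clipper and for us alike).
ADDRESS_PATTERNS = {
    "btc-p2pkh":   re.compile(r"^1[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-p2sh":    re.compile(r"^3[a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-segwit":  re.compile(r"^bc1q[a-z0-9]{38,58}$"),
    "btc-taproot": re.compile(r"^bc1p[a-z0-9]{38,58}$"),
    "eth":         re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text: str):
    """Return the address type the pattern set recognises, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


@dataclass
class Verdict:
    status: str                 # "match", "lookalike", "mismatch", "not-an-address"
    shared_prefix: int = 0      # leading characters that agree
    shared_suffix: int = 0      # trailing characters that agree
    differing_positions: list = field(default_factory=list)


def _common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def verify(intended: str, pasted: str, visible: int = 4) -> Verdict:
    """Compare the pasted address with the intended one, every character.

    `visible` is how many leading and trailing characters a hurried visual
    check usually covers. If both ends agree for at least that many characters
    but the middle differs, the result is flagged as a lookalike substitution.
    """
    intended, pasted = intended.strip(), pasted.strip()
    if classify(pasted) is None:
        return Verdict("not-an-address")
    if intended == pasted:
        return Verdict("match", len(intended), len(intended))
    prefix = _common_prefix_len(intended, pasted)
    suffix = _common_prefix_len(intended[::-1], pasted[::-1])
    shorter, longer = min(len(intended), len(pasted)), max(len(intended), len(pasted))
    diffs = [i for i in range(longer) if i >= shorter or intended[i] != pasted[i]]
    status = "lookalike" if prefix >= visible and suffix >= visible else "mismatch"
    return Verdict(status, prefix, suffix, diffs)


def highlight(intended: str, pasted: str) -> str:
    """Two lines: the pasted address, then a caret under each differing position."""
    diffs = set(verify(intended, pasted).differing_positions)
    marks = "".join("^" if i in diffs else " " for i in range(len(pasted)))
    return f"{pasted}\n{marks}"


# Constructed sample strings (shaped like addresses; none of them is real).
INTENDED  = "1BvBq7xRJ4mAkE3pTzYfW2hDcN9uS7gVN2"             # the address the user meant to pay
LOOKALIKE = "1BvBqkq2Hz7pW3RdnVsTyUcMfBe9X7gVN2"             # same first and last 5 chars, new middle
SWAPPED   = "bc1qx7k3m9p2vdq0a5ryw8hzt4c6ufe0lsn2jg3d4k5m"   # unrelated replacement address

if __name__ == "__main__":
    for label, pasted in [("unchanged", INTENDED), ("lookalike", LOOKALIKE), ("swapped", SWAPPED)]:
        v = verify(INTENDED, pasted)
        print(f"{label:>9}: {v.status} (prefix {v.shared_prefix}, suffix {v.shared_suffix})")
        print(highlight(INTENDED, pasted))
```

A checksum check would add nothing here: the attacker's replacement is itself a valid address. The only reliable reference is the intended address obtained through a channel the infected machine cannot alter, such as the signing-device screen or a previously verified address-book entry, which is what `intended` stands for in the example.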

Use a Signing Device

A signing device (hardware wallet) displays the destination address on its own built-in screen, providing an out-of-band verification channel that malware on your computer cannot tamper with. Before signing, compare the address shown on the device screen against the intended recipient. This is one of the most effective defenses because the verification happens on isolated hardware.

For maximum security, some users pair signing devices with air-gapped signing workflows, where the signing device never connects to an internet-enabled computer at all.

Use QR Codes

Scanning a QR code of the recipient's address bypasses the clipboard entirely, eliminating the attack surface for clipper malware. Many wallets support QR code payments for exactly this reason. When possible, have the recipient display their address as a QR code rather than sending it as copyable text.

Send a Test Transaction

Before sending a large amount, send a small test transaction and verify receipt with the intended recipient. The additional transaction fee is a small price for confirming the address is correct. This is especially important for first-time recipients or addresses you haven't used before.

Use Address Books

Most wallets and exchanges offer address book or allowlist features where you can save verified addresses. Once an address is saved, future transactions use the stored version rather than relying on copy-paste. This reduces exposure to clipboard manipulation for repeated payments.

Practice Software Hygiene

Avoid pirated software, unofficial app stores, and unverified browser extensions. Keep your operating system and antivirus software updated. The majority of clipper malware infections originate from downloading software from untrusted sources.

Broader Security Context

Clipboard hijacking is one of several attack vectors that target cryptocurrency users. Phishing attacks trick users into revealing private keys or sending funds to fake websites. Dust attacks attempt to de-anonymize wallet owners through chain analysis. BGP hijacking can redirect network traffic to intercept transactions at the protocol level.

What makes clipboard hijacking particularly insidious is its simplicity. It requires no sophisticated cryptographic attack, no network-level interception, and no social engineering at the moment of the transaction. It exploits a mundane action: pasting text. The best defense is building the habit of always verifying the full destination address before every transaction, regardless of the amount.

Layer 2 solutions and payment protocols that reduce the need for raw address handling can also help. Lightning invoices encode payment details in a structured format that is less susceptible to simple address substitution. Spark, as a Bitcoin Layer 2, enables payments that don't require users to manually copy and paste long on-chain addresses for every transaction.

Risks and Considerations

  • Clipboard hijacking affects all major operating systems: Windows, Android, macOS, and Linux as of 2026. No platform is immune.
  • Advanced variants generate lookalike addresses that match the prefix and suffix of the original address, defeating quick visual checks.
  • The malware-as-a-service model means clipper tools are accessible to low-skill attackers, increasing the volume of campaigns.
  • Because Bitcoin transactions are irreversible, there is no recovery mechanism once funds are sent to an attacker's address.
  • Even experienced users can fall victim if they become complacent about address verification, particularly for routine transactions.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.