You could lose your entire wallet balance through a single copy-paste action. This article explains how to identify, prevent, and handle that threat so you can protect your assets.

What is a Clipboard Hijacker?
Clipboard Hijackers (aka address-swappers) are malware that watches your clipboard and replaces cryptocurrency addresses with those from an attacker’s wallet. This family of malware is common, affects all cryptocurrencies (Bitcoin, Ethereum, LTC, Monero, etc.) and is distributed via trojanized installers, fake apps/extensions, malicious ads and downloaders.
How does the Clipboard Hijacker work?
- Infection: Users accidentally install the malicious software (often through fake applications or extensions, generally crypto related).
- Monitoring: The malware runs silently in the background and monitors the clipboard (the temporary storage for copied content).
- Address Swap: When the user copies a cryptocurrency address, the malware immediately replaces that address with the attacker’s address.
- Loss of funds: The victim pastes and sends the money without realizing the change. Since crypto transactions are irreversible, the funds are permanently lost.

Essential and best security measures
- Manually verify the address: After you paste the wallet address into the send box, take a moment to check the first and last 5 to 6 characters of that address against the source. If there is any difference, DO NOT SEND THE MONEY.
- Use a hardware wallet: A hardware wallet shows the destination address on its own screen when you verify the transaction. Compare that address with the one from your source.
- Prefer QR codes: When possible, scan a QR code to pay instead of copying and pasting the address, as the malware cannot affect QR codes.
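The manual check above can also be scripted. The sketch below is an added example, not part of the original article: it goes beyond the first-and-last-characters check by comparing the whole string and reporting how many leading and trailing characters agree. The address patterns are simplified and the two sample addresses are constructed.

```python
import os
import re

# Simplified address shapes (assumed for this example, not full validators).
FAMILIES = {
    "btc-base58": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,87}$", re.I),
    "eth-hex": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
CASE_INSENSITIVE = {"btc-bech32", "eth-hex"}

def family(addr):
    """Return the name of the first matching address family, or None."""
    for name, pattern in FAMILIES.items():
        if pattern.match(addr):
            return name
    return None

def canonical(addr):
    """Strip whitespace; lowercase only formats where case carries no identity."""
    addr = addr.strip()
    return addr.lower() if family(addr) in CASE_INSENSITIVE else addr

def shared_ends(a, b):
    """Lengths of the common prefix and common suffix of two strings."""
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return prefix, suffix

def check_paste(source, pasted):
    """Compare the address from the source with what landed in the send box."""
    src, dst = canonical(source), canonical(pasted)
    if src == dst:
        return {"verdict": "match"}
    prefix, suffix = shared_ends(src, dst)
    same_family = family(src) is not None and family(src) == family(dst)
    return {"verdict": "swapped" if same_family else "mismatch",
            "family": family(dst), "shared_prefix": prefix, "shared_suffix": suffix}

# Constructed sample values: same format, same ends, different middle.
SOURCE = "0x1a2b3c" + "0123456789abcdef0123456789ab" + "9f8e7d"
LOOKALIKE = "0x1a2b3c" + "f" * 28 + "9f8e7d"

if __name__ == "__main__":
    print(check_paste(SOURCE, LOOKALIKE))
```

A `swapped` verdict means the pasted value is a well-formed address of the same format but not the one you copied, which is the situation in which the transfer should not be sent.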
Protect your computer and software
- Only download software from official sources: Never install apps or browser extensions from unknown places, cracked software, or files downloaded from suspicious torrents.
- Keep updated and use antivirus: Keep your Operating System up-to-date and use good anti-malware software (like Malwarebytes) with real-time protection.
- Clean up browser extensions: Regularly check your browser extensions and immediately remove anything you don’t use or that looks suspicious.

Immediate steps if you notice a Clipboard Hijacker
- STOP the transfer, don’t confirm/send.
- Do not reuse that machine for sensitive wallet operations until cleaned.
- Check the system for malware: run a full AV/antimalware scan (Windows Defender/Malwarebytes/other reputable scanners) and an offline/boot-time scan if possible.
- Inspect running processes/startup items (Task Manager, Sysinternals Autoruns/Process Explorer). Remove unknown items.
If you were scammed (funds sent):
- Trace the transaction(s) and collect evidence (txid).
- Use a blockchain explorer and take screenshots.
- File reports with local police and a cybercrime complaint (include evidence).
- Consider contacting a blockchain forensic service (Chainalysis, TRM, etc.). They can sometimes track flows and advise on reporting.
Detection & removal tips (Windows-focused)
- Run full scans with Windows Defender and Malwarebytes (or other reputable scanners).
- Use Autoruns (Sysinternals) to inspect startup entries and scheduled tasks; remove unknown entries.
- Inspect PowerShell history and temp folders for malicious installers (.ps1, .exe in AppData). Proofpoint / security reports show many clippers use PowerShell droppers.
- If the infection persists or is sophisticated, back up essential data (but be careful not to back up malware), wipe the machine and reinstall the OS from clean media, then restore data from known-good backups.
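One way to script the "inspect PowerShell history and temp folders" step, as an added example that is not part of the original article. The 30-day window, the keyword list and the function names are assumptions of this sketch; the history path is the default PSReadLine location.

```python
import os
import re
import time

SUSPECT_EXT = {".ps1", ".exe"}
# Heuristic substrings of download-and-run one-liners (list assumed for this example).
HISTORY_PATTERN = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|start-bitstransfer|"
    r"-enc(odedcommand)?\b|\biex\b|invoke-expression", re.I)

def default_roots():
    """AppData and temp folders of the current Windows user (empty elsewhere)."""
    return [os.environ[n] for n in ("APPDATA", "LOCALAPPDATA", "TEMP") if n in os.environ]

def recent_executables(roots, days=30, now=None):
    """List (mtime, path) of .ps1/.exe files modified in the last `days`, newest first."""
    cutoff = (now or time.time()) - days * 86400
    hits = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                    continue
                path = os.path.join(folder, name)
                try:
                    mtime = os.path.getmtime(path)
                except OSError:  # file vanished or access denied
                    continue
                if mtime >= cutoff:
                    hits.append((mtime, path))
    return sorted(hits, reverse=True)

def suspicious_history(history_path):
    """Return (line_number, text) for history lines matching HISTORY_PATTERN."""
    try:
        with open(history_path, encoding="utf-8", errors="replace") as fh:
            return [(i, line.strip()) for i, line in enumerate(fh, 1)
                    if HISTORY_PATTERN.search(line)]
    except OSError:
        return []

if __name__ == "__main__":
    for mtime, path in recent_executables(default_roots()):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), path)
    history = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                           "PowerShell", "PSReadLine", "ConsoleHost_history.txt")
    for number, text in suspicious_history(history):
        print(f"history line {number}: {text}")
```

Legitimate software also keeps executables under AppData, so each hit is a lead to review alongside the Autoruns and scanner results, not a verdict.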

Why is the Clipboard Hijacker still a big problem?
Clipboard Hijacker/clipper-like malware continues to evolve and hide inside fake installers, malicious ads, browser extensions, and loaders.
Recent campaigns (such as JSCEAL, GreedyBear, Tor-installer trojans) show that attackers are diversifying their delivery methods and using obfuscation techniques to evade antivirus (AV) software. Maintain vigilance.
From 2023 to 2025, numerous security companies and exchanges (e.g., Binance) have repeatedly warned about campaigns using clipper/clipboard hijackers, accompanied by new attack forms such as “fake CAPTCHA” scams that trick users into copy-pasting malware.
Hackers are becoming increasingly sophisticated in distribution (trojanized installers, loaders like SmokeLoader distributing clippers) and changing their IoCs (Indicators of Compromise) to evade traditional antivirus software. This makes clippers a real risk for individual users and businesses alike.

Conclusion
Clipboard Hijackers are a threat that is simple in concept but extremely effective, and recovery is nearly impossible once a loss has occurred.
The best defense is prevention: use a hardware wallet, confirm the address on the device, limit copy-paste actions, and keep your system clean. Always treat the clipboard as a vulnerability and proceed with caution when transferring funds.
Stay vigilant, verify everything, treat every transaction as a potential attack surface, and invest in hardening your own cyber defenses.
Based in Vietnam and looking to acquire a hardware wallet?
Our colleagues at BitcoinVN Shop – a subsidiary of Vietnam’s premier Bitcoin exchange BitcoinVN – have you covered with the latest models from trusted manufacturers such as Trezor, Ledger, and others. Team BitcoinVN Shop has been serving the Vietnamese market as an authorized reseller since 2017.
From our experience over the past decade, likely more than 90% of retail user fund-loss cases could have been prevented simply by using a hardware wallet – a basic security tool that keeps your private keys off your main working devices (meaning no transaction-signing capability on an infected computer).

If you hold anything worth at least four-digit USD value in crypto, do not cut corners or “save on the wrong end.”
Entry-level models such as the Trezor One or Ledger Nano S Plus start at just over $100 – a smart cost-benefit decision that protects you from catastrophic loss if your computer is compromised.
Most modern hardware wallets support clear-signing, allowing you to verify directly on the device’s secure screen whether the transaction you’re about to sign truly matches what appears on your computer – a crucial safeguard against malware, clipboard hijacking, and remote-access attacks.
Looking for more hands-on guidance for your security set-up?
Our team at BitcoinVN Consulting provides tailored, one-on-one guidance to help you build a secure and resilient self-custody setup.
From wallet configuration to threat assessment and recovery strategy, we support you with practical, real-world expertise gained from handling dozens of user cases across Vietnam and abroad.
Our leading experts have more than a decade of real-world experience in the field and continuously track global cyber-threat developments as well as emerging best practices in the self-custody space.
If this sounds like something you could benefit from, you can reach out to BitcoinVN Consulting today.
Maximum security custody for your Bitcoin?
Multivendor Multisig remains the top tier of self-custody – eliminating single points of failure and representing the cutting-edge standard for serious Bitcoin holders.
While using a hardware wallet is essential for any non-negligible amount, once we talk about “life-savings level” funds, your security setup should scale in sophistication accordingly.
Our team has access to the tools and expertise to guide you through the process of upgrading your self-custody to a full MVMS setup, and can even work alongside you as a steady and experienced partner in a collaborative-custody arrangement.
Operating a Bitcoin business and looking to protect your user base from address-phishing attacks?
Our partners at Branta are building advanced address-verification and transaction-risk tooling tailored for Bitcoin service providers.
Their system helps you catch manipulated or suspicious destination addresses before funds leave the user’s wallet – reducing support load, preventing avoidable losses, and shielding customers from common clipboard-swap and phishing attacks.

You can learn more about Branta in our recent announcement detailing why we chose to support their mission to build a more secure ecosystem for Bitcoin users and service providers.


























