Clipboard Malware
Clipboard malware (also called a clipper) is malicious software that monitors your clipboard for cryptocurrency addresses and silently replaces them with addresses controlled by the attacker. When you paste what you think is the recipient's address, you're actually sending bitcoin to the thief.
How It Works
Clipboard malware runs silently in the background on your computer. It continuously monitors the system clipboard, watching for strings that match the format of Bitcoin addresses. When it detects one, it instantly replaces the clipboard contents with an attacker-controlled address. The swap happens in milliseconds — you copy a legitimate address, but when you paste, a different address appears. If you don't carefully verify, your bitcoin goes to the attacker.
More sophisticated variants maintain a pool of addresses that visually resemble common address patterns, matching the first and last few characters of the original address. Casual verification by checking "the first few characters" is not enough. These attacks are delivered through infected software downloads, browser extensions, pirated applications, and compromised websites.
The primary defense is your hardware wallet's display. When you construct a transaction using a PSBT workflow, the hardware wallet shows the destination address on its own trusted screen. Always verify that the complete address shown on your hardware wallet display matches the intended recipient. Air-gapped workflows using QR codes or SD cards are even better, since the signing device is never connected to the potentially compromised computer. On a broader level, keep your transaction computer clean: use dedicated machines, avoid installing unnecessary software, and verify all downloads.
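The swap behaviour described above can also be flagged on the host. The following is an added example, not code from the original page: a heuristic that scans time-ordered clipboard snapshots for an address-shaped string replaced by a different one within milliseconds, and records whether a first-and-last-characters check would have passed. The 500 ms window, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Shape-only patterns (Base58 legacy/P2SH and bech32); checksums are not verified.
ADDR_RE = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$")

def looks_like_address(text):
    return bool(ADDR_RE.match(text.strip()))

def edges_match(a, b, n=5):
    """True when a 'first and last few characters' check would pass."""
    return a[:n] == b[:n] and a[-n:] == b[-n:]

def find_swaps(events, window_ms=500):
    """Flag address -> different address changes faster than window_ms.

    events: time-ordered (timestamp_ms, clipboard_text) snapshots.
    window_ms: assumed threshold; a person rarely copies two different
    addresses within half a second, while the swap takes milliseconds.
    """
    findings = []
    for (t0, old), (t1, new) in zip(events, events[1:]):
        old, new = old.strip(), new.strip()
        if (old != new and t1 - t0 <= window_ms
                and looks_like_address(old) and looks_like_address(new)):
            findings.append({"at_ms": t1, "delta_ms": t1 - t0,
                             "copied": old, "now": new,
                             "edges_match": edges_match(old, new)})
    return findings

# Constructed sample data: address-shaped strings, not real wallets.
HEAD, TAIL = "bc1q9x8g", "a7lk3m7"
LEGIT = HEAD + "f2tvdw0s3jn54khce6mu" + TAIL
LOOKALIKE = HEAD + "zry0pw3sd5j4nhkec6mu" + TAIL
OTHER = "bc1q" + "p" * 28
SAMPLE_EVENTS = [
    (0, "meeting notes"),
    (4000, LEGIT),
    (4030, LOOKALIKE),   # fast swap, same first/last characters
    (60000, LEGIT),      # user copies again 56 s later: not flagged
    (60040, OTHER),      # fast swap, no resemblance
    (95000, LEGIT),      # slow, user-driven change: not flagged
]

if __name__ == "__main__":
    for f in find_swaps(SAMPLE_EVENTS):
        print(f)
```

The first finding has `edges_match` set to true, which is the case a partial visual check misses; the heuristic complements, and does not replace, verifying the full address on the hardware wallet's screen.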
Key Points
- Clipboard malware silently replaces copied Bitcoin addresses with attacker-controlled addresses
- Always verify the full destination address on your hardware wallet's screen before signing
- Checking only the first and last few characters is insufficient — sophisticated malware matches these
- Air-gapped signing workflows protect against compromised computers
- Use dedicated, clean computers for Bitcoin transactions and avoid installing unnecessary software