Clipboard Hijacker
What is Clipboard Hijacker?
A clipboard hijacker (crypto clipper) is malware that watches the OS clipboard and silently substitutes a victim's copied cryptocurrency address with one controlled by the attacker.
A clipboard hijacker, often called a crypto clipper, is a small piece of malware (frequently delivered as a trojanized installer, browser extension, or info-stealer module) that monitors clipboard content for patterns matching wallet addresses (BTC, ETH, TRON, SOL, etc.). When it sees one, it replaces the address in the clipboard with one the attacker controls; the user pastes the substituted address into their wallet and authorizes a transfer to the wrong destination. Families like ClipBanker and clipper plugins in Lumma or RedLine have stolen significant funds. Defences include up-to-date EDR, verifying addresses on the device screen before signing, using ENS or address books, and treating any 'paid copy of cracked software' as hostile.
● Examples
- 01
A user pastes a Bitcoin address into their wallet; malware has swapped it for an address with similar first and last characters, and 0.5 BTC goes to the attacker.
- 02
A trojanized 'wallet desktop app' from a fake site installs a clipper that swaps ETH addresses.
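A paste-time check that a wallet or transfer form could run in support of the "verify the address before signing" defence, given as an added example (not code from this glossary or from any wallet project). The function names, shape patterns and sample addresses are assumptions constructed for illustration; the patterns test shape only, not checksums.

```python
import os
import re

# Coarse shape checks for the address families the entry names. Assumed
# patterns for illustration: they test shape only, not checksums.
ADDRESS_SHAPES = {
    "ETH": re.compile(r"0x[0-9a-fA-F]{40}"),
    "BTC": re.compile(r"bc1[02-9ac-hj-np-z]{39,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "TRON": re.compile(r"T[1-9A-HJ-NP-Za-km-z]{33}"),
    "SOL": re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
}

# Constructed sample values, not real wallet addresses.
COPIED = "0x1a2b3c4d5e6f708192a3b4c5d6e7f8091a2b3c4d"
LOOKALIKE = "0x1a2b" + "f" * 32 + "3c4d"   # same first/last characters
UNRELATED = "0x" + "9" * 40


def family(addr):
    """Return the first family whose shape the whole string matches, else None."""
    for name, shape in ADDRESS_SHAPES.items():
        if shape.fullmatch(addr):
            return name
    return None


def shared_prefix(a, b):
    """Number of leading characters a and b have in common."""
    return len(os.path.commonprefix([a, b]))


def check_paste(intended, pasted, edge=4):
    """Compare the address the user meant to use with what landed in the field."""
    intended, pasted = intended.strip(), pasted.strip()
    fam_i, fam_p = family(intended), family(pasted)
    if fam_i is None or fam_p is None:
        return "not-an-address"
    if fam_i == fam_p == "ETH":
        # Hex addresses differ in case only through EIP-55 checksum casing.
        intended, pasted = intended.lower(), pasted.lower()
    if intended == pasted:
        return "match"
    # Drop the fixed family prefix so it does not count as a "similar" start.
    body_i, body_p = (re.sub(r"^(0x|bc1)", "", s) for s in (intended, pasted))
    same_ends = (shared_prefix(body_i, body_p) >= edge
                 or shared_prefix(body_i[::-1], body_p[::-1]) >= edge)
    if fam_i == fam_p and same_ends:
        return "substituted-lookalike"
    return "substituted"
```

Any result other than `match` should block the transfer and show the full destination address for a character-by-character comparison.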
● Frequently asked questions
What is Clipboard Hijacker?
A clipboard hijacker (crypto clipper) is malware that watches the OS clipboard and silently substitutes a victim's copied cryptocurrency address with one controlled by the attacker. It belongs to the Web3 & Blockchain category of cybersecurity.
How do you defend against Clipboard Hijacker?
Defences for Clipboard Hijacker typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Clipboard Hijacker?
Common alternative names include: Crypto clipper, Clipper malware, ClipBanker.
● Related terms
- web3 № 016
Address Poisoning
Address poisoning seeds a victim's transaction history with attacker-controlled lookalike addresses so they later copy-paste the wrong one and send funds to the attacker.
- web3 № 816
Permit2 Phishing
Permit2 phishing tricks an Ethereum user into signing a Uniswap Permit2 off-chain message that grants an attacker the right to transfer the victim's ERC-20 tokens.
- malware № 531
Info Stealer
Malware that harvests credentials, cookies, tokens, crypto wallets, and other sensitive data from an infected device and exfiltrates it to the attacker.
- malware № 1176
Trojan Horse
Malware that disguises itself as a legitimate program to trick users into running it, delivering a hidden malicious payload.
- malware № 649
Malware
Any software intentionally designed to disrupt, damage, or gain unauthorized access to computers, networks, or data.
● See also
- № 365 Dust Attack