Zafu Security Guide · April 2026 · 6 min read

How Clipboard Hijacking Works in Crypto

Clipboard hijacking malware monitors your clipboard and silently swaps any cryptocurrency address you copy with an attacker's address — before you paste. The replacement is invisible. The loss is permanent. Here's exactly how it works and how to stop it.

The direct answer

When you copy a crypto address, that address lives in your operating system's clipboard until you paste it. Clipboard hijacking malware sits in the background, watching. The moment it sees a crypto address pattern (a 42-character 0x-prefixed hex string for EVM, a base58 string for Solana), it replaces it with the attacker's address, instantly and silently. You paste, the wallet auto-fills, and you send funds to the attacker's wallet.

By the time you notice, the transaction is confirmed and irreversible.

Scale: Clipboard hijackers drained an estimated $713 million via browser-based attacks in 2025 alone. Hundreds of malware families include clipboard monitoring as a standard feature.

Step-by-step: what happens during an attack

Why it's impossible to detect visually

Here's what a clipboard hijack looks like on screen:

COPIED (what you copied): 0x71C7656EC7ab88b098defB751B7401B5f6d8976F
HIJACKED (what you pasted, after hijack): 0x71C7656EC7ab88b098defB751B7401B5f6a19e2C

The addresses are the same length. Both start with 0x71C7. Both pass checksum validation. A human glancing at the paste field has zero chance of catching the replacement. Even if you check the first and last few characters — the standard "quick check" — a targeted hijacker can generate a replacement address that matches your intended recipient's prefix and suffix.

How attackers build clipboard hijackers

Clipboard monitoring is a standard OS feature — SetClipboardViewer on Windows, NSPasteboard callbacks on macOS. Any program can register as a clipboard listener. Crypto-targeting hijackers add a regex filter and a wallet address lookup table. The total code is under 100 lines in most malware families.

More sophisticated variants pre-generate vanity addresses that share the first 6 and last 4 characters with popular exchange deposit addresses — so even a careful user who does a partial check gets fooled.

Common delivery vectors

How Zafu detects clipboard hijacking

Detection method: Zafu records the address you copied and intercepts every crypto-address paste before it reaches the input field. If the pasted address differs from the copied address, Zafu fires a HIJACKED warning and shows exactly which characters changed. The paste is blocked. You stay in control.

This works because Zafu operates at the paste event — the exact moment the hijacked address would enter your wallet. The comparison is deterministic: if copied !== pasted (same chain family), the HIJACKED state fires unconditionally.

Unlike antivirus software that tries to detect malware at install time, Zafu catches the hijack at the point of harm — regardless of which malware family performed the replacement, when it was installed, or whether any scanner has seen it before.
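
The paste-time comparison described above, sketched as an added example (not Zafu's own code). The address patterns, the function names, the NOT_COMPARED state and the case-insensitive handling of EVM hex are assumptions made for illustration; the two sample addresses are the ones shown earlier on this page.

```javascript
// Added example: compare the address recorded at copy time with the one
// arriving at paste time. Patterns and names are assumptions.
const EVM_RE = /^0x[0-9a-fA-F]{40}$/;
// Base58 alphabet excludes 0, O, I and l; Solana keys encode to 32-44 chars.
const SOLANA_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;

function chainFamily(text) {
  const s = text.trim();
  if (EVM_RE.test(s)) return "evm";
  if (SOLANA_RE.test(s)) return "solana";
  return null; // not a recognised address, nothing to compare
}

// EVM hex is case-insensitive (mixed case only carries a checksum),
// base58 is case-sensitive, so only EVM input is lowercased.
function normalize(addr, family) {
  const s = addr.trim();
  return family === "evm" ? s.toLowerCase() : s;
}

// Indices (0-based, counting the 0x prefix) where the two strings differ.
function changedPositions(a, b) {
  const out = [];
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) if (a[i] !== b[i]) out.push(i);
  return out;
}

function checkPaste(copied, pasted) {
  const cf = chainFamily(copied);
  const pf = chainFamily(pasted);
  // Only addresses of the same chain family are compared.
  if (!cf || !pf || cf !== pf) return { state: "NOT_COMPARED", changed: [] };
  const a = normalize(copied, cf);
  const b = normalize(pasted, pf);
  if (a === b) return { state: "OK", changed: [] };
  return { state: "HIJACKED", changed: changedPositions(a, b) };
}

// The two addresses from the on-screen example on this page.
const COPIED = "0x71C7656EC7ab88b098defB751B7401B5f6d8976F";
const PASTED = "0x71C7656EC7ab88b098defB751B7401B5f6a19e2C";
console.log(checkPaste(COPIED, PASTED));
```

Run on the page's example pair, the check reports five changed characters, all in the last six positions of the address.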

Frequently asked questions

Does clipboard hijacking only affect crypto?

No, but crypto is the primary target because transactions are irreversible and instant. The same technique is theoretically usable against bank routing numbers or email addresses, but the irreversibility of crypto makes it uniquely profitable for attackers.

Can a hardware wallet protect against clipboard hijacking?

Partially. A hardware wallet prompts you to verify the destination address on the device screen. If you check the device screen, you can catch the hijack. But many users skip the verification step or compare the wrong characters. Zafu catches it before the address reaches the wallet UI at all.

Is clipboard hijacking the same as address poisoning?

No. Clipboard hijacking uses malware on your device to replace an address you copied. Address poisoning plants a lookalike address in your transaction history so you copy the wrong address yourself. Both attack the paste moment — Zafu catches both with separate detection checks.

Does Zafu read my clipboard in the background?

Zafu only reads clipboard content during a paste event on a wallet or exchange page. It does not continuously monitor your clipboard. The copied address is stored only in browser session storage (cleared when you close the browser) and is never sent to any server.

What chains does Zafu protect?

Zafu detects clipboard hijacking for both EVM addresses (Ethereum, Polygon, Arbitrum, Base, and all EVM-compatible chains) and Solana addresses. ENS name resolution is also supported.

Stop clipboard hijacking before it costs you.

Free Chrome extension. No wallet access. Works across wallet and exchange websites.

Also catches address poisoning, scam addresses, and community-flagged threats.