You copy a wallet address, paste it into the withdrawal field, and reach for confirm. Everything looks fine — but the string you just pasted, is it really the one you copied a second ago? There's a class of malware that lives in exactly this gap. It doesn't steal your password. It quietly swaps out the address you copied. The crypto still goes out; someone else just collects it. That's clipboard hijacking.
This one's short. Three things, cleanly: how it pulls this off, how to catch it at a glance, and how to shut it out for good.
How it works: watching your clipboard
The mechanism is simple, almost brutally so. This kind of malware sits on your computer or phone and watches your clipboard in the background. Copy ordinary text and it ignores you. But the moment it sees you've copied something shaped like a crypto address — addresses follow fixed character patterns, so a program picks them out easily — it instantly replaces the clipboard contents with the attacker's own address.
Here's the nasty part: the address it swaps in is a perfectly valid, correctly formatted address. It passes every format check, the platform won't flag it, and unless you look closely you'll never notice. You think you're sending to your contact; you're sending to the attacker. And on-chain transfers can't be undone — once it confirms, it's gone. That's what makes this as costly as fat-fingering the address yourself, which is covered in "Can you recover a withdrawal sent to the wrong address?".
How does it get onto your device? Usually you installed some sketchy software, clicked a phishing link, or picked it up bundled with a pirated or cracked program. It doesn't need to be clever. It only needs you to skip the check.
Clipboard hijacking rides on one thing: most people copy an address, paste it, and hit confirm without a second glance. Build the habit of comparing the pasted address character by character and this attack mostly stops working on you.
How to spot it: the pasted address is different
There's only one reliable signal, but it's enough: the address you copied and the address that pastes out don't match.
How to actually check:
- Paste it out and look, right away. Once the address is in the field, don't rush ahead. Stop, and put it side by side with the original — the string the other person sent you.
- Focus on the first and last few characters. The address is long; you don't need to read every character. But compare the first 4-6 and the last 4-6 character by character. Hijacking swaps the whole string, so the start and end always change too — checking both ends is enough to catch it.
- If they don't match, stop immediately. Don't think "let me just copy it again" — as long as the clipboard is hijacked, it swaps every time you copy. Halt all transfers and go run a scan (next section).
One more layer while you're at it: drop the address into the address validator to check the format is legit. Be clear on its limits, though — a validator only tells you whether it's a well-formed address. It can't tell you whether the address was swapped or whether it belongs to an attacker, because the swapped-in one is a valid address too. The only thing that catches the swap is you, comparing the pasted string against the original character by character.
How to block it: four moves
Nothing complicated to memorize. Stack these four and clipboard hijacking mostly stays outside the door:
1. Compare the start and end, character by character (the key one)
This is the only move that directly catches a swap, so once more: every time you paste an address, check the first and last few characters against the original. Make it muscle memory. Ten-odd seconds, and what it blocks is all of your principal.
2. Whitelist your regular addresses
Binance lets you add addresses you use often to an address whitelist. Set it up, then pick from the list instead of copy-pasting every time — one less copy is one less chance to be hijacked. Whitelist the addresses you send to regularly; it's the highest-value move here.
3. Send a small test before a big one
The first time you send to any address, push a few dollars first, confirm it actually arrived with the right person, then send the real amount. If the address was swapped, you're out that small test amount, not everything.
4. Scan regularly, and don't install sketchy software
Cut the infection off at the source: run full scans with trusted security software on a schedule; don't install pirated or cracked programs, don't click downloads inside unfamiliar links, don't add browser extensions from nowhere. A clean device gives hijacking nothing to work with. If you don't have a Binance account yet and want features like the withdrawal whitelist, you can sign up with invite code BNB986 (up to 20% off fees* — actual rate shown on Binance's page).
Clipboard hijacking works by swapping the address you copied. The swapped-in address is valid and fools the validator, but it does not survive a character-by-character check. Four moves block it: compare start and end after pasting, whitelist, send a small test, scan regularly. Crypto stolen this way almost never comes back, so this is a before-you-send problem. For more mistakes of the same family, see the deposit and withdrawal mistakes roundup.
This is our referral link; signing up gets you a fee discount, and we earn a referral commission from it, which doesn't cost you extra or change your fees. First check Binance is available where you live — if your region is restricted, don't sign up, and don't use a VPN or fake details to get around it.
FAQ
What is clipboard hijacking?
It's malware sitting quietly on your computer or phone, watching your clipboard. When it notices you've copied a wallet address, it swaps in the attacker's own address the moment you paste. Skip the careful check and you send the crypto to the attacker.
How do I know if the address was swapped?
Paste it into the field, then compare the pasted address against the original character by character, especially the first and last few characters. If they don't match, your clipboard may be hijacked — stop right away and run a scan.
Can I get back crypto stolen through clipboard hijacking?
Almost never. The attacker's address is valid, the crypto really goes there, and on-chain transfers can't be reversed. This risk can only be handled by checking before you send; afterward there's rarely anything to do.
Can an address validator catch a swapped address?
No. A validator only checks whether the format is valid, and the attacker's swapped-in address is just as valid and passes the check. To catch the swap, you have to compare the pasted address against the original yourself, character by character.
Sources: Binance Help Center, Kaspersky security resources, Etherscan. Security advice here is general good practice, not an endorsement of any specific product; recovery of stolen funds is not guaranteed.
