Your paste address changed itself: clipboard-hijacking malware

Home · Wrong-chain rescue · Clipboard-hijacking malware

Your paste address changed itself? Meet clipboard hijacking

ChainTunnel EditorialUpdated 2026-06-26About a 7-minute readspoke

Independent guide · not affiliated with Binance · not investment advice · fees and rules are whatever Binance's own page shows

Clipboard hijacking illustrated: a copied wallet address swapped by malware the moment it's pasted

You copy a wallet address, paste it into the withdrawal field, and reach for confirm. Everything looks fine — but the string you just pasted, is it really the one you copied a second ago? There's a class of malware that lives in exactly this gap. It doesn't steal your password. It quietly swaps out the address you copied. The crypto still goes out; someone else just collects it. That's clipboard hijacking.

This one's short. Three things, cleanly: how it pulls this off, how to catch it at a glance, and how to shut it out for good.

How it works: watching your clipboard

The mechanism is simple, almost brutally so. This kind of malware sits on your computer or phone and watches your clipboard in the background. Copy ordinary text and it ignores you. But the moment it sees you've copied something shaped like a crypto address — addresses follow fixed character patterns, so a program picks them out easily — it instantly replaces the clipboard contents with the attacker's own address.

Here's the nasty part: the address it swaps in is a perfectly valid, correctly formatted address. It passes every format check, the platform won't flag it, and unless you look closely you'll never notice. You think you're sending to your contact; you're sending to the attacker. And on-chain transfers can't be undone — once it confirms, it's gone. That's what makes this as costly as fat-fingering the address yourself, covered in can you recover a withdrawal sent to the wrong address.

How does it get onto your device? Usually you installed some sketchy software, clicked a phishing link, or picked it up bundled with a pirated or cracked program. It doesn't need to be clever. It only needs you to skip the check.

Its whole bet is "copy, paste, don't look"

Clipboard hijacking rides on one thing: most people copy an address, paste it, and hit confirm without a second glance. Build the habit of comparing the pasted address character by character and this attack mostly stops working on you.

How to spot it: the pasted address is different

There's only one reliable signal, but it's enough: the address you copied and the address that pastes out don't match.

How to actually check:

One more layer while you're at it: drop the address into the address validator to check the format is legit. Be clear on its limits, though — a validator only tells you whether it's a well-formed address. It can't tell you whether the address was swapped or whether it belongs to an attacker, because the swapped-in one is a valid address too. The only thing that catches the swap is you, comparing the pasted string against the original character by character.

How to block it: four moves

Nothing complicated to memorize. Stack these four and clipboard hijacking mostly stays outside the door:

1. Compare the start and end, character by character (the key one)

This is the only move that directly catches a swap, so once more: every time you paste an address, check the first and last few characters against the original. Make it muscle memory. Ten-odd seconds, and what it blocks is all of your principal.

2. Whitelist your regular addresses

Binance lets you add addresses you use often to an address whitelist. Set it up, then pick from the list instead of copy-pasting every time — one less copy is one less chance to be hijacked. Whitelist the addresses you send to regularly; it's the highest-value move here.

3. Send a small test before a big one

The first time you send to any address, push a few dollars first, confirm it actually arrived with the right person, then send the real amount. If the address was swapped, you're out that small test amount, not everything.

4. Scan regularly, and don't install sketchy software

Cut the infection off at the source: run full scans with trusted security software on a schedule; don't install pirated or cracked programs, don't click downloads inside unfamiliar links, don't add browser extensions from nowhere. A clean device gives hijacking nothing to work with. If you don't have a Binance account yet and want features like the withdrawal whitelist, you can sign up with invite code BNB986 (up to 20% off fees* — actual rate shown on Binance's page).

In one line

Clipboard hijacking works by swapping the address you copied. The swapped-in one is valid, fools the validator, but not a character-by-character check. Four moves block it: compare start and end after pasting, whitelist, send a small test, scan regularly. Crypto stolen this way almost never comes back, so this is a before-you-send problem. For more mistakes of the same family, see the deposit and withdrawal mistakes roundup.

Our invite code
BNB986
No Binance account yet? Sign up with this code for up to 20% off trading fees* (rate shown on Binance's page).
Open a Binance account →

This is our referral link; signing up gets you a fee discount, and we earn a referral commission from it, which doesn't cost you extra or change your fees. First check Binance is available where you live — if your region is restricted, don't sign up, and don't use a VPN or fake details to get around it.

FAQ

What is clipboard hijacking?

It's malware sitting quietly on your computer or phone, watching your clipboard. When it notices you've copied a wallet address, it swaps in the attacker's own address the moment you paste. Skip the careful check and you send the crypto to the attacker.

How do I know if the address was swapped?

Paste it into the field, then compare the pasted address against the original character by character, especially the first and last few characters. If they don't match, your clipboard may be hijacked — stop right away and run a scan.

Can I get back crypto stolen through clipboard hijacking?

Almost never. The attacker's address is valid, the crypto really goes there, and on-chain transfers can't be reversed. This risk can only be handled by checking before you send; afterward there's rarely anything to do.

Can an address validator catch a swapped address?

No. A validator only checks whether the format is valid, and the attacker's swapped-in address is just as valid and passes the check. To catch the swap, you have to compare the pasted address against the original yourself, character by character.

ChainTunnel Editorial

We're a small editorial team that writes about not getting burned moving crypto in and out. We use pen names and don't invent credentials. Steps here are checked against the official flow and against block explorers; this isn't investment advice. Spot an error? Write [email protected] and we'll fix it and date the correction.

Sources: Binance Help Center, Kaspersky security resources, Etherscan. Security advice here is general good practice, not an endorsement of any specific product; recovery of stolen funds is not guaranteed.