Protect Your Clipboard From Crypto Address Swapping Attacks
Patrick Bushe
November 10, 2025
The attack that has drained millions in crypto
The scenario: you're sending cryptocurrency. You copy the recipient's wallet address, switch to your exchange or wallet app, paste it in, and send the transaction. The funds go to the wrong address. Irreversibly.
This is clipboard hijacking, and it's one of the most financially damaging forms of malware in the crypto space. Estimates put total losses from clipboard hijackers in the hundreds of millions of dollars.
How address swapping works
Clipboard hijackers work in two main forms:
Desktop malware: A malicious process runs in the background and monitors your clipboard. When it detects something that looks like a crypto wallet address (the pattern-match is easy — addresses have characteristic formats for each blockchain), it immediately overwrites your clipboard with an attacker-controlled address. By the time you paste, you're pasting the wrong address.
Browser-based: A malicious script on a compromised website (or in a browser extension with clipboard access) uses the Clipboard API to both read your clipboard and write to it. When it detects a wallet address, it replaces it.
The browser-based variant is particularly insidious because you might be on what appears to be a legitimate website — perhaps a DEX or DeFi protocol that's been compromised at the CDN or third-party script level — and the swap happens invisibly.
Why people don't catch it
Wallet addresses are long strings of random-looking characters. No one memorizes them. You copy, you paste, you move on. There's no obvious signal that the address changed between copy and paste.
Some exchanges show a partial preview of the pasted address, but most people don't compare it character by character. The attacker's address looks like any other string.
How to verify before sending
Good habit: after pasting a wallet address, compare at least the first 4-6 characters and the last 4-6 characters against the original. This doesn't catch every case, but it catches naive clipboard swappers that use a fixed replacement address.
Better habit: use a hardware wallet or signing device that shows the destination address on its own screen. The address on the device screen can't be manipulated by clipboard malware.
Best habit: use both verification and a clipboard protection tool.
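The difference between the first-and-last-characters check and a full comparison, as an added example (not from the original article and not Clipboard Guard's code). The function names and the sample addresses are assumptions constructed for illustration; the reference address is assumed to come from a trusted copy such as an address book entry.

```javascript
// Added example (not Clipboard Guard code). All addresses below are constructed.

// Remove whitespace picked up during copy/paste. Case is left alone because
// some address formats are case-sensitive.
function normalize(addr) {
  return String(addr).replace(/\s+/g, "");
}

// The "first n and last n characters" habit, expressed as a check.
function endsMatch(expected, pasted, n = 4) {
  const a = normalize(expected);
  const b = normalize(pasted);
  if (a.length < 2 * n || b.length < 2 * n) return false;
  return a.slice(0, n) === b.slice(0, n) && a.slice(-n) === b.slice(-n);
}

// Full comparison against a trusted reference copy of the address.
function verifyPaste(expected, pasted, n = 4) {
  const a = normalize(expected);
  const b = normalize(pasted);
  const diffs = [];
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) diffs.push(i);
  }
  return {
    match: diffs.length === 0,
    endsOnlyWouldPass: endsMatch(a, b, n),
    firstDiff: diffs.length ? diffs[0] : -1,
    diffCount: diffs.length,
  };
}

// Constructed sample values in a 42-character hex format (not real wallets).
const EXPECTED = "0x1a2b" + "0".repeat(32) + "c3d4";
const SAME_ENDS = "0x1a2b" + "f".repeat(32) + "c3d4"; // differs only in the middle
const FIXED_SWAP = "0x" + "9".repeat(40);             // differs almost everywhere

function demo() {
  return {
    clean: verifyPaste(EXPECTED, "  " + EXPECTED + "\n"),
    sameEnds: verifyPaste(EXPECTED, SAME_ENDS),
    fixedSwap: verifyPaste(EXPECTED, FIXED_SWAP),
  };
}

console.log(demo());
```

The `sameEnds` case passes the partial check and fails the full one, which is why the device-screen confirmation in the next habit compares the whole address.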
How Clipboard Guard blocks this
Clipboard Guard intercepts clipboard writes from web pages. When a site tries to write to your clipboard (the mechanism browser-based hijackers use), Clipboard Guard can block the write or notify you first.
Install it from the Chrome Web Store. In its settings, enable "Block clipboard writes" or "Prompt before clipboard writes" depending on how much friction you want. For crypto-related browsing, blocking writes entirely is the safe default — legitimate sites rarely need to write to your clipboard silently.
For protection against OS-level clipboard malware (not browser-based), you'll need a separate anti-malware tool. Clipboard Guard works within the browser sandbox and can't inspect or intercept changes made by desktop processes.
A defense-in-depth checklist
- Install Clipboard Guard and block silent clipboard writes in Chrome
- Always verify at least the first and last four characters of a pasted address before sending
- On large transactions, type the first few characters manually and verify the rest
- Use hardware wallet confirmation screens for significant transfers
- Keep your operating system and browser updated (many clipboard malware variants target known vulnerabilities)
- Be cautious with browser extensions — every extension with clipboard access can read and write your clipboard
Conclusion
Clipboard address swapping is a simple attack with catastrophic consequences. The defense — combining clipboard write protection in the browser with manual address verification — is also simple. It takes thirty seconds to set up and could save you from an unrecoverable loss.