How it works
Everything you copy passes through your clipboard, a small piece of shared memory that any running program can read and write. A clipper takes advantage of that. It sits quietly in the background and watches the clipboard, waiting for a pattern it recognizes.
- It monitors. The malware polls the clipboard continuously, checking whatever you last copied.
- It detects a pattern. Cryptocurrency wallet addresses have distinctive shapes, a Bitcoin address, an Ethereum address, and so on, so the malware can spot one with a simple pattern match.
- It substitutes. The instant it sees a match, it overwrites the clipboard with the attacker’s address, either the moment you copy or the moment you paste.
- You paste what looks right. The pasted value is a valid, correctly formatted address, so nothing looks off. You confirm the transaction, and it goes to the attacker.
The reason this works is that nobody types a wallet address by hand. They are long, random strings, so copy and paste is the only sane way to move one. The attacker does not need to break any encryption or steal a password. They just need to be the last thing that touched your clipboard.
Real cases
This is not hypothetical. Security vendors have tracked clipboard-hijacking malware for years, and major exchanges have issued public warnings about it.
- In September 2024, Binance issued a public advisory about a rising clipper malware threat, noting a spike in activity around August 27, 2024, and that many victims picked up the malware through unofficial apps and plugins, with attacks largely targeting mobile users because typing a wallet address by hand is so awkward there. Binance said it was blocklisting attacker addresses and notifying affected users. Source (2024)
- In November 2022, BleepingComputer documented Laplas Clipper, a clipboard hijacker that goes a step further: instead of pasting an obviously different address, it substitutes one that matches the first and last few characters of the address you copied, so a quick glance does not catch it. Laplas was sold as a subscription tool and distributed through loaders like SmokeLoader. Source (2022)
- Clipboard snooping is a broader problem than crypto theft. In March 2023, Microsoft’s security team reported that an older version of the SHEIN Android app, which has over 100 million downloads, periodically read the device clipboard and, when the contents matched a pattern, sent them to a remote server. SHEIN removed the behavior after it was reported. It is a reminder that the clipboard is a target well beyond wallet addresses. Source (2023)
One honest caveat on the numbers. Total dollar losses to clipboard-swapping malware are hard to total, because the thefts are scattered across many victims and many campaigns, and much of it goes unreported. We have not found a credible, specific figure, so we do not quote one. The verifiable takeaway is that this is an active, tracked threat, and that copy and paste is the exact moment it exploits.
How to protect yourself
There is no single switch that stops this, but a few habits close most of the gap. In rough order of impact:
- Verify the first and last characters of a pasted wallet address. Before you send anything, check that the address you pasted matches the one you copied, character for character at both ends. Lookalike clippers count on you skipping this.
- Use QR codes or an address book where possible. Scanning a QR code or picking a saved contact skips the clipboard entirely, which removes the window the malware needs.
- Keep your OS and antivirus updated. A clipper is still malware. Current security updates and a reputable, up-to-date antivirus catch a large share of these before they run.
- Be cautious with pirated software. Cracked apps, key generators, and unofficial downloads are a common delivery vector for clippers. This is one of the highest-payoff habits to change.
- Use a clipboard manager that keeps a visible history. When you can see what you actually copied, a silent swap is far easier to catch, because the pasted value will not match the record.
Where a clipboard manager helps (and where it does not)
It is worth being precise about what a clipboard manager can and cannot do here, because it is easy to overclaim.
What it helps with
Relic keeps a searchable history of what you actually copied. If a clipper swaps a wallet address, the address you originally copied is still sitting in your history, so you can compare it against what got pasted and spot the mismatch. That visibility is the real value. Relic also encrypts that history on your device with XChaCha20-Poly1305 and Argon2id, so the stored record and, if you sync, the server only ever hold ciphertext neither we nor anyone else can read.
What it does not do
Relic is not antivirus. It does not block malware, does not stop a clipper from running, and does not prevent an infection. If a clipper is already on your machine, it can still swap your clipboard, and a clipboard manager will record the swap rather than prevent it. The honest framing is that the value here is visibility and an encrypted record of what you copied, not protection from infection. That protection comes from your antivirus, your updates, and your download habits.
| Antivirus | Relic | |
|---|---|---|
| Blocks or removes the malware | ||
| Stops the clipboard from being swapped | ||
| Shows what you actually copied | ||
| Encrypted history of your clipboard |
The two work in different lanes. Antivirus is what keeps the clipper off your machine. A clipboard manager with a visible, encrypted history is what helps you notice when something copy-and-pasted does not add up. To be honest about scope: Relic’s desktop client is live on Windows today, other desktop platforms are in beta, and on phones it is a browse-and-search companion rather than a background recorder.
Frequently asked questions
I pasted a crypto address and it changed. What happened?
That is the signature of clipboard hijacking, also called clipper malware. A program running on your device watched your clipboard, recognized that you had copied a cryptocurrency wallet address, and swapped it for the attacker's address at the moment you copied or pasted. The value looks like a valid address, so nothing seems wrong until the money lands in the wrong wallet. If a transaction has already gone through, it is almost certainly unrecoverable, and you should treat the device as compromised, run a full antivirus scan, and check for suspicious apps or browser extensions.
What is a clipper?
A clipper, or clipper malware, is a type of malware whose whole job is to monitor your clipboard and replace what you copied with something the attacker controls. The classic target is a cryptocurrency wallet address, because those are long strings nobody types by hand, so almost everyone copies and pastes them. Some clippers, like Laplas, even substitute an address that starts and ends with the same characters as yours to slip past a quick glance.
How do I know if I have clipboard malware?
The clearest sign is a pasted value that does not match what you copied, especially a wallet address whose middle characters are different. Beyond that it hides well. Run a reputable antivirus scan, review installed programs and browser extensions for anything you do not recognize, and be extra suspicious if you recently installed pirated or cracked software, which is a common delivery route. A clipboard manager that keeps a visible history also helps, because you can compare what you actually copied against what got pasted.
Does a clipboard manager protect me from clipper malware?
Not directly. Relic is not antivirus and does not block malware or stop an infection. What it gives you is visibility: a searchable history of what you actually copied, so a silent swap is easier to notice when the pasted value does not match the record. That history is encrypted on your device with XChaCha20-Poly1305 and Argon2id. The protection against infection still comes from good security hygiene and antivirus, not from the clipboard manager.
Where does clipboard hijacking malware come from?
It usually arrives bundled with something else. Common routes include pirated or cracked software and key generators, fake or unofficial app downloads, malicious browser extensions, and loaders like SmokeLoader that install a clipper as one of several payloads. Binance's 2024 advisory noted that many victims picked it up from unofficial apps and plugins, often while searching for software in their own language through unofficial channels.