Bitcoin Forum

Other => Beginners & Help => Topic started by: Mashfiqun on February 24, 2019, 09:42:37 AM



Title: Beware from this malware.
Post by: Mashfiqun on February 24, 2019, 09:42:37 AM
Just yesterday I was going to send some bitcoins to my friend's address. He gave me his address, I copied it and went to send on my wallet. Suddenly I saw the address my friend gave me started with 3 but the address I pasted to send the transaction started with 1. I then copied other wallet addresses and pasted on notepad. And every time it was another new address. This was some kind of clipboard hacking. Some kind of malware came into my laptop and started to do these. I think using faucets and other nsfw sites might have done this.
I scanned with my antivirus and MalwareBytes and it was resolved. But I wanted more safety so I did a full Windows re-installation.

Always try to avoid faucets with a lot of ads, don't click anything stupid, don't download anything unwanted.
And always double check addresses before sending any transaction.
Peace.


Title: Re: Beware from this malware.
Post by: jademaxsuy on February 24, 2019, 10:05:18 AM
Hacking your clipboard is possible, instead of pasting the address you just copied recently but the address you'll paste is different, which happened in your situation. You did well in cleaning your laptop by reinstalling your operating system, which helps in cleaning your laptop. Some antiviruses can't detect all viruses.


Title: Re: Beware from this malware.
Post by: Jating on February 24, 2019, 10:06:11 AM
This is what you call copy-and-paste virus:

Copy-Paste Virus For Bitcoin Users -- Beware!!! (https://bitcointalk.org/index.php?topic=1841658.0)
affected by bitcoin Copy paste viruses (https://bitcointalk.org/index.php?topic=2278720.0)

You're lucky that you didn't send the bitcoin right away, otherwise it's goodbye. I'm sure you learn your lessons already so next time just be careful.


Title: Re: Beware from this malware.
Post by: UserU on February 24, 2019, 10:22:53 AM
Did you install some browser extensions recently? Usually these are able to hijack your clipboard.


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 24, 2019, 10:32:45 AM
Did you install some browser extensions recently? Usually these are able to hijack your clipboard.
No, just metamask is there.


Title: Re: Beware from this malware.
Post by: jademaxsuy on February 24, 2019, 10:34:58 AM
Did you install some browser extensions recently? Usually these are able to hijack your clipboard.
I think the op did install a browser extension which is the reason why the clipboard can be easily hijack by hackers. Browsers are the first step that the hacker can invade your devices through extensions and downloading unknown files or through pop-up ads.


Title: Re: Beware from this malware.
Post by: ryap12 on February 24, 2019, 10:39:58 AM
100% it's a malware you got there. But I am not sure if it's due to those faucets where your computer got infected. Are you using google chrome because the browser prevents you from entering dangerous websites and will scan downloads. I highly suspect you installed an infected software which triggered the installation of the malware. Good thing though you notice the address was changed. You did the right thing by re-installing the entire OS which will also remove those other unwanted programs.


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 24, 2019, 11:22:11 AM
100% it's a malware you got there. But I am not sure if it's due to those faucets where your computer got infected. Are you using google chrome because the browser prevents you from entering dangerous websites and will scan downloads. I highly suspect you installed an infected software which triggered the installation of the malware. Good thing though you notice the address was changed. You did the right thing by re-installing the entire OS which will also remove those other unwanted programs.
I generally do check addresses. But this is the only time it was entirely changed.
I am lucky that I didn't click the send button.
Yes, I thought re-installing OS would help, and it did.
Switching to Brave Browser for more ad blocking. <3


Title: Re: Beware from this malware.
Post by: hacker1001101001 on February 24, 2019, 11:36:23 AM
This probably is a known script in the Windows operating system and is used by many hackers out there to manipulate copy-paste or Keystroke activity of a victim. As per I know this is one of the old operating viruses and has not affected much in the crypto space currently. Rather there are many other similar scripts developed every day to manipulate the data on the web. We could say they are pretty common and most of the anti-virus even if they are some free ones, can detect it.

The reason behind you getting affected by the virus would probably be an unwilling click on some spammy stuff online which further led this virus to penetrate in your system and later manipulated your transactions.

My best solution to avoid such type of manipulation is using a Linux operating system which would surely keep you secure from such spammy scripts in the future.

I would suspect you were using a windows operating system right?

You could check this video, to know more about how does the malware work:

Windows ClipBoard Hijacker Swaps out CryptoCurrency Addresses (https://youtu.be/Ty-_IjavYH4)


Title: Re: Beware from this malware.
Post by: Ipwich on February 24, 2019, 12:11:34 PM
I have my friends got victimized with this in the past, they are not careful in sending without double checking the recipient address and their coins were gone. I'm glad they informed so I'm aware and more careful, I'm also not double stuff from the internet as that could be one of the cause, with my sensitive information in my computer, I only dedicate my PC on crypto thing.

This is what you call copy-and-paste virus:

Copy-Paste Virus For Bitcoin Users -- Beware!!! (https://bitcointalk.org/index.php?topic=1841658.0)
affected by bitcoin Copy paste viruses (https://bitcointalk.org/index.php?topic=2278720.0)

You're lucky that you didn't send the bitcoin right away, otherwise it's goodbye. I'm sure you learn your lessons already so next time just be careful.


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 24, 2019, 12:12:03 PM
This probably is a known script in the Windows operating system and is used by many hackers out there to manipulate copy-paste or Keystroke activity of a victim. As per I know this is one of the old operating viruses and has not affected much in the crypto space currently. Rather there are many other similar scripts developed every day to manipulate the data on the web. We could say they are pretty common and most of the anti-virus even if they are some free ones, can detect it.

The reason behind you getting affected by the virus would probably be an unwilling click on some spammy stuff online which further led this virus to penetrate in your system and later manipulated your transactions.

My best solution to avoid such type of manipulation is using a Linux operating system which would surely keep you secure from such spammy scripts in the future.

I would suspect you were using a windows operating system right?
Yes I am using Windows as stated in my post.
Using Linux may be a solution but sometimes Windows is the best way to go.
Thanks for your recommendations.


Title: Re: Beware from this malware.
Post by: Lucius on February 24, 2019, 12:12:58 PM
I scanned with my antivirus and MalwareBytes and it was resolved. But I wanted more safety so I did a full Windows re-installation.

You probably not have such a good antivirus and you only use free version of Malwarebytes. Primary purpose of security software is to protect you from potential threats before they penetrate the system, and for that you should have proactive protection. Think about improving your security software, it is not too expensive, and in any case it is worth it.

I also browse some faucets, and it is true most of them have very aggressive advertising and potentially dangerous things, so without adequate protection no user should use such sites / or to use them with device which is not have any crypto wallet.


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 24, 2019, 12:29:37 PM
You probably not have such a good antivirus and you only use free version of Malwarebytes. Primary purpose of security software is to protect you from potential threats before they penetrate the system, and for that you should have proactive protection. Think about improving your security software, it is not too expensive, and in any case it is worth it.
Well, sort of. But now I'm considering security seriously. Gonna buy a new premium antivirus.


Title: Re: Beware from this malware.
Post by: r1s2g3 on February 24, 2019, 03:23:07 PM
This is not the new virus. The exact name of this virus is "Coin RPG Malware".
Please read below the 4 year old reddit post

https://www.reddit.com/r/Bitcoin/comments/29z742/help_freaking_outpasting_is_not_pasting_the/


Title: Re: Beware from this malware.
Post by: crairezx20 on February 24, 2019, 03:34:22 PM
Some faucets site have auto install script so even you are not clicking any ads the malware or virus will automatically install in your system.
So to avoid getting infected or attack by hackers use an updated antivirus that supports crypto protection like Kaspersky total security.

I never experienced any problem like clipboard virus. I have this virus on my rig miner but I don't use them for transferring bitcoin or any crypto.

It shows clipboard.exe on task manager that is why I restrict the windows when this clipboard.exe running because I don't know how to remove this without waiting too long to scan the rig.

Anyway, I just use my rig for mining and everything there including the bat script is edited from my laptop before I transfer them to the mining rig.

Always make sure that you are using antivirus and you will be fine to protect your self from malware and viruses. Don't use AVG, Avast and McAfee it may lead to more malware and advertisement.

ESET and Kaspersky are the best for me because after you download a file or going to a website if they found suspicious or viruses they will automatically disinfect the file or delete without asking you.


Title: Re: Beware from this malware.
Post by: Velkro on February 24, 2019, 07:33:26 PM
Just yesterday I was going to send some bitcoins to my friend's address. He gave me his address, I copied it and went to send on my wallet. Suddenly I saw the address my friend gave me started with 3 but the address I pasted to send the transaction started with 1. I then copied other wallet addresses and pasted on notepad. And every time it was another new address. This was some kind of clipboard hacking.
You infected your PC somehow. Best way to fight this is to reinstall whole operating system you have. Cleaning virus is never 100% precise and you can't be sure it was destroyed completely. Best course of action is to reinstall OS as you mentioned.
Learn about computer hygiene for future actions and to not lose your Bitcoins.


Title: Re: Beware from this malware.
Post by: logfiles on February 24, 2019, 08:11:53 PM
My best solution to avoid such type of manipulation is using a Linux operating system which would surely keep you secure from such spammy scripts in the future.

I use Linux too and yes for now it feels safe but that does not mean that someone out there will not consider making malware for Linux too. I think the reason we don't have so many such cases in Linux is because it does not have a big user base as windows so making malware for Linux does not seem profitable and feasible for the hackers.

Care always has to be taken care off regardless of the operating system because you never know on which side of the bed the hacker might wake up from one day  ;D

Some faucets site have auto install script so even you are not clicking any ads the malware or virus will automatically install in your system.
So to avoid getting infected or attack by hackers use an updated antivirus that supports crypto protection like Kaspersky total security.
Add the NoScript add on to the list. I currently use it in Mozilla Firefox and it blocks all suspicious scripts while you browse through different web pages. The power is in your hands on what script to unblock and which to keep blocked. This can prevent necessary downloading of malware or infection of your web browser without your knowledge.


Title: Re: Beware from this malware.
Post by: Kopyleft on February 24, 2019, 08:16:28 PM
Thanks for sharing this information. For safety I clear my clip boards daily and always write down any important information or data I need. I regularly also scan my device for virus or malware. We should all always be security conscious. Especially when dealing with unverified links and apps.


Title: Re: Beware from this malware.
Post by: EndimyonsDream on February 24, 2019, 09:28:47 PM
I would also advise to start using the Brave browser, best browser out there in my opinion when it comes to security and protecting yourself.


Title: Re: Beware from this malware.
Post by: emulsifryer on February 24, 2019, 11:34:54 PM
Just yesterday I was going to send some bitcoins to my friend's address. He gave me his address, I copied it and went to send on my wallet. Suddenly I saw the address my friend gave me started with 3 but the address I pasted to send the transaction started with 1. I then copied other wallet addresses and pasted on notepad. And every time it was another new address. This was some kind of clipboard hacking. Some kind of malware came into my laptop and started to do these. I think using faucets and other nsfw sites might have done this.
I scanned with my antivirus and MalwareBytes and it was resolved. But I wanted more safety so I did a full Windows re-installation.

Always try to avoid faucets with a lot of ads, don't click anything stupid, don't download anything unwanted.
And always double check addresses before sending any transaction.
Peace.
I have also experienced the same thing as what happened to yours. You must double check every time you make transactions because you wouldn't know if the address you were going to send your coins is not really yours.


Title: Re: Beware from this malware.
Post by: jhenfelipe on February 25, 2019, 12:09:33 AM
Good thing that there's a noticeable difference in one glance. If ever your friend's address starts in 1 as well and you're not cautious, you might have been a victim.

And always double check addresses before sending any transaction.
Double/triple checking the recipient address will always be the best thing to do, people should make this a habit even without knowing about this malware.
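Added example (not part of any post in this thread): the "double check" discussed above, done as a full comparison plus a Base58Check checksum test instead of a glance at the first character. It covers only legacy addresses starting with 1 or 3; the function names are hypothetical and the sample addresses are constructed from made-up hash bytes.

```python
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _checksum(data: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    """Encode version byte + 20-byte hash as a legacy address string."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each leading 0x00 -> "1"
    return "1" * zeros + digits


def b58check_decode(addr: str):
    """Return (version, hash) or None if the string is not a valid address."""
    n = 0
    for ch in addr:
        idx = ALPHABET.find(ch)
        if idx < 0:                      # character outside the Base58 alphabet
            return None
        n = n * 58 + idx
    zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * zeros + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25:                   # 1 version + 20 hash + 4 checksum
        return None
    data, check = raw[:-4], raw[-4:]
    if _checksum(data) != check:         # typo or truncation
        return None
    return data[0], data[1:]


def check_paste(intended: str, pasted: str) -> str:
    """Compare the address you were given with what actually got pasted."""
    intended, pasted = intended.strip(), pasted.strip()
    want = b58check_decode(intended)
    if want is None:
        return "intended-invalid"
    if pasted == intended:
        return "match"
    got = b58check_decode(pasted)
    if got is None:
        return "pasted-invalid"
    # Both are well-formed addresses but they differ: the text was replaced.
    if got[0] != want[0]:
        return "swapped-type-changed"    # e.g. copied 3..., pasted 1...
    return "swapped-same-type"           # same first character, different owner


# Constructed sample addresses (made-up hash bytes, not real wallets).
FRIEND_P2SH = b58check_encode(0x05, bytes(range(1, 21)))    # starts with "3"
FRIEND_P2PKH = b58check_encode(0x00, bytes(range(1, 21)))   # starts with "1"
OTHER_P2PKH = b58check_encode(0x00, bytes(range(21, 41)))   # starts with "1"

if __name__ == "__main__":
    # The situation in the first post: copied "3...", pasted "1...".
    print(check_paste(FRIEND_P2SH, OTHER_P2PKH))
    # The situation raised just above: both start with "1", so a glance at
    # the first character passes while the full comparison does not.
    print(FRIEND_P2PKH[0] == OTHER_P2PKH[0], check_paste(FRIEND_P2PKH, OTHER_P2PKH))
    # Trailing whitespace from the clipboard is not a swap.
    print(check_paste(FRIEND_P2PKH, FRIEND_P2PKH + "\n"))
```

The address to compare against should come from a channel the clipboard cannot touch, such as reading it from the friend's message on another device.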


Title: Re: Beware from this malware.
Post by: jseverson on February 25, 2019, 02:32:48 AM
My best solution to avoid such type of manipulation is using a Linux operating system which would surely keep you secure from such spammy scripts in the future.

I use Linux too and yes for now it feels safe but that does not mean that someone out there will not consider making malware for Linux too. I think the reason we don't have so many such cases in Linux is because it does not have a big user base as windows so making malware for Linux does not seem profitable and feasible for the hackers.

While this is true, Linux is also more inherently resistant to attacks than Windows thanks to its architecture. Attacking Linux systems mostly entails exploiting vulnerabilities, whereas an attacker only needs to find a way to run a script or two in Windows. Neither is completely secure for sure, but if your activities include visiting shady sites and/or downloading a bunch of media, you're much better off running Linux than Windows.

That being said, if you're using your computer to handle crypto, you shouldn't be doing anything risky with it no matter which OS you use. You may think that you know how to take care of yourself, but that's exactly what countless other victims before you had assumed.


Title: Re: Beware from this malware.
Post by: hacker1001101001 on February 25, 2019, 04:12:42 AM
-snip-
Care always has to be taken care off regardless of the operating system because you never know on which side of the bed the hacker might wake up from one day  ;D

Hence my personal text xD ;D


Title: Re: Beware from this malware.
Post by: nutildah on February 25, 2019, 08:32:01 AM
-snip-
Care always has to be taken care off regardless of the operating system because you never know on which side of the bed the hacker might wake up from one day  ;D

Hence my personal text xD ;D

You should probably respond to this:

https://bitcointalk.org/index.php?topic=5113985.0


Title: Re: Beware from this malware.
Post by: Hivalley on February 25, 2019, 11:14:06 AM
This is not the first case I've come across on this sort of thing, malwares breaking into people's keyboards and revealing wrong information which would lead to funds been lost.
You have done good to alert others about this and also have to be careful sites you click on, most links been shared most times are links containing malware virus.


Title: Re: Beware from this malware.
Post by: crairezx20 on February 25, 2019, 12:34:34 PM
Some faucets site have auto install script so even you are not clicking any ads the malware or virus will automatically install in your system.
So to avoid getting infected or attack by hackers use an updated antivirus that supports crypto protection like Kaspersky total security.
Add the NoScript add on to the list. I currently use it in Mozilla Firefox and it blocks all suspicious scripts while you browse through different web pages. The power is in your hands on what script to unblock and which to keep blocked. This can prevent necessary downloading of malware or infection of your web browser without your knowledge.


If you use some script which is not updated hackers or those who created the autoinstall script from the site can be upgraded in the future and can bypass those not updated scripts protection.

So For me installing antivirus which is updated, you can prevent the PC become infected with Malware and viruses.
It's not a problem to pay for annually license because it gives you more protect than a free one.


Title: Re: Beware from this malware.
Post by: jseverson on February 25, 2019, 02:24:04 PM
So For me installing antivirus which is updated, you can prevent the PC become infected with Malware and viruses.
It's not a problem to pay for annually license because it gives you more protect than a free one.

For what it's worth, I've been seeing a lot more knowledgeable people recommend running a combination of Windows Defender and Malwarebytes. It's not bulletproof by any means, but that setup along with common sense should be able to protect most users from most threats and they get to avoid shady antiviruses.

It would be good practice to install as few programs as possible nowadays, as you can't really trust any company, even  antiviruses (https://www.bankinfosecurity.com/eu-claims-kaspersky-lab-software-confirmed-as-malicious-a-11080).


Title: Re: Beware from this malware.
Post by: Bitze on February 25, 2019, 02:32:45 PM
Just yesterday I was going to send some bitcoins to my friend's address. He gave me his address, I copied it and went to send on my wallet. Suddenly I saw the address my friend gave me started with 3 but the address I pasted to send the transaction started with 1. I then copied other wallet addresses and pasted on notepad. And every time it was another new address. This was some kind of clipboard hacking. Some kind of malware came into my laptop and started to do these. I think using faucets and other nsfw sites might have done this.
I scanned with my antivirus and MalwareBytes and it was resolved. But I wanted more safety so I did a full Windows re-installation.

Always try to avoid faucets with a lot of ads, don't click anything stupid, don't download anything unwanted.
And always double check addresses before sending any transaction.
Peace.

thanks for the warning. would be interesting to know what malware caused this behavior.
so before each transaction at least match the first few characters is certainly no mistake ;)


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 25, 2019, 02:42:39 PM
thanks for the warning. would be interesting to know what malware caused this behavior.
so before each transaction at least match the first few characters is certainly no mistake ;)
Yes, I don't think you need to check more than a few characters. Sometimes checking two starting characters and two ending ones work well.
This (https://techcrunch.com/2018/07/03/new-malware-highjacks-your-windows-clipboard-to-change-crypto-addresses/) might help to learn a little bit about the malware.


Title: Re: Beware from this malware.
Post by: harizen on February 25, 2019, 02:52:49 PM
I'm 90% sure that it's from NSFW sites and OP surely did some clickbait.

Again, even without anti-virus (or using free ones), we can be safe. Sometimes malware enters the system because of the user's fault.

Anyways, if you are not that overprotective, no need to change on another OS. Windows is enough and its built-in Defender. While planning to purchase premium anti-virus, you must also upgrade your own knowledge about dealing on any links/sites. That's the reason you fall to their bait.

Remember even how powerful your security is, considered that as secondary defense. Your primary defense is your ability to recognize good links to sh*t ones.

If you still have the logs coming from Malwarebytes, you can also share it for others reference.


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 25, 2019, 03:15:03 PM
I'm 90% sure that it's from NSFW sites and OP surely did some clickbait.

Again, even without anti-virus (or using free ones), we can be safe. Sometimes malware enters the system because of the user's fault.

Anyways, if you are not that overprotective, no need to change on another OS. Windows is enough and its built-in Defender. While planning to purchase premium anti-virus, you must also upgrade your own knowledge about dealing on any links/sites. That's the reason you fall to their bait.

Remember even how powerful your security is, considered that as secondary defense. Your primary defense is your ability to recognize good links to sh*t ones.

If you still have the logs coming from Malwarebytes, you can also share it for others reference.
I suspect NSFW sites also. And yes, I'm not considering switching OS at all. Windows Defender also is enough I guess (if we follow your recommendation of increasing knowledge about dealing with the web). Currently I'm not getting anything as I had a full reinstallation of Windows. Trying my best to keep my laptop safe this time. :)


Title: Re: Beware from this malware.
Post by: crairezx20 on February 25, 2019, 04:10:23 PM
So For me installing antivirus which is updated, you can prevent the PC become infected with Malware and viruses.
It's not a problem to pay for annually license because it gives you more protect than a free one.

For what it's worth, I've been seeing a lot more knowledgeable people recommend running a combination of Windows Defender and Malwarebytes. It's not bulletproof by any means, but that setup along with common sense should be able to protect most users from most threats and they get to avoid shady antiviruses.

It would be good practice to install as few programs as possible nowadays, as you can't really trust any company, even  antiviruses (https://www.bankinfosecurity.com/eu-claims-kaspersky-lab-software-confirmed-as-malicious-a-11080).
Yeah, you have the point but this antivirus is safer as I tested it for a long time. I don't know how to explain it but I am using this antivirus for a long time and never experience any attacks or viruses that I heard from here.

They have antivirus just made for protecting crypto and you must also be knowledgable on how to protect your wallet by adding password like on electrum wallet where you can choose to encrypt your wallet with your password or not.

Don't worry I will report it here if I experience some suspicious or my wallet been hack While using this Kaspersky.


Title: Re: Beware from this malware.
Post by: baobao2000 on February 25, 2019, 06:27:03 PM
I have similar experience. I played with faucet last year and when I tried to login a website, it automatic go to other virus website, since then I stopped login faucet and block many website. I am agreed here we have to be carefully login with faucet, try to avoid the faucet pop up imagine.



Title: Re: Beware from this malware.
Post by: Mashfiqun on February 25, 2019, 06:29:54 PM
I have similar experience. I played with faucet last year and when I tried to login a website, it automatic go to other virus website, since then I stopped login faucet and block many website. I am agreed here we have to be carefully login with faucet, try to avoid the faucet pop up imagine.


But the problem is, most of the faucets run on advertising, clicking ads, popups, popunders, trackers and other malicious things. So we should take preparations well enough to deal with these problems for any site.


Title: Re: Beware from this malware.
Post by: Artemis3 on February 25, 2019, 07:22:35 PM
Yes I am using Windows as stated in my post.
Using Linux may be a solution but sometimes Windows is the best way to go.
Thanks for your recommendations.

Indeed. Did you learn from your mistake? If there is something you should not do with windows, is serious money or production stuff. Sounds contradictory, but it is actually more difficult to secure Windows than Linux.

You should have a Linux PC/Laptop/Tablet to do these "serious" money operations.


Title: Re: Beware from this malware.
Post by: Mashfiqun on February 26, 2019, 07:05:46 AM
Yes I am using Windows as stated in my post.
Using Linux may be a solution but sometimes Windows is the best way to go.
Thanks for your recommendations.

Indeed. Did you learn from your mistake? If there is something you should not do with windows, is serious money or production stuff. Sounds contradictory, but it is actually more difficult to secure Windows than Linux.

You should have a Linux PC/Laptop/Tablet to do these "serious" money operations.
Will follow this recommendation. I had used Linux on my PC but never installed Linux on my laptop. Recently I'm using windows much more.
I'm considering using Brave Browser and a Premium Antivirus now for better safety. Let's see what comes next.   


Title: Re: Beware from this malware.
Post by: jseverson on February 27, 2019, 01:31:44 PM
-snip-
Yeah, you have the point but this antivirus is safer as I tested it for a long time. I don't know how to explain it but I am using this antivirus for a long time and never experience any attacks or viruses that I heard from here.

They have antivirus just made for protecting crypto and you must also be knowledgable on how to protect your wallet by adding password like on electrum wallet where you can choose to encrypt your wallet with your password or not.

Don't worry I will report it here if I experience some suspicious or my wallet been hack While using this Kaspersky.

Lol what, you're actually using Kaspersky? Well yeah it should be safe for general use, it's probably just shady in terms of sending activity patterns, etc. There haven't actually been any reports of crypto hacks involving them, it's mostly country states saying that the Russian government is using them to spy. If it works for you, great, but that should be a thinking point for when your subscription ends.