Bitcoin Forum

I just saw another victim (https://bitcointalk.org/index.php?topic=5190626) of clipboard hijacker malware (https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/).

How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

How to prevent this
1. Don't use Windows (https://bitcointalk.org/index.php?topic=5190626.msg52680459#msg52680459), but we both know you're not going to change that.
2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.
3. I came up with something else: don't copy the entire Bitcoin address, copy only a part, and manually type the last few characters. Even if the malware exchanges the incomplete Bitcoin address by their own, your wallet won't accept the (invalid) address if you've typed a few more characters by yourself.
You'll still need to follow Step 2 after this: check the address!
4. Use copy/paste to verify part of your address. Suppose you want to send funds to address 1PjpEgknyKxQKXtMcYFDym8odkfohFGkui. After copy/pasting, select "yKxQKXtMc" from the pasted address, then press CTRL-C. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address. And make sure the source is authentic: email can be spoofed too!
5. I'll add o_e_l_e_o (https://bitcointalk.org/index.php?action=profile;u=1188543)'s suggestion here:

Stay vigilant
Check, double check and tripple check before sending funds!


No spam please
I said please :D
I'll remove excessive quotes (http://loyce.club/archive/posts/5268/52683639.html).

I was a victim year ago and I would like to add one more think to your post.

If you see that your address are being changed that means your system is affected by the malware. To resolve it permanently please change the hard-disk of your system and install Ubuntu. This is what I was advice to do. And how to be aware is already addressed by OP.

It is better not to download or browser random stuff on the system which you use for trading or storing your funds. Definitely not a good exercise to store funds in desktop wallets but if you have store then be aware.

Now im getting worried with that Windows 10 Cortana and currently been tweaking out its privacy settings.Is this really a keylogger?. So far i havent experienced any clipboard malwares but i do have that behavior on double-triple checking address before sending out  some coins.

Thanks for the reminders and this isnt a spam.  :-*

Pity that it never happened with me :-P

Well on a serious note, staying a bit careful before downloading or clicking any link solves the problem more that 50% I would say. The rest is coming with the external device like USB sticks we use. If we are not sure about the device status (whether it's clean or not), we should not inject them in our USB port.

I hope it was not spam? :-P

Edit: By the way, how about using a multiSig address? If your device is compromised and the address has changed you can see it once you load the tx file in the other device before final sing and broadcasting.

 ;D.
I also found this article : First Android Clipboard Hijacking Crypto Malware Found On Google Play Store (https://amp.thehackernews.com/thn/2019/02/android-clickboard-hijacking.html).
Android seems vulnerable too and it was found on Google Play Store, it this already found, for sure there are already some android app spreading with this kind of malware.

As stated on the article, most of the android app that has like this kind of malware are those impersonating android app fake android app, just like bitcoin wallet.
Since that is also about cryptocurrency.

I may post this on my Daily news on our local board. thanks for the info bro. Cause I often use this feature in windows when I'm sending some BTC to my exchanges address. thankfully I double-check the addresses before I send it. therefore every time we send some BTC we don't need to rush for it it is always better to see the address if it is right or else you will get nothing even after a hundred confirmation in the transactions.  ;D ;D

From what I personally notice with the clipboard/copy and paste virus it only gives you a similar address only to the first few characters of your own address sometimes also the last few characters at the end of your address are also similar as well. But if you look at the middle part you will see that there is no similarity at all in fact they are completely different. For people that has known and used their address for a long time now you can immediately spot the differences. I do recommend people trying it out on there Windows pc if they have the clipboard virus by just simply trying to copy/paste the address you have so that you are always aware that your pc is clean from that malware.
 

Its really a matter of concern that in every single second these hackers are trying to discover new ways for stealing fund from our wallet. Basically most of us like to complete copy-paste by using our keyboard option and these hackers wisely targeted that area to make users fool. To keep us secure from this kinda keyboard malware sender should be much careful during completing transactions from one address to another.

▪︎ Please double check the receiver address before clicking the final confirmation button.
▪︎ After pasting the address please check similarities between both address part by part. Don't give priority to few first charecters only where its necessary to check middle and last part too.
▪︎ You can take the help of notepad to match both addresses easily.

This also happens in Android OS more frequently, I believe, as there are random apps capable of snooping data up to system-level and change some of the configurations and voila! Your Android phone is infected! We also know that there are still a lot of people downloading apps that are not from official releases and from the official Playstore in order to get some cracked APKs for their games, apps etc and that is alarming. I almost became a victim of the clipboard hijack thingy just a couple months back by downloading this file manager from a XDA-Developers post (which has since been removed thankfully).


Knowing how Google Play checks every app on their store before getting it live, it's really rare for a malware-infected app to get through. This might be the first one recorded, but I'm pretty sure that there are tons existing out there in the wild.

If I can suggest a simple work around to avoid this kind of theft, I can suggest a easy virtual machine installation
I use it for my home banking and Crypto transfers.
An USB, 128gb or more to get acceptable performance
All the address saved in the task bar to avoid fake site found by googling
Linux lubuntu, a lighted and fast version of Linux.
When I need to use home baking or Crypto wallet I use this USB. I called it bank box.
Not sure at 100, but for sure more Than home pc.
If I'm forced to use it from my home pc, I usually check the first and last 3 or for address chars.

Does anyone else find the SegWit bech32 (bc1...) addresses harder to verify visually? I don't know if it's the long prefix or the all lowercase format but it's just so unwieldy.

But even since before SegWit I got used to Ctrl-C + Ctrl-F re-verification - it's quick and works well. Speaking of that - I think this is an error:


I think it should be Ctrl-C, then Ctrl-F, then Ctrl-V.

Yes. Windows 10 has a built in keylogger, and it sends everything you type to Microsoft for "analysis". See the following links:

https://www.pcworld.com/article/2974057/how-to-turn-off-windows-10s-keylogger-yes-it-still-has-one.html
https://www.technorms.com/45807/turn-windows-10-keylogger-improved-data-privacy
https://www.techadvisor.co.uk/how-to/windows/how-disable-hidden-keylogger-in-windows-10-3639643/

But on a much wider scale, Windows 10 is a privacy nightmare. It collects everything from your keystrokes and voice input to your contacts, emails, browsing history, location history, etc., etc. Turning off all the telemetry and turning all the privacy settings to max doesn't help. Have a read of these reports if you want to be really worried:

https://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
https://thehackernews.com/2016/02/microsoft-windows10-privacy.html

Even with these features disabled via group policies, Cortana is still sending your search history to Microsoft, and OneDrive is phoning home for unknown reasons, for example. Even with all telemetry features disabled, Windows 10 still made a staggering 5,500 connections to almost 100 different IP address in only 8 hours.

As LoyceV says, don't use Windows.

---

Any time I am sending coins from any wallet I physically place the address I know is correct directly from the source, right next to the address I have entered to send to. That usually means either holding my hardware wallet or phone up next to my computer screen, or resizing two windows on my phone or computer to put the two address physically right next to each other. Once you have two addresses which are less than inch apart, its very easy to check the entire address and not just a few characters at the start or end.

Nothing wrong with that tutorial, Why CTRL+V, then CTRL+F, then CTRL-V, After you have copied wallet address, you need to paste clipboard. It means we need the first CTRL+V, After we are pasted wallet address, we need to check wallet address from clipboard results, then we need CTRL+F.  The last CTRL+V is for a paste wallet address on the search form.

So, for complete process is CTRL+C > CTRL+V > CTRL+F > CTRL+V, like LoyceV says.

I also used a virtual machine for some time and it was with lubuntu too.
But still, this method, although safer, also has drawbacks if a trojan settles on the main computer.
Therefore, over time, I moved to an old dedicated laptop.

I hope did you turn off access to the host clipboard in the guest isolation settings?

I also think that 3+3 characters is not enough. It is possible to do hijacker that will pick up a larger number of characters.

OK for the keyboard host settings.
But I think vm remain one of the most secure and safe behavior against theft.
But this is true, if you just use this virtual machine for that task.
Never navigate on internet fron bank box, neve read email from there.
Do just bank/Crypto transfert from saved Link.

No, the post says to select a part of the pasted address, I assume to avoid triggering the clipboard malware. It wouldn't make sense to do Ctrl-V immediately after selecting a piece of text. Anyway, it's been fixed so not an issue anymore.

Your method works too but only if malware doesn't do reverse substitution.

I become aware of that two years ago it was big news back then, that was one of the reasons I add another anti-malware on my computer I also develop a habit where I will wait 30 seconds before sending the funds I will look on the first three character and the last three character to make sure I'm sending to the right address, if you're aware on something like this you will develop a precautionary measure so that it will not happen to you.

Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.

Isn't it enough to check just the fist 4-5 and last 4-5 characters? This is what I do every time, if the first and last match I don't think I'm in danger.  If they manage to generate address similar to the address you are paying to with the first few characters, checking the last ones should make it super save, am I wrong?

I can imagine malware that connects to an external server, which stores a large database of pre-created addresses.

There's also malware that monitors 2.3 million Bitcoin addresses (https://www.bleepingcomputer.com/news/security/clipboard-hijacker-malware-monitors-23-million-bitcoin-addresses/): thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.

It's probably enough, but I prefer a higher degree of certainty than just "probably".

Another argument for not reusing Bitcoin addresses but that's unfortunately not feasible when you have for example exchanges that issue one deposit address and don't even allow to change it manually (an argument to not use centralized exchanges I guess).

Given the sheer amount of addresses in the whole key space of bitcoin and other cryptocurrencies, this is already a good practice knowing that two addresses having almost the same characters as another one would be pretty slim. Though of course for the ultra-paranoid in us, 4-5 characters isn't really enough and therefore having two addresses side-by-side is still a (somewhat) bulletproof practice as suggested by o_e_l_e_o.


The horrors of Windows in general. Every single data we have on our PCs we don't own completely, but we actually share it with Microsoft the moment we started using their operating system. The mere fact that most of the computers in the whole world runs with Windows is already an alarming thought, but what is there to do when Microsoft knows how to make things work with laymen? Of course, you wouldn't expect non-techie people to use CLI-based OS such as Linux just to be secured, and while being secure, Mac isn't really an option too knowing how costly it is to have one. Hackintosh is possible, but with limitations and bugs too.

This is the only choice that matters. You are a pessimist by rejecting the only logical choice beforehand.

Most people don't need Windows, all they need is a browser, and the likes of Chrome run in Linux perfectly fine. That attitude of yours, i have seen it in decades, and it only ends in grief.

Drop Windows and 80% of the issues are gone. If you need a "games" computer, have both separate. Money and serious things in one, the rest in the other.

Don't bother with dual boot, people lack the discipline to NOT boot Windows (or OSX).

None of your "tips" are really effective under a malware ridden windows computer, because you don't know beforehand the exact nature of the malware. Its not just malware that recognizes bitcoin addresses and change it, there are several more vectors for stealing, such as taking your privkeys/seed words, or hijacking your dns, but to name them all would make a book.

Money handling should not be done with insecure OSes, period.

Of course :) But 1.5 billion people (https://en.wikipedia.org/wiki/Usage_share_of_operating_systems) use Windows for anything. If we could wipe out that insecure OS that would be great, but I'm trying to be realistic here: it's not going to happen.

I think you are too categorical. Ideal operating systems do not exist, and the romantic halo around Linux often disappears when you try to make him friends with your computer hardware. If you are not a bearded admin in a sweater, but an ordinary user, migrating to Linux may not be an easy task. I use a hardware wallet and check the address before sending, and until everything is fine.  :)

Aren't you being a little pessimistic yourself as well? I understand that getting people to stop using Windows is an uphill battle, but I'd think more people would be open to a dual boot set up than having two different devices for different purposes. (Edit: Maybe we should be promoting the use of Raspberry Pis instead lol)

Either way, while I completely agree that people shouldn't be using Windows for crypto (or anything else you could do with Linux really), I wouldn't go as far as saying it's insecure. It's certainly much less secure, but I don't expect a person who knows what they're doing to have any issues with it. Awareness is so much more important for security because no OS will protect you from everything. The info that LoyceV provided would probably help more users than simply saying "Don't use Windows!", for one.


The funny thing is, if everyone started using Linux instead and it got all the attention from bad actors that Windows does, users would probably just as vulnerable even with Linux's fundamentally stronger security. People do a lot of stupid shit for free stuff and/or whatever else they want, and no OS can really address that lol.


I've found that things have gotten a lot better on this end in recent years. Even then, most people only really have basic stuff anyway, and people with the more technical hardware tend to be more technical themselves.

I sincerely don't understand what "monitoring" means here...
Are they monitoring used addresses so if a user tries to send a transaction to a known adress they have one resembling it to replace it?
That would be more effective for a reused address but a total fails with newly generated addresses.

Also, one of the exchanges I use gives me the same deposit address each time, but every time I deposit something the adress is emptied in the next block in a batch transaction collecting funds, so ...that would probably make the adress free from monitoring?  ;D ;D  I really wonder how they are choosing them..



But a monkey behind a Volvo and it will become the deadliest car in history.

The situation is really changing for the better and the Linux desktop is becoming more and more friendly to the average user, but it's too early to talk about any significant successes. Linux is the king of servers, and the market share is near zero on desktops. This is the reality of today. :)

It would be easier for Linux to succeed on desktops, but in fairness, I note that Windows 10 is not so bad, it has a built-in security center and rumors about the impossibility of disconnecting Cortana are greatly exaggerated.

Good question, now I'm not so sure. I would have expected the malware to detect Bitcoin addresses based on the format, instead of based on a very long list of known addresses. It's quite easy to know if a certain string is a Bitcoin address.

From loyce.club last month:
Windows 63.2%
Linux 17.2%
Macintosh 1.6%
iOS 4.4%
Unknown 13.3%

Meanwhile, 4.1% of all pages was loaded from Windows XP (I'm not sure if Tor-browsers still identify themselves as Windows XP), 23.8% Windows 7 and 33.8% Windows 10.
And 3.9% of the users use Android, which is counted as Linux.

People interested in crypto are usually more advanced in IT and are difficult to consider as ordinary users. I also want to note that if you consider Android as Linux, it would be logical and iOS + MacOS should also be considered as Linux, because they also have common roots. I'm talking about Linux desktop, such as Ubuntu. Market success of Android is difficult to question. :)

My PC got infected once with this malware.
It changes Eth addresses from the one you copy to the hacker's address.
I was lucky and didn't lose anything because I discovered it when I was checking tokens values on etherdelta.
I was copying the token's contract address and pasting it in the navigation bar which redirects me to the exchange's home page everytime.

َAll I did to resolve the problem is copying a part of the address (all of it except the last char).
I confirm that this solution works for Ethereum addresses since they all have the same length which is not the case for Bitcoin addresses.

This is for me the best thing to do to prevent getting scammed by these hardcore stupid scammers/hackers.

Yes it is a lot of work to do. You will see if what you have pasted is the same with the one where you get your address but if you are sending a huge funds, you will double or triple check it so that you will be comfortable in sending it.

Lucky for me that I didn't encounter such things like this at this moment and I hope I will not encounter it :D.

Just comes to show how careless people are in general. It only takes like what? less than 5 seconds to double check the address you're sending the funds to? But yet people don't do it. It's so mind boggling how lazy and careless people are knowing that you can never do chargebacks with bitcoin.

It should suffice. This is what I do too. It's enough unless for some ultimately very unlucky reason the address you're sending the funds to and the hacker's receiving address has the same first and last 5 characters.

I think the length of these addresses and also the case sensitive requirement for Bitcoin addresses are forcing people to use "Copy & Paste" to use their wallets. It is a pity that something cannot be done to shorten the address like with URL shorteners to just post a shorter description for your wallet when you have to use it. <That description can be linked to your longer address to make it easier for you to remember it too.>

So you configure that on your own and link it to your address and when you type it, it converts the wallet description to your Bitcoin address. <This can be done on the users computer and also encrypted to protect it from hackers>

So no need for developers to add this to the Bitcoin code <Protocol> Obviously people will still have to double check the end result.  ;) 

There's more to it than that: when I receive a PM with a payment address, I first have to make absolutely sure it came from the real account. With email, most people don't use encryption. That makes it even more difficult to be absolutely sure the sender is who he says he is.

There used to be a site for this, but it was discontinued (and I forgot the name). But the most unique thing about Bitcoin is being able to make payments without having to rely on third parties, and I wouldn't want to trust them for giving me the correct address.
Google's first result on a search shows a site which Google says may be hacked:
http://loyce.club/other/thissitemaybehacked.png

I see many problems with this, but not a single way to do it absolutely safe.

And even if you would make a safe implementation, you'll lose error correction. Currently, there's a 1 in 4 billion chance of making a typo in a Bitcoin address, that still leads to a valid address. If you shorten the error correction, mistakes become much more likely.

That defeats the purpose ;)

..aaaaand not only that! Personally, even though I'm already certain that the bitcoin address came from the legitimate person, I always ask the person to verify the pasted address! Like so:

Tradee: my address is bc1jf5jxxxxxxxxxxxx
Me: bc1jf5jxxxxxxxxxxxx
Me: ?
Tradee: bc1jf5jxxxxxxxxxxxx

And I even do that even with transactions as low as $20. You can never be so sure.

I don't understand you're doing trades by phone? The vendors spell their adresses letter by letter?
If I'm right. Why not using emails instead? If your sender use URIs you just need to click on the link, you don't even need to do a copy/paste manipulation, like bitcoin:bc1jf5jxxxxxxxxxxxxxxxxxx

Chat logs, he asks the person to confirm the address so he can make it a bit safer.
If the other party just copy-paste the adress he will probably not notice the change.

Now, if you ask him again, he will have more chances to see that what he copied isn't what he pasted.
Plus, due to the dialogue he can protect himself better in case of a dispute. Not bulletproof of course as the other user could simply not pay attention both times but it's better than nothing.

And no, I don't know a single person that dictates addresses by phone :P

Sry that i have seen the thread so late and only now !

I have written and Thread over an year ago about this here for copy and paste https://bitcointalk.org/index.php?topic=4601535.msg41533052#msg41533052

Sadly to see that it happens already to somebody .

The copy+c and copy+v about btc adresses is i guess normal for the most but you should think about and always watching what you are install .

Thank you for this thread but a good way to fight clipboard hijackers is to encourage the use of BIP21 URI scheme instead of raw bitcoin addresses bitcoin:xxxxxxxxxxxxxxxxxxxxxxxxx

I've seen those, but I had a hard time making a payment. I don't like how difficult they make it to just find the address to pay to.

Hey LoyceV,

Personally I think it is very unlikely that few characters are the same. Maybe 2-3, but if you check also the last 2-3, or about 5, that's almost impossible to happen. The attacker would have to ninja-mine vanity addresses for that.

The victims of this attack mostly don't even check the address. I think that even the address type may be different in most cases (legacy/segwit/nested segwit)


I won't change this lol
Never had any problem with windows... and I use computer at lot at work, where I can change my OS =D

I think people bash windows too much, if you have safe online habits and take basic precautions, you are fine...
Certainly I need to learn more about Linux

It's not a lot of work. This is what I do for long time now.
I've got used to it long ago, when the payments for this campaign were sent to Bitsler account. They had at the withdrawal this rule somewhat enforced. It helped me get used to do it.
Now I check the first 3-4 characters, last 3-4 characters and some 3-4 characters from a random position in the middle (I "scan" to find something easy to remember).


Unfortunately I don't have a choice for getting rid of Windows, although maybe a VM with a Linux for crypto handling could not be such a bad idea.
Just I fear that since I don't know much of Linux I may make even bigger mistake...

I've read an article on this just last year and a lot of discussions have been created about this malware, and still going on right now because there are new investors coming in and newbies do not know the existence of this malware.
The only way to combat this is awareness and education if you are going to invite people to invest, it's part of recruiting that you educate them and inform then about the existence of these kinds of malware, and precautions to take when sending and trading.

That's correct. And in the way I was "convinced" to do a real check on the recipient address, the wallets should do the same. It's not hard to make a window pop up and ask for double check start, middle and end. And the more advanced users can deactivate it.

Thanks for the tips, the part with using "copy" "paste" for a part of the address and typing the rest is pretty useful, I think this can be used for passwords too for extra security.

Now since this kind of malware is out there (that can change the address copied to clipboard) I wonder if there is a possibility to exist even a malware that change the address "pasted" right before sending the TX (0.1 sec before you click "SEND" button). This would make checking the address worthless and your coins would vanish, so let's hope not.

Although your use case is highly improbable, there's counter measure for that too.
For example if you use Electrum, instead of pressing Send, you can press Preview and check there. Then Sign and Broadcast. If you go on this path there's no place they can change anything, no matter what.

Changing the OS doesn't necessarily eliminate this risk.
Such malware already has been seen in the wild for MacOS. And they can also easily exist for unix based operating systems.




Without doing the actual math, i am also pretty sure that this is enough to prevent such clipping board malware.

1) It is not possible for the malware to create that much addresses / store that much addresses on the victims computer without being blatantly obvious (if possible at all; i didn't do the actual math but this shouldn't be possible in a relatively short amount of time)
2) I have not seen any non plain-dumb clipping board malware yet (which doesn't mean that it doesn't exist tho).

In addition to NeuroticFish's good suggestion above regarding Electrum, this would also be prevented by using a hardware wallet (and not just for bitcoin, but for all coins). Even if the malware changed your "send to" address just as you clicked "send", you would still have the opportunity to check the address on the hardware wallet's screen, and cancel the transaction if the address was different.

Thanks for the tip, actually I am using Ledger Nano S (with a low amount of BTC), but since I like old school things I am using Bitcoin core wallet just because I trust it more than 3rd party apps, like Ledger's app, Electrum, etc.

Maybe I am just a bit paranoid with this things, sorry :D

Thanks for this wonderful topic @LoyceV! It will be useful for beginners. I have many friends who are victims of this.
I translated this topic into Turkish.

Dikkat: CTRL-C CTRL-V ile Coinlerinizi Nasıl Kaybedersiniz?   (https://bitcointalk.org/index.php?topic=5196316.new#new)

This is actually a good idea.
If this is allowed and of course, @LoyceV is OK with it, I can translate it too for the Romanian sub-forum.

Translating any topic is okay, as long as you give credits to the original post. So go ahead :)

Of course, thanks for your efforts.

I have encountered this case! I copied the address of a friend and pasted it into the deposit address. However, I have observed and found it unusual. I feel fortunate to have observed it! I tried to copy several times and it only shows someone's address. I took the computer to the store and ran the window software again. There was a lot of data lost

Although slightly off-topic here, you made 2 mistakes that could have been prevented:
1. You didn't make backups.
2. You shouldn't trust anyone else with your data.

With enough care, this type of clipboard malware can be prevented. However, I am more concerned with the next type of malware that will change the address in the browser (source). For example, if you want deposit bitcoin to an exchange, the malware could change the address that the browser shows you to the attackers address. I don't think it is too difficult to create a chrome extension that does this (disguised under something else of course). You can compare the addresses (source and destination) and you will see no difference. How do you fight such an attack?

For some reason, I almost always do this. Do a preview... invariably because I'm trying to adjust the fee all the time or tweaking the transaction to avoid using change or change addresses if my goal is to send everything.

That's another reason to always use the preview then before broadcasting. While you're at it, the more paranoid could use multi-sig with another computer / mobile device that also has Electrum, although that's more work to do.

I've only been infected once in my life (ok, a few times) but all those times can be attributed to carelessness.

Knowing that vanitygen / vanitysearch takes a long time with 5 or more character prefixes / suffixes, I find that checking BOTH the first 5 and last 5 are usually good enough. If some hacker / malware got on your system without you knowing and matched the first 5 and last 5 of the address you wanted to use, they must have targeted you specifically to generate that kind of address. Check your house and work place, they already bugged everything.

If that's possible in a browser, I'd expect it to be exploited for banks first: there's much more money to get and they have much more users.

It's an interesting thought. Certainly we know that people will download any old browser extension or mobile app without so much as a second thought, let alone actually spend time reviewing the code. We've seen people lose bitcoins due to downloading apps which give them a sparkly background or a new font on their keyboard, for crying out loud. The best defence against such a hypothetical attack is prevention; there are a grand total of less than 10 good browser add ons. Anything else is not only unnecessary but also introduces unnecessary risk.

The vast majority of online banking payments are made through a secure payment processor, whereas the vast majority of online bitcoin payments are made through copying and pasting an address. It would be much easier to change the later than the former.

Right before opening this thread the first thing that came to my mind after reading the title is because of clipboard hijacking. This victim didn't double check the wallet address that he pasted and hit send right after. I think it is a lesson learn for the victim and also a loss of his bitcoin.

I'm one of those types that don't use any add ons. Just the bare bones browser. Just two actually, the Tor browser (which is based on Firefox) and plain Firefox. I even go into the settings and disable a bunch of different things, don't save any history, don't save anything, and rearrange the icons to somewhat resemble some classic look.

I got Firefox Focus on my android devices. Kinda a hassle since it doesn't remember anything after closing it, but good for taking a quick look at different sites or just finding out the answers to a couple of simple questions.

And yeah, default search engine is the duck, I delete everything else.


A lot go through so called bitcoin payment processors (bitpay / btcpay / clones), but that's still correct, you have to copy and paste to those addresses.

I use a handful of add-ons, but they are all directed at doing what you are doing: Increasing privacy and security whilst decreasing tracking. Even if you are aiming for the "bare-bones", I would still recommend uBlock Origin, HTTPS Everywhere and Privacy Badger.

I'd be interested to know which settings you are changing in Firefox or Tor? Do you just mean the ones under Tools -> Settings, or anything more advanced? I have quite a list of things I change in about:config whenever I am installing/reinstalling Firefox or Tor, everything from limiting the Referer header to refusing/auto-deleting cookies, and I'm always on the lookout for any more changes I could be making.

I also use DDG as my default search engine, and occasionally searX if DDG isn't finding what I want. Startpage used to be good too, but was recently bought out by a company which tracks you to serve you targeted ads, so is now just a privacy-invading as Google.

Don't forget to add the WebRTC which can block your chat, voice, and video from monitoring and always use the private browsing of Firefox as it gives you more protection it can remove all traces of your browsing activity and it can protect you from keyloggers and block websites from tracking your PC.

If you completely have these tools in your browser you have 99% secured and no leaks for your privacy it is likely you are browsing anonymously except for IP.

Yup, already disabled. Thanks.

Although I auto-delete most cookies and history, removing all traces of browsing activity isn't high on my priority list since I use whole disk encryption, and no one else has access to my computer. I'm not sure private browsing will protect you from key loggers though.

I only ever connect via VPN +/- Tor, so no IP concerns there. This set up doesn't make you anonymous, though. By changing all these things I'm very aware that I have a probably unique browser fingerprint. You have to go to extra steps to spoof what you can to blend back in to the crowd.

Those article for old version on windows 10

I Try to Guide how to disable it on Windows 10 1903 Version

Settings >> Privacy

Inking & Typing Personalization
https://i.ibb.co/FKsD1s6/1.png


Diagnostics & feedback
https://i.ibb.co/j5S0tKw/2.png


Activity history
https://i.ibb.co/54kJhsM/3.png


Setting >> system >> clipboard
Turn off clipboard
https://i.ibb.co/JyssVyw/1.png

When We On a Clipboard, Copied anything will save on clipboard

I'm afraid you are kidding yourself if you think changing those settings does anything at all to protect your privacy.

Have a look at the other articles I linked to in my post which you quoted. Even with all these settings turned off, even with telemetry, Cortana, monitoring, diagnostics, etc., turned off in services.msc and in gpedit.msc, even after installing third party tools designed to block these features, Windows 10 still monitors what you do and sends it back to Microsoft thousands of times a day. Sure, if you turn off "Typing Personalization", then your predictive suggestions might not be as relevant, but Windows will still be recording and sending back your keystrokes. They are still using your data, just not in a way you can see.

It's like when you turn off Location History in Google. Google still have a complete record of your entire location history, it's just that you can't see it anymore. It's an illusion of privacy, nothing more.

Your statement aware me, for example, when I copied my private key or seed into electrum they will be recorded and sent to the company.
I am confusing to know how they record my data when I use a hardware wallet?.

They can't. With a hardware wallet, your private keys do not leave the hardware wallet. Any transactions you make are generated on your computer, sent to your hardware wallet to be signed by the private key(s), and then the signed version returned to your computer to be broadcast. The whole point of a hardware wallet is that you can use it safely on any computer, even one infected with malware, without risk of losing your coins (provided you double check the addresses and amounts you have entered are correct).

The solution to this problem is really to avoid getting infected with malware. If your computer is infected with malware, and you are interacting with your coin, your coin is likely gone. Once you discover that your computer is infected, you should stop interacting with your coin via that computer and also stop using that computer.

Some malware can change what is displayed on your computer. So if you paste/type a certain address, that address may be displayed on your screen, but the address transmitted to any website you are on would be changed. Even if you are taken to a second conformation page, the website may transmit the address that the malware changed to but your computer would display the original address that was on your screen. The same would apply if you received a confirmation email and read the email on the same computer that is infected.

Few people are going to willingly access their coins on a computer that they know is infected with malware. The idea is protect yourself against potential malware that you don't know you are infected with, and that's why hardware wallets are such a big improvement over software wallets as I said above. Even in the case of clipboard malware or malware which changes the address you are sending to a website as you describe, it can't change the address on the screen of your hardware wallet. As long as you double check the screen of your hardware wallet against the screen of your computer as described in this thread, then you won't lose your coins.

I have another suggestion which I already posted here (https://bitcointalk.org/index.php?topic=5210015.msg53361876#msg53361876):
KeePass is password manager but it's really helpful when it comes to save bitcoin addresses.
I made a simple setup just to test it and it works fine. see the pics below.
You can modify pretty much everything, and you can have it on a USB drive as well (there is a portable version).

What you do is just save as many keys as you want, then open a website or select a place where you want to type your key and go back to KeePass, right click the key you wnat and just click "AutoType". The address will be automatically written. No copy -paste.

The KeyPass is password protected, free, open-source and one of the top password managers. But if you don't trust a single password break point protection it's perfect for storing crypto addresses.
There are browser add-ons as well.
https://i.imgur.com/zudkL5p.png
You can choose what to type, how to type and where to type it.
https://i.imgur.com/JptIhjq.png

Some time ago I once gave tips (in my local language) to reduce the use of the CTRL C & CTRL-V shortcut, especially in copying sensitive data and when connected to the internet.

https://i.imgur.com/7cHQB56.gif ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Select> drag> drop (https://bitcointalk.org/index.php?topic=5115531.msg50014582#msg50014582). This gif picture might represent it as my explanation. This method doesn't save anything to the clipboard at all. (I've not tried it on Linux).

https://i.imgur.com/fzrG0gx.gif Edit: Image doesn't appear, click here instead. (https://i.imgur.com/uZzf6Tx.gif) ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀

Splitting to several parts (https://bitcointalk.org/index.php?topic=5033133.msg50890236#msg50890236). AFAIK, the clipboard hijacker will read the length of the chars/strings stored in the clipboard with several other parameters to find out the type of copied wallet address. You can split it into as many parts as you want and paste it randomly. That way, the virus won't read that it's the wallet's address.

Although these methods takes a little time, at least now I don't really think about it and it has become my habit unconsciously. I just thought, it's better to waste a little time than to be fast but in the end I've to return from the beginning if I lost my assets.

The drag and drop method might be more practical.

The splitting stuff in the clipboard, ... you're doing that if you're suspecting you have malware. If you suspect you have malware, do that to confirm that you do have some sort of malware (or use a fake address to see if it changes when you paste it), but then stop using that computer until you have cleaned the malware (or otherwise nuked and reformatted and reinstalled a clean OS.)

Always check first and last letter/number + if there space in between. Easy, thank me

If you read the previous replies in this thread, you'll understand that that's not enough to guarantee the safety of your coins. Advanced clipboard malware will have many addresses it can use to override your copied address, and will pick one as similar as possible, potentially with the same first and last character or even few characters. Only checking the start and end still leaves you open to attack.

The only way to be totally safe is to check the entire address. It takes less than 10 seconds to do so. Why take the risk?

You don't even need to check the entire address. No malware in existence will match the first 5 AND the last 5 characters of an address. If any malware has it's own key generation algo or use a predefined list, it most likely will be the first few characters only.

Understanding how VanityGen or VanitySearch (or any other Vanity address generator) works, you'll know why.

When you're dealing with a significant amount, you will tend to look at the entire address anyway.

I was not familiar with this method of dragging an address. But after trying it, I realized that it is more convenient than doing a comparison of your address. I consider the second method less convenient. But in any case, you still need to check the entire address before sending.

I thought I would leave my personal story and some advice that will save someone from what happened to me.

Never ever cut and paste. I did this with a wallet.dat file once since I wanted to move it before copying. I can't remember exactly what happened but I ended up pasting it over itself and when I tried it, it never worked. I tried to delete it and get it from the recycle bin but it still didn't work. I lost 0.09btc worth of alt coins doing that. So for the love of God copy paste for everything you ever do on pc. Cut and past is silly and anything can happen. Like what if the power goes off? Now you have corrupt files like I had.

The next thing that is also related to copy pasting an address is h very careful what you download. I once downloaded an app and it used a QR scanner. The QR scanner changed the address to the thiefs address. So no matter what you scan their address pops up. I used the app from the Google store. I never got my bitcoins I looked and it was sent to the thiefs address. Thankfully I only sent $3 but what if it was more? I often wonder how much money these scammers get. It disgusts me that they do not work for money they sit back and wait and have transactions come in from unexpected victims.

No matter what you do in life check it teic thrice. Hell check it 10 times. Remember all the hours of work to t took you to earn that bitcoin. Taking even 10 whole minutes to make a transaction is better then taking a lose. 10 minutes is nothing compared to the amount of hours you put in.

I also want to thank the op. I thread similar to this helped me be mor vigilant towards copy pasting addresses. Topics like this save people money.

What could solve this types of hacks is by digitally signing the payment request. I recently found that there already is a BIP for this: https://bitcoinj.github.io/payment-protocol. The "magic feature" is at point number 7. This has to be implemented on both ends. So for example if you want to send money to an exchange, the exchange would create a request and sign it. Your wallet would verify the digital signature and allow you to confirm that this is what you want. And this could also work the other way around: if you want do withdraw funds from an exchange, your wallet would create a signed request and send it to the exchange. Then the exchange would verify the signature and only if it is valid it would release the funds. For this to work you would need to create a certificate and upload it to the exchange and also download their certificate and import it into the wallet. A more advanced solution would be to use certification authorities (CA) just like with https certificates but this would be a centralized solution, so I am not sure about that. I think this would be a very powerful feature but I am not aware of any wallet using this. Also this would be a very good proof of payment.

To avoid this kind of happenings, avoid visiting malicious sites that has been blocked by google. There are some advertisements that once you clicked them, they will automatically download something in your device. Once installed, they might take over on that device. You better be careful on the things that you click on the internet.

Don't rely on Google though, they also allow phishing sites to advertise on their search engine.

bump.

https://i.ibb.co/6NHc7rJ/Screen-Shot-2020-04-16-at-9-38-18-PM.png (https://ibb.co/PtcsvFz)

https://twitter.com/ElectrumWallet/status/1250774410115665922

Probably there's a new variant in the wild, so just a friendly reminder to everyone.

Usually I will look closely once the wallet address needs to be sent and compare it at least 5-6 last characters before sending :)). Looking forward to changing someone's habits :)

Honestly, I am very often with Ctrl-C and Ctrl-V when sending bitcoin to exchange or vice versa from exchange to my wallet. I usually make a few small attempts before sending like the points you say (check carefully).
The question is, if we scan a barcode it directly from the exchange can also be changed by malware ?

Quoting from a recent thread....


So there is a chance of a malware changing the QR you are scanning into the hacker's one (the quoted thread is about paperclip malware, in case someone wants some context)

Malicious QR code readers steal a lot of money (https://securityboulevard.com/2020/03/bitcoin-thieves-use-malicious-qr-code-readers-to-steal-45000-this-month/).

Bitpay shows a different code instead of a Bitcoin address. I only use it for small amounts, but because it doesn't even show the actual address, I wouldn't know how to check if I pay the correct addy. From what I understand, this is meant to make it more secure and less prone to error for inexperienced users (but I can't check that).

So the vulmerability can come from:

a)Malware changing the QR code
b)Malware on the code reader (app and/or terminal)
c)all of the above

Copy pasting and the hand-checking the address seems "safer" if that's true....

It is also possible the malware will change what is displayed on your computer. So your computer would display 3_correct_address, however in reality, the malware is actually sending coin to 3_maleware_creator_address. Or malware could not touch anything you input, and simply grab your private keys once you decrypt your wallet, and send all your coin to 3_maleware_creator_address.

Thank you for answering my question. The wallet application that I use has a QR code scanning feature when we want to send bitcoin to an exchange address or to another wallet and so far the address generated by this scanner has not changed even though I have to check it several times before clicking to send.
I didnt use another scanner application to get the bitcoin address because maybe it would be far more dangerous than the original wallet feature.

I hope this will be a good and safe solution for me and others. Thank you LoyceV.

I always double check, triple check and evwn QUAD check. Lol But I never thought about a scammer changing through copy paste! Thanks for the heads up! I will triple, double, quintriple check from here forward!

+1 merit IF I had SENDABLE Merits! Lol

I have never thought of this and I don't think I will do such until I come across your post op, this brings about latest hack information and how to avoid it.  People might have fallen victim of this scam setting, any scam road place there must be safe ways too. Thank you LoyceV for the information. Already seen you bumped and that's straight up.

I had that malware on my laptop once and the first three checked out.

Some sites allow you to only see first part of the address before you copy it. The rest is covered by the "copy" button. Coinbase does it like that as well as many mobile wallets.

I've noticed that it that first 3 and last 3 never match. The malware or at least the one that I had focuses on matching the first 2 or 3 characters and that's it.
It's unable to match both first and last characters so it tries to math as many first characters as it can hoping the victim will not notice.

Matching the first and last 3 characters gives 38 billion combinations (58^6). Times 3 if you add all different address types (starting with 1.., 3.. and bc1q..). That means a 4 TB database is enough to accomplish this. And for 25% chance to find a match, just 1 TB is enough.
Existing malware may not do this yet, but I'm pretty sure it will happen eventually. So you can just as well get used to doing a much more thorough check before sending your coins.

Hilarious topic title :D

Since I first heard about this virus I get used to always check the first and last 3 characters.
Sometimes there is eye catching part in the middle easy to check as well (double or tripple letters, whole word etc.). 

These post has made me to remember my past experience when i was a new into bitcoin payment, without double check the wallet address before sending the fund, that lead me to loose. while hopefully my CTRL-C Picked the addressed without changing effect, mean why, i trust my CTRL-V key to pest without me knowing address change speedily as soon as possible that lead me to double payment.

Since then, I learn my lesson for any given transaction to send fund on a hurry.  

Does Windows 8.1 do that too?

I wouldn't bet against it.

In the end, you'll never know what your OS is doing.
If you want to keep sensitive information private, you'd be better off using a different OS.

My suspicions have been answered, so far when transferring Btc or similar transactions, I have never even been confident with just one click ctrl + c and ctrl + v then I just send it.  Before making a transaction I sometimes even check the link many times at least 3 times before I actually send it.  It turns out that my intuition is very useful to protect me from cases like this.

I wonder how I've not been a victim to this because, I don't. Do non of these things and isn't sure I would be doing that either.  Won't it have been more easier to know the specific malwares to watch out for that effects these change of addresses so as to note and clean them up in one anti- whatever swipe...

Again, comparing addresses is more like you trying it manually over again. Like IASENKO said, considering a few characters isn't enough. Although,  o_e_l_e_o (https://bitcointalk.org/index.php?action=profile;u=1188543) suggestion would be effective since from indications, the changes is down within the time frame between when the address is copied and being pasted. So, a duplicate screen for typing manually instead of mare comparing alone and typing more accurately could be the best form of skepticism. Though, you'll still need to confirm before sending.

Personally, I suggest everyone to use two devices: one for everyday use and one for only special purposes.

For special purposes:
Rule N1 - Use Linux!
Rule N2 - Only visit websites that are 100% secure. For example, if you only use binance, youtube and bitcointalk, visit only these websites and don't move on another one. Don't click on any 3rd party link that's posted on these websites, your browsing history should be only these three websites! This way you are sure that you won't get infected unless there is a problem with these three websites.

In reality, you aren't secured once you are online but it's always better to have two or more devices for special purposes.

Also, consider the OP's advice, always be extra cautious.

I get amazed over and over again when I read post on bitcointalk of means scammers devise to hack people account. I do copy and paste alot and most times do not take note of the address because after checking the the first 5 numbers/letters and they correspond, I go ahead.
Now that I see that I can be hacked in this manner, I would be extra careful.

WOW!!!  Total newbie here.  Thanks for the Win/Droid clipboard heads up!

Do we have a scam alert or threats sub-board?

TIA

Hello, in relation to quote above, i am recently noticed that some bitcoin addresses start with a "1 + meaningful characters  + ... " as if someone customize his address.
How it is possible ? is there any software to do that ? -i am asking for academic purpose!-

kinda. its here:
https://bitcointalk.org/index.php?board=83.0

See:
Vanitygen: Vanity bitcoin address generator/miner [v0.22] (https://bitcointalk.org/index.php?topic=25804.0)
Pretty Addy Giveaway - part 2 (https://bitcointalk.org/index.php?topic=1813624.0)

Note: Checking just the vanity part of the address is not enough to ensure the address is correct. It's always safest to check all characters.

Checking all characters seems like a lot of work to do and one can get a blurred sight along the line but then, looking from the perspective of what is involved, its better to be safe and go through the process than sorry.
It appears the cryptoshpere isn't friendly, lol.

I went to search for this android app " clipper" on playstore. And I see that it's very dangerous to use the app. Android is Risky to use these days. Different kinds of malware.

It's not just android.
It basically is any operating system. Regardless of mobile (android, ios,..) or stationary (windows, linux, macos).

Malware exists for every operating system. It is just that malware for more common systems are more likely to be encountered.
In a targeted attack with malware, it doesn't really matter which OS you are using. You always need to be careful.

If malware has infected, is there any other way to clean it apart from reinstalling the laptop?
Someone asked me about this problem, his laptop was attacked by malware hijacking the clipboard. Every time he copied an ethereum address, it had a different address when pasted.

There's always a way, but you'll never know for sure. I wouldn't risk it.

Use QR addresses. No risk at all and no need to reset your operating system.

Allow me to edit your quote. See for instance fake QR code generators will steal your Bitcoin (https://www.zdnet.com/article/network-of-fake-qr-code-generators-will-steal-your-bitcoin/).

You shouldn't use a compromised system for so many reasons!

Uh, don't use websites to generate QR codes, and always scan them with another app to verify what you just generated.

I downloaded a bar code generator that can make all sorts of codes offline, and I think for Android anyway, there is QR-Droid or QR Droid Private.

When it comes to safety, perhaps the best option is not to consider trying something that might be risky. I have recommended him to reinstall his laptop, while all important data is well secured and the problem is resolved. Sometime, bad habit of browsing the web will bring about security issues and we have to protect ourselves with the right steps.

With any bitcoin or other altcoin address, I think the threshold to minimally inspect it would be the first 5 and last 5 characters. If you can check more characters or even the whole address, then so much better.

I don't think it's going to "scale" all that much even in the future, maybe if you're dealing with bigger amounts, you could look at 6 characters. And of course, for bitcoin I mean don't include the prefix in the count like 1 or 3 or bc1q.

Buying or selling coffee (or equivalent value), inspect first 5 and last 5, save a little time.
Buying or selling a house, inspect first 6 or 7, save a little time, the house is not going anywhere.
Buying or selling a car, check the whole address before it goes vroom vroom, because it's going down the road away from you ... but you probably have all the details you need, just in case, the payment would just be an irritating hassle if it went to the wrong address.

Its actually quite simple to make mistakes when copying, and pasting anyway. If you need to send to multiple different addresses, and you work in a rather large workspace its simply to miss a key, and assume you actually did copy the newly highlighted address, when in reality you haven't, and because you are familiar with the address itself it will likely go unnoticed.

I get your point, that this is probably enough. Since, the chances of an attacker having a nearly identical address is close to none. However, I personally always check each letter/digit. This is just a habit I've developed, since if you are taking the responsibility of being your own bank, you should probably consider the weight of that. Unfortunately,  because of our culture, and the fact we've started to rely on banks for many years now, we've become acquainted with short cuts, and getting other third parties to assure everything is correct. This develops complacency, which I believe is one of the biggest threats to anyone's security, no matter who you are. In fact, its probably more dangerous as you become more confident, and assured with Bitcoin, since that's basically how complacency works. In the beginning you are probably checking every letter/digit, and your heart is pumping the first time you send that transaction, and check it on the Blockchain to make sure it actually was sent correctly. Then, once you develop a confidence, you start checking less, and less as its a time sink.

However, wallets don't have a built in function to protect you from complacency. Well, they kind of do; some will prompt you whether you mean to send it to x address, but as we are human, and are already susceptible to complacency, most will just click okay without actually checking anything.

Sad, just be careful with your downloads and always have a good antimalware software in place!

When paying small amounts, I don't really check anything. I scan the QR-code and pay. But I'm fully aware of the risks.

For larger amounts, I check all characters. That's how I found this Ledger bug:

I don't really get why a house would be different than a car: the house may not go anywhere, but your money will be gone if you lose it because of clipboard malware. And the house won't be yours if that happens.
For any serious amount:

To show the risks of only checking the first characters: all those addresses hold funds:

I did say inspect first AND last. So a total of 10 characters. ... But yes, your example has the first half the same as another.

Clipboard malware that can do that on the fly (or probably communicates with a server to get an address) is too complex or will get caught or something.

If any malware can create an address with only 8 characters different from the original, within the time it takes for a human to do a copy and then a paste, we've got problems.


The house one is more of, if you are selling the house, it would be the buyer's responsibility to make sure you got paid. I think it came about something else concerning confirmations or blocks. I'd give the keys to the house after seeing the transaction, but I'm pretty sure the new owner wouldn't mind if I waited at least 20 minutes for one or two confirmations.

This is yet another reason to invest some bucks in a reliable Hardware wallet which allows us to double check not only on the screen of the computer but also on the screen of the hardware itself, which has been isolated from the internet and its nasty malwares.

At this point, a Trezor or a Ledger should be a must have for any serious Hodler, imo.  ;)

Someone is farming karma without providing links to the source. Many posts here are the copypasta from reddit but I didn't know it works both ways.

Please report this: https://www.reddit.com/r/CryptoCurrency/comments/pcegqx/how_to_lose_your_bitcoins_with_ctrlc_ctrlv/

Wow i didn't know that a simple thing as Ctrl-C/Ctrl-V could potentialy make you loss so many. Thanks for the info though! even though i never experienced getting scammed or hacked that way and I'm using Windows 10 right now makes me keep vigilant.  :o

I once had plagiarism from one of my posts removed from Medium. It's the first time I see it on Reddit.

I tried, but Reddit wants my full name and address. I'm not doxing myself, so I just downvoted and posted a link to my original topic in the comments.

Windows 10 is not without its drawbacks, even I have been exposed to clipboard viruses. The way it works seems to be inserted in an app that I'm trying to download. This virus is trying to check the wallet address of the thief in every activity Ctrl + V. Fortunately I am aware of this, even I have not tried the transaction. I was just trying to see the balance balance through Etherscan and it turned out that it was very different that what I did was the ETH address that the app brought. I've tried to dazzle and remove it. But every time I say that computer will appear and the last way is to install my computer.

This is totally an eye opener to me, I must confess I have not come across or experience anything of this nature, but right now with this post I am completely informed. Thanks OP.
 ??? But I would want to know another thing about this copy/paste.
How come the address shows or have the same first few characters and last few characters, is it that they run some codes that automatically figured out the kind of address that has been copied into the clipboard or it randomly creates it's own address that has the same first and last characters?
Please, I will sincerely need answers. Thanks.

That's easy: vanitygen (https://bitcointalk.org/index.php?topic=25804.0) and a list/database.

I would like to add a tip here to avoid copy-paste errors and clipboard highjack scams. Instead of using CTRL+C and CTRL+V to copy paste the Bitcoin address, do this -

Select the address with mouse, then click-and-drag it to where you want to paste it.

This will act like a regular copy-paste, but no clipboard is involved.

not sure if this will help in the long term , it could be possible that they already found a way to change that also , i'll stick to the first page and keep deleting some numbers and change them by hand

Be careful with this tip. If you drag things from a text file, then (depending on the application) it'll remove^[1] it from the source document after pasting. It's pretty easy to then accidentally save the file (some time later) and lose whatever it was that you copied.

Obviously, it's not advisable to keep important stuff in random text files, and I would never do that, but, erm... I have a friend who does it all the time.

[1] You can prevent this from happening by making sure to hold down the CTRL key before dragging.

Once your OS is compromised, you can't trust anything anymore. Although I haven't seen this happen yet, I can imagine at some point a compromised OS can make your wallet send funds to an address different than the address shown on your screen. A hardware wallet prevents this, assuming you thoroughly check the address on your hardware wallet before sending funds.

We are currently talking about this issue in the Spanish local board (thread (https://bitcointalk.org/index.php?topic=5405742.msg60575708#msg60575708)). A user was recently infected by a keylogger he installed which came within a KMSPico package, and he lost some funds because the address was changed in the copy-paste process. The addresses may seem similar if you focus on the first or last characters only, as you said, so beware!

I'm sure you meant this way (https://bitcointalk.org/index.php?topic=5190776.msg53529548#msg53529548), and yes I did too. But as a fact it doesn't support in some apps including notepad and some web pages.

As long as you can confirm your own actions (provided you also understand wallet security) and have proven up to this point that nothing happened, then go ahead. It's meant only to show your habits, not to recommend others.

The scammers haven't caught me yet, but I'm glad that I learned about this kind of scam and how to deal with it. Your words sound very logical. Everyone should be careful, as careful as possible when it comes to money. Thanks!

Indeed, in the case of using hardware wallets, the problem with the probability of losing bitcoin using ctrl-C / ctrl-V disappears by itself.

But this paragraph doesn't cancel at all:
You still have to visually check every character in the address bar, which can be a little annoying. But that's the price of not making mistakes.

In addition to these manufacturers, there are many other companies on the hardware wallet market, but for some reason, Trezor and Ledger are most often called when recommending a purchase. It seems that this is due to the fact that these companies have been around for a long time and are known, having proven themselves well. Although not devoid of dubious and controversial points. Therefore, I would recommend not discounting devices from other companies.

Thanks for the interesting post and suggestions. I saw the recommendations and you said in #1 "Don't use windows" - Are you saying that if I don't use windows the chances of this copy/paste hack is zero? For example lets say I own a Mac laptop, am I safe from this attack? Thanks.

No operating system is completely safe and no operating system that can not be hacked. Probably what LoyceV means is that the chance of having such malware on Linux is low. Linux is also completely open source.

According to what I have read before, but which I do not know if it is true or not, is that Linux can be more vulnerable to malware. But most people using it are very conscious and know how to avoid malware perfectly.

According to my findings, the chance of having malware is lower on Mac OS than Windows, but they are still both close source operating systems.

If you have the experience of not letting your OS get infected with malware, you can be safe on all OS, but an open source OS would be another thing to consider, unlike close source which you do not know if the OS has some spyware or other vulnerabilities. No one will want Bill Gates or Apple to be spying on their activities on computer.

Correct. Windows has been "the place to be" for malware for decades. Last year (https://atlasvpn.com/blog/over-95-of-all-new-malware-threats-discovered-in-2022-are-aimed-at-windows), 95% of all malware targeted Windows, even though it's market share is only 30% nowadays.

Thinking you're safe would be the biggest mistake. It's a lot safer, but even if it's a lot smaller, there's always a risk. So assume you're not safe, and act accordingly.

This has happened to me, but I'm lucky I didn't lose a few Bitcoins. I tried to eliminate add ons in Chrome settings, even it was gone when my Laptop turned off and turned on again it will always come back. Even in the end I needed to reinstall my windows when I found out this. Luckily I did a double check before sending crypto. Right now I'm still using Chrome, and some anti-virus. My mistake at that time was trying to install some video editor from an unofficial link and using crack. So there are many factors and we have to be meticulous and careful in every step related to the Internet. Even until now I am still looking for the best browser to access the internet.

Tor or Firefox.

There is really no debate to be had here. Chrome is provably awful in every way, from being filled with spyware, to insecurely storing passwords, to phoning home to Google constantly, to being resource hungry, to tracking everything you do, etc., etc. It is the absolute worst browser you can choose, but especially so for anything sensitive such as crypto. And every browser based on Chrome (Edge, Opera, Brave, Vivaldi, etc.) still has plenty of embedded Google spyware which is near impossible to remove.

I'm sure you've discovered it by now, but you should never run pirated software on any system that should remain secure. Even better if you can find an open source alternative for it.

I was flabbergasted years back, when I discovered Chrome "conveniently" uploaded all my stored passwords to Google.

There was a good chance they were in plain text as well:

https://borncity.com/win/2022/06/12/chrome-speichert-passwrter-im-speicher-im-klartext/
https://www.theverge.com/2019/5/21/18634842/google-passwords-plain-text-g-suite-fourteen-years

How about Duckduckgo?

On Tor, the search engine is also Duckduckgo. It is a good browser.

Google has taught me the lesson to never click on 'save password' ever again. I prefer to use forgot password than to save password as the last resort.

On Google devices (running Android OS), even if you are not using Chrome, clicking on save password while you are using another app makes it synchronized on the Google cloud with your Gmail.

That's a search engine, not a browser.
Never mind, it's a browser too nowdays! I learned something new :) But it's a Windows beta (https://duckduckgo.com/windows), so not really useful for the rest of us.

This days search engine and browser are used interchangeably. So as you said, in the present world, the two are one. But from my finding, Duckduckgo is more of search engine and not really a browser. Look at it.
https://www.talkimg.com/images/2023/07/18/Z8Ox1.png
Duckduckgo (https://duckduckgo.com/)

This simple Ctrl-C/Ctrl-V takes up someone's life's earning. If you don't believe me I can even show you screenshots. Some days ago I too was infected with this malware. And the shocking thing was, when I checked it on blockchain explorer, it had total 28k$ incoming balance. Imagine how many people fell a victim to it. So if anything like this happens, do not hesitate to format disk and reinstall OS freshly. Linux is recommend in this case.

And this is probably just one of the many different addresses used by the malware.

Now the scammers are more smart and all tips and tricks given in the OP post not working. I am saying based on my own practice faced 4 months before but I checked this thread today so I am sharing just my experience.

I copied address and paste it in the Metamask receiving address. I checked address and It was displaying same with address I copied. When I clicked on send button I surprised to see that address was fully changed.

I checked it again and this time I copied 5 letter less and added 5 letter manually, when I clicked on sens button, once again the address on approval pop up was changed. anyway I do every possible method to bypass the malware but couldn't work. we should be very careful and I think the best method is to reinstall the operating system so that malware couldn't spread all programs in our system.

Another form of similar attack are malwares and app that reads clipboard and can get your private key once you copy them. It is better to not deal in private key and type your mnemonics using a combination of keyboard and on-screen keyboard. Store the mnemonics writing the words in a notebook.

That's not a clipboard problem, it's something else. Sign offline, or use a hardware wallet if your system is that compromised.
And don't use Metamask ;)

Why not reinstall operating system which will completely deactivate the malware and then not install any unknown program. It will help to use Metamask securely.

BTW I am using mobile phone for transaction and completely give up PC for transaction. I have no open source hardware as My fund is not that much great and also online order issue.