How to lose your Bitcoins with CTRL-C CTRL-V

[LoyceV]

I just saw another victim of clipboard hijacker malware.

How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.
2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.
3. I came up with something else: don't copy the entire Bitcoin address, copy only a part, and manually type the last few characters. Even if the malware exchanges the incomplete Bitcoin address by their own, your wallet won't accept the (invalid) address if you've typed a few more characters by yourself.
You'll still need to follow Step 2 after this: check the address!
4. Use copy/paste to verify part of your address. Suppose you want to send funds to address 1PjpEgknyKxQKXtMcYFDym8odkfohFGkui. After copy/pasting, select "yKxQKXtMc" from the pasted address, then press CTRL-C. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address. And make sure the source is authentic: email can be spoofed too!
5. I'll add o_e_l_e_o's suggestion here:

Any time I am sending coins from any wallet I physically place the address I know is correct directly from the source, right next to the address I have entered to send to. That usually means either holding my hardware wallet or phone up next to my computer screen, or resizing two windows on my phone or computer to put the two address physically right next to each other. Once you have two addresses which are less than inch apart, its very easy to check the entire address and not just a few characters at the start or end.

Stay vigilant
Check, double check and tripple check before sending funds!


No spam please
I said please
I'll remove excessive quotes.

[evgenia_volkova]

I was a victim year ago and I would like to add one more think to your post.

If you see that your address are being changed that means your system is affected by the malware. To resolve it permanently please change the hard-disk of your system and install Ubuntu. This is what I was advice to do. And how to be aware is already addressed by OP.

It is better not to download or browser random stuff on the system which you use for trading or storing your funds. Definitely not a good exercise to store funds in desktop wallets but if you have store then be aware.

[Mahanton]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

Now im getting worried with that Windows 10 Cortana and currently been tweaking out its privacy settings.Is this really a keylogger?. So far i havent experienced any clipboard malwares but i do have that behavior on double-triple checking address before sending out  some coins.

Thanks for the reminders and this isnt a spam.  

[AB de Royse777]

Pity that it never happened with me :-P

Well on a serious note, staying a bit careful before downloading or clicking any link solves the problem more that 50% I would say. The rest is coming with the external device like USB sticks we use. If we are not sure about the device status (whether it's clean or not), we should not inject them in our USB port.

I hope it was not spam? :-P

Edit: By the way, how about using a multiSig address? If your device is compromised and the address has changed you can see it once you load the tx file in the other device before final sing and broadcasting.

[GreatArkansas]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

 .
I also found this article : First Android Clipboard Hijacking Crypto Malware Found On Google Play Store.
Android seems vulnerable too and it was found on Google Play Store, it this already found, for sure there are already some android app spreading with this kind of malware.

As stated on the article, most of the android app that has like this kind of malware are those impersonating android app fake android app, just like bitcoin wallet.
Since that is also about cryptocurrency.

To do this, attackers first tricked users into installing the malicious app that impersonated a legitimate cryptocurrency service called MetaMask, claiming to let users run Ethereum decentralized apps in their web browsers without having to run a full Ethereum node

[yazher]

I may post this on my Daily news on our local board. thanks for the info bro. Cause I often use this feature in windows when I'm sending some BTC to my exchanges address. thankfully I double-check the addresses before I send it. therefore every time we send some BTC we don't need to rush for it it is always better to see the address if it is right or else you will get nothing even after a hundred confirmation in the transactions.  

[Theb]

From what I personally notice with the clipboard/copy and paste virus it only gives you a similar address only to the first few characters of your own address sometimes also the last few characters at the end of your address are also similar as well. But if you look at the middle part you will see that there is no similarity at all in fact they are completely different. For people that has known and used their address for a long time now you can immediately spot the differences. I do recommend people trying it out on there Windows pc if they have the clipboard virus by just simply trying to copy/paste the address you have so that you are always aware that your pc is clean from that malware.
 

[TalkStar]

Its really a matter of concern that in every single second these hackers are trying to discover new ways for stealing fund from our wallet. Basically most of us like to complete copy-paste by using our keyboard option and these hackers wisely targeted that area to make users fool. To keep us secure from this kinda keyboard malware sender should be much careful during completing transactions from one address to another.

▪︎ Please double check the receiver address before clicking the final confirmation button.
▪︎ After pasting the address please check similarities between both address part by part. Don't give priority to few first charecters only where its necessary to check middle and last part too.
▪︎ You can take the help of notepad to match both addresses easily.

[dothebeats]

This also happens in Android OS more frequently, I believe, as there are random apps capable of snooping data up to system-level and change some of the configurations and voila! Your Android phone is infected! We also know that there are still a lot of people downloading apps that are not from official releases and from the official Playstore in order to get some cracked APKs for their games, apps etc and that is alarming. I almost became a victim of the clipboard hijack thingy just a couple months back by downloading this file manager from a XDA-Developers post (which has since been removed thankfully).

I also found this article : First Android Clipboard Hijacking Crypto Malware Found On Google Play Store.
Android seems vulnerable too and it was found on Google Play Store, it this already found, for sure there are already some android app spreading with this kind of malware.

Knowing how Google Play checks every app on their store before getting it live, it's really rare for a malware-infected app to get through. This might be the first one recorded, but I'm pretty sure that there are tons existing out there in the wild.

[unsoindovo]

I just saw another victim of clipboard hijacker malware.

How it works
1. You select a Bitcoin address, and press CTRL-C.
2. The malware changes the address to an address owned by the hacker/scammer.
3. You press CTRL-V and lose any funds you send.
Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.
2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.
3. I came up with something else: don't copy the entire Bitcoin address, copy only a part, and manually type the last few characters. Even if the malware exchanges the incomplete Bitcoin address by their own, your wallet won't accept the (invalid) address if you've typed a few more characters by yourself.
You'll still need to follow Step 2 after this: check the address!
4. Use copy/paste to verify part of your address. Suppose you want to send funds to address 1PjpEgknyKxQKXtMcYFDym8odkfohFGkui. After copy/pasting, select "yKxQKXtMc" from the pasted address, then press CTRL-V. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address. And make sure the source is authentic: email can be spoofed too!

Stay vigilant
Check, double check and tripple check before sending funds!


No spam please
I said please
I'll remove excessive quotes.

If I can suggest a simple work around to avoid this kind of theft, I can suggest a easy virtual machine installation
I use it for my home banking and Crypto transfers.
An USB, 128gb or more to get acceptable performance
All the address saved in the task bar to avoid fake site found by googling
Linux lubuntu, a lighted and fast version of Linux.
When I need to use home baking or Crypto wallet I use this USB. I called it bank box.
Not sure at 100, but for sure more Than home pc.
If I'm forced to use it from my home pc, I usually check the first and last 3 or for address chars.

[GSpgh]

Does anyone else find the SegWit bech32 (bc1...) addresses harder to verify visually? I don't know if it's the long prefix or the all lowercase format but it's just so unwieldy.

But even since before SegWit I got used to Ctrl-C + Ctrl-F re-verification - it's quick and works well. Speaking of that - I think this is an error:

After copy/pasting, select "yKxQKXtMc" from the pasted address, then press CTRL-V. Then, use CTRL-F followed by CTRL-V to see if the partial address matches the original source of the address.

I think it should be Ctrl-C, then Ctrl-F, then Ctrl-V.

[o_e_l_e_o]

Now im getting worried with that Windows 10 Cortana and currently been tweaking out its privacy settings.Is this really a keylogger?.

Yes. Windows 10 has a built in keylogger, and it sends everything you type to Microsoft for "analysis". See the following links:

https://www.pcworld.com/article/2974057/how-to-turn-off-windows-10s-keylogger-yes-it-still-has-one.html
https://www.technorms.com/45807/turn-windows-10-keylogger-improved-data-privacy
https://www.techadvisor.co.uk/how-to/windows/how-disable-hidden-keylogger-in-windows-10-3639643/

But on a much wider scale, Windows 10 is a privacy nightmare. It collects everything from your keystrokes and voice input to your contacts, emails, browsing history, location history, etc., etc. Turning off all the telemetry and turning all the privacy settings to max doesn't help. Have a read of these reports if you want to be really worried:

https://arstechnica.com/information-technology/2015/08/even-when-told-not-to-windows-10-just-cant-stop-talking-to-microsoft/
https://thehackernews.com/2016/02/microsoft-windows10-privacy.html

Even with these features disabled via group policies, Cortana is still sending your search history to Microsoft, and OneDrive is phoning home for unknown reasons, for example. Even with all telemetry features disabled, Windows 10 still made a staggering 5,500 connections to almost 100 different IP address in only 8 hours.

As LoyceV says, don't use Windows.


Any time I am sending coins from any wallet I physically place the address I know is correct directly from the source, right next to the address I have entered to send to. That usually means either holding my hardware wallet or phone up next to my computer screen, or resizing two windows on my phone or computer to put the two address physically right next to each other. Once you have two addresses which are less than inch apart, its very easy to check the entire address and not just a few characters at the start or end.

[masulum]

I think it should be Ctrl-C, then Ctrl-F, then Ctrl-V.

Nothing wrong with that tutorial, Why CTRL+V, then CTRL+F, then CTRL-V, After you have copied wallet address, you need to paste clipboard. It means we need the first CTRL+V, After we are pasted wallet address, we need to check wallet address from clipboard results, then we need CTRL+F.  The last CTRL+V is for a paste wallet address on the search form.

So, for complete process is CTRL+C > CTRL+V > CTRL+F > CTRL+V, like LoyceV says.

[prix]

If I can suggest a simple work around to avoid this kind of theft, I can suggest a easy virtual machine installation
I use it for my home banking and Crypto transfers.
An USB, 128gb or more to get acceptable performance
All the address saved in the task bar to avoid fake site found by googling
Linux lubuntu, a lighted and fast version of Linux.
When I need to use home baking or Crypto wallet I use this USB. I called it bank box.
Not sure at 100, but for sure more Than home pc.
If I'm forced to use it from my home pc, I usually check the first and last 3 or for address chars.

I also used a virtual machine for some time and it was with lubuntu too.
But still, this method, although safer, also has drawbacks if a trojan settles on the main computer.
Therefore, over time, I moved to an old dedicated laptop.

I hope did you turn off access to the host clipboard in the guest isolation settings?

I also think that 3+3 characters is not enough. It is possible to do hijacker that will pick up a larger number of characters.

[unsoindovo]

If I can suggest a simple work around to avoid this kind of theft, I can suggest a easy virtual machine installation
I use it for my home banking and Crypto transfers.
An USB, 128gb or more to get acceptable performance
All the address saved in the task bar to avoid fake site found by googling
Linux lubuntu, a lighted and fast version of Linux.
When I need to use home baking or Crypto wallet I use this USB. I called it bank box.
Not sure at 100, but for sure more Than home pc.
If I'm forced to use it from my home pc, I usually check the first and last 3 or for address chars.

I also used a virtual machine for some time and it was with lubuntu too.
But still, this method, although safer, also has drawbacks if a trojan settles on the main computer.
Therefore, over time, I moved to an old dedicated laptop.

I hope did you turn off access to the host clipboard in the guest isolation settings?

I also think that 3+3 characters is not enough. It is possible to do hijacker that will pick up a larger number of characters.

OK for the keyboard host settings.
But I think vm remain one of the most secure and safe behavior against theft.
But this is true, if you just use this virtual machine for that task.
Never navigate on internet fron bank box, neve read email from there.
Do just bank/Crypto transfert from saved Link.

[GSpgh]

I think it should be Ctrl-C, then Ctrl-F, then Ctrl-V.

Nothing wrong with that tutorial, Why CTRL+V, then CTRL+F, then CTRL-V, After you have copied wallet address, you need to paste clipboard. It means we need the first CTRL+V, After we are pasted wallet address, we need to check wallet address from clipboard results, then we need CTRL+F.  The last CTRL+V is for a paste wallet address on the search form.

So, for complete process is CTRL+C > CTRL+V > CTRL+F > CTRL+V, like LoyceV says.

No, the post says to select a part of the pasted address, I assume to avoid triggering the clipboard malware. It wouldn't make sense to do Ctrl-V immediately after selecting a piece of text. Anyway, it's been fixed so not an issue anymore.

Your method works too but only if malware doesn't do reverse substitution.

[robelneo]

I become aware of that two years ago it was big news back then, that was one of the reasons I add another anti-malware on my computer I also develop a habit where I will wait 30 seconds before sending the funds I will look on the first three character and the last three character to make sure I'm sending to the right address, if you're aware on something like this you will develop a precautionary measure so that it will not happen to you.

[stompix]

Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.
And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.

[TheBeardedBaby]

Isn't it enough to check just the fist 4-5 and last 4-5 characters? This is what I do every time, if the first and last match I don't think I'm in danger.  If they manage to generate address similar to the address you are paying to with the first few characters, checking the last ones should make it super save, am I wrong?

[LoyceV]

Was wondering the same, how many checked characters would make the process safe?
I read that vanity gen is able to do 50mils keys per second, let's keep this number, multiply by 10 seconds and at this point, I still believe checking the first and last 4-5 characters is enough.

I can imagine malware that connects to an external server, which stores a large database of pre-created addresses.

And without having a clue I doubt the malware would store billions of addresses in text files and filling up the HDD with those.

There's also malware that monitors 2.3 million Bitcoin addresses: thanks to the public blockchain it's easy to create a list of all addresses that are worth stealing, and include a couple million similar addresses in the malware.

Isn't it enough to check just the fist 4-5 and last 4-5 characters?

It's probably enough, but I prefer a higher degree of certainty than just "probably".