How to lose your Bitcoins with CTRL-C CTRL-V

[LoyceV]

encourage the use of BIP21 URI scheme instead of raw bitcoin addresses bitcoin:xxxxxxxxxxxxxxxxxxxxxxxxx

I've seen those, but I had a hard time making a payment. I don't like how difficult they make it to just find the address to pay to.

[1713923929]

1713923929

[1713923929]

1713923929

[bitmover]

Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

Hey LoyceV,

Personally I think it is very unlikely that few characters are the same. Maybe 2-3, but if you check also the last 2-3, or about 5, that's almost impossible to happen. The attacker would have to ninja-mine vanity addresses for that.

The victims of this attack mostly don't even check the address. I think that even the address type may be different in most cases (legacy/segwit/nested segwit)

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

I won't change this lol
Never had any problem with windows... and I use computer at lot at work, where I can change my OS =D

I think people bash windows too much, if you have safe online habits and take basic precautions, you are fine...
Certainly I need to learn more about Linux

[NeuroticFish]

2. Check the entire address after copy/pasting, and not just the first few (or last few) characters. Check some in the middle too. That's a lot of work, so chances are you won't do that either.

It's not a lot of work. This is what I do for long time now.
I've got used to it long ago, when the payments for this campaign were sent to Bitsler account. They had at the withdrawal this rule somewhat enforced. It helped me get used to do it.
Now I check the first 3-4 characters, last 3-4 characters and some 3-4 characters from a random position in the middle (I "scan" to find something easy to remember).


Unfortunately I don't have a choice for getting rid of Windows, although maybe a VM with a Linux for crypto handling could not be such a bad idea.
Just I fear that since I don't know much of Linux I may make even bigger mistake...

[coin-investor]

I've read an article on this just last year and a lot of discussions have been created about this malware, and still going on right now because there are new investors coming in and newbies do not know the existence of this malware.
The only way to combat this is awareness and education if you are going to invite people to invest, it's part of recruiting that you educate them and inform then about the existence of these kinds of malware, and precautions to take when sending and trading.

[NeuroticFish]

I've read an article on this just last year and a lot of discussions have been created about this malware, and still going on right now because there are new investors coming in and newbies do not know the existence of this malware.
The only way to combat this is awareness and education if you are going to invite people to invest, it's part of recruiting that you educate them and inform then about the existence of these kinds of malware, and precautions to take when sending and trading.

That's correct. And in the way I was "convinced" to do a real check on the recipient address, the wallets should do the same. It's not hard to make a window pop up and ask for double check start, middle and end. And the more advanced users can deactivate it.

[Laskoo]

Thanks for the tips, the part with using "copy" "paste" for a part of the address and typing the rest is pretty useful, I think this can be used for passwords too for extra security.

Now since this kind of malware is out there (that can change the address copied to clipboard) I wonder if there is a possibility to exist even a malware that change the address "pasted" right before sending the TX (0.1 sec before you click "SEND" button). This would make checking the address worthless and your coins would vanish, so let's hope not.

[NeuroticFish]

Now since this kind of malware is out there (that can change the address copied to clipboard) I wonder if there is a possibility to exist even a malware that change the address "pasted" right before sending the TX (0.1 sec before you click "SEND" button). This would make checking the address worthless and your coins would vanish, so let's hope not.

Although your use case is highly improbable, there's counter measure for that too.
For example if you use Electrum, instead of pressing Send, you can press Preview and check there. Then Sign and Broadcast. If you go on this path there's no place they can change anything, no matter what.

[bob123]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

Changing the OS doesn't necessarily eliminate this risk.
Such malware already has been seen in the wild for MacOS. And they can also easily exist for unix based operating systems.

I still believe checking the first and last 4-5 characters is enough.

Without doing the actual math, i am also pretty sure that this is enough to prevent such clipping board malware.

1) It is not possible for the malware to create that much addresses / store that much addresses on the victims computer without being blatantly obvious (if possible at all; i didn't do the actual math but this shouldn't be possible in a relatively short amount of time)
2) I have not seen any non plain-dumb clipping board malware yet (which doesn't mean that it doesn't exist tho).

[o_e_l_e_o]

I wonder if there is a possibility to exist even a malware that change the address "pasted" right before sending the TX (0.1 sec before you click "SEND" button).

In addition to NeuroticFish's good suggestion above regarding Electrum, this would also be prevented by using a hardware wallet (and not just for bitcoin, but for all coins). Even if the malware changed your "send to" address just as you clicked "send", you would still have the opportunity to check the address on the hardware wallet's screen, and cancel the transaction if the address was different.

[Laskoo]

I wonder if there is a possibility to exist even a malware that change the address "pasted" right before sending the TX (0.1 sec before you click "SEND" button).

In addition to NeuroticFish's good suggestion above regarding Electrum, this would also be prevented by using a hardware wallet (and not just for bitcoin, but for all coins). Even if the malware changed your "send to" address just as you clicked "send", you would still have the opportunity to check the address on the hardware wallet's screen, and cancel the transaction if the address was different.

Thanks for the tip, actually I am using Ledger Nano S (with a low amount of BTC), but since I like old school things I am using Bitcoin core wallet just because I trust it more than 3rd party apps, like Ledger's app, Electrum, etc.

Maybe I am just a bit paranoid with this things, sorry

[El-Cezeri]

Thanks for this wonderful topic @LoyceV! It will be useful for beginners. I have many friends who are victims of this.
I translated this topic into Turkish.

Dikkat: CTRL-C CTRL-V ile Coinlerinizi Nasıl Kaybedersiniz? 

[Laskoo]

Thanks for this wonderful topic @LoyceV! It will be useful for beginners. I have many friends who are victims of this.
I translated this topic into Turkish.

Dikkat: CTRL-C CTRL-V ile Coinlerinizi Nasıl Kaybedersiniz? 

This is actually a good idea.
If this is allowed and of course, @LoyceV is OK with it, I can translate it too for the Romanian sub-forum.

[LoyceV]

I can translate it too for the Romanian sub-forum.

Translating any topic is okay, as long as you give credits to the original post. So go ahead

[El-Cezeri]

I can translate it too for the Romanian sub-forum.

Translating any topic is okay, as long as you give credits to the original post. So go ahead

Of course, thanks for your efforts.

[loan.ruiu1]

I have encountered this case! I copied the address of a friend and pasted it into the deposit address. However, I have observed and found it unusual. I feel fortunate to have observed it! I tried to copy several times and it only shows someone's address. I took the computer to the store and ran the window software again. There was a lot of data lost

[LoyceV]

I took the computer to the store and ran the window software again. There was a lot of data lost

Although slightly off-topic here, you made 2 mistakes that could have been prevented:
1. You didn't make backups.
2. You shouldn't trust anyone else with your data.

[Robot1982]

With enough care, this type of clipboard malware can be prevented. However, I am more concerned with the next type of malware that will change the address in the browser (source). For example, if you want deposit bitcoin to an exchange, the malware could change the address that the browser shows you to the attackers address. I don't think it is too difficult to create a chrome extension that does this (disguised under something else of course). You can compare the addresses (source and destination) and you will see no difference. How do you fight such an attack?

[Dabs]

Although your use case is highly improbable, there's counter measure for that too.
For example if you use Electrum, instead of pressing Send, you can press Preview and check there. Then Sign and Broadcast. If you go on this path there's no place they can change anything, no matter what.

For some reason, I almost always do this. Do a preview... invariably because I'm trying to adjust the fee all the time or tweaking the transaction to avoid using change or change addresses if my goal is to send everything.

That's another reason to always use the preview then before broadcasting. While you're at it, the more paranoid could use multi-sig with another computer / mobile device that also has Electrum, although that's more work to do.

I've only been infected once in my life (ok, a few times) but all those times can be attributed to carelessness.

Knowing that vanitygen / vanitysearch takes a long time with 5 or more character prefixes / suffixes, I find that checking BOTH the first 5 and last 5 are usually good enough. If some hacker / malware got on your system without you knowing and matched the first 5 and last 5 of the address you wanted to use, they must have targeted you specifically to generate that kind of address. Check your house and work place, they already bugged everything.

[LoyceV]

With enough care, this type of clipboard malware can be prevented. However, I am more concerned with the next type of malware that will change the address in the browser (source). For example, if you want deposit bitcoin to an exchange, the malware could change the address that the browser shows you to the attackers address. I don't think it is too difficult to create a chrome extension that does this (disguised under something else of course). You can compare the addresses (source and destination) and you will see no difference. How do you fight such an attack?

If that's possible in a browser, I'd expect it to be exploited for banks first: there's much more money to get and they have much more users.

[o_e_l_e_o]

I don't think it is too difficult to create a chrome extension that does this (disguised under something else of course).

It's an interesting thought. Certainly we know that people will download any old browser extension or mobile app without so much as a second thought, let alone actually spend time reviewing the code. We've seen people lose bitcoins due to downloading apps which give them a sparkly background or a new font on their keyboard, for crying out loud. The best defence against such a hypothetical attack is prevention; there are a grand total of less than 10 good browser add ons. Anything else is not only unnecessary but also introduces unnecessary risk.

If that's possible in a browser, I'd expect it to be exploited for banks first: there's much more money to get and they have much more users.

The vast majority of online banking payments are made through a secure payment processor, whereas the vast majority of online bitcoin payments are made through copying and pasting an address. It would be much easier to change the later than the former.