How to lose your Bitcoins with CTRL-C CTRL-V

[nakamura12]

Right before opening this thread the first thing that came to my mind after reading the title is because of clipboard hijacking. This victim didn't double check the wallet address that he pasted and hit send right after. I think it is a lesson learn for the victim and also a loss of his bitcoin.

[1713289652]

1713289652

[Dabs]

there are a grand total of less than 10 good browser add ons. Anything else is not only unnecessary but also introduces unnecessary risk.

I'm one of those types that don't use any add ons. Just the bare bones browser. Just two actually, the Tor browser (which is based on Firefox) and plain Firefox. I even go into the settings and disable a bunch of different things, don't save any history, don't save anything, and rearrange the icons to somewhat resemble some classic look.

I got Firefox Focus on my android devices. Kinda a hassle since it doesn't remember anything after closing it, but good for taking a quick look at different sites or just finding out the answers to a couple of simple questions.

And yeah, default search engine is the duck, I delete everything else.

whereas the vast majority of online bitcoin payments are made through copying and pasting an address. It would be much easier to change the later than the former.

A lot go through so called bitcoin payment processors (bitpay / btcpay / clones), but that's still correct, you have to copy and paste to those addresses.

[o_e_l_e_o]

I'm one of those types that don't use any add ons. Just the bare bones browser. Just two actually, the Tor browser (which is based on Firefox) and plain Firefox. I even go into the settings and disable a bunch of different things, don't save any history, don't save anything, and rearrange the icons to somewhat resemble some classic look.

I use a handful of add-ons, but they are all directed at doing what you are doing: Increasing privacy and security whilst decreasing tracking. Even if you are aiming for the "bare-bones", I would still recommend uBlock Origin, HTTPS Everywhere and Privacy Badger.

I'd be interested to know which settings you are changing in Firefox or Tor? Do you just mean the ones under Tools -> Settings, or anything more advanced? I have quite a list of things I change in about:config whenever I am installing/reinstalling Firefox or Tor, everything from limiting the Referer header to refusing/auto-deleting cookies, and I'm always on the lookout for any more changes I could be making.

I also use DDG as my default search engine, and occasionally searX if DDG isn't finding what I want. Startpage used to be good too, but was recently bought out by a company which tracks you to serve you targeted ads, so is now just a privacy-invading as Google.

[BitMaxz]

I use a handful of add-ons, but they are all directed at doing what you are doing: Increasing privacy and security whilst decreasing tracking. Even if you are aiming for the "bare-bones", I would still recommend uBlock Origin, HTTPS Everywhere and Privacy Badger.

Don't forget to add the WebRTC which can block your chat, voice, and video from monitoring and always use the private browsing of Firefox as it gives you more protection it can remove all traces of your browsing activity and it can protect you from keyloggers and block websites from tracking your PC.

If you completely have these tools in your browser you have 99% secured and no leaks for your privacy it is likely you are browsing anonymously except for IP.

[o_e_l_e_o]

Don't forget to add the WebRTC

Yup, already disabled. Thanks.

always use the private browsing of Firefox as it gives you more protection it can remove all traces of your browsing activity and it can protect you from keyloggers and block websites from tracking your PC.

Although I auto-delete most cookies and history, removing all traces of browsing activity isn't high on my priority list since I use whole disk encryption, and no one else has access to my computer. I'm not sure private browsing will protect you from key loggers though.

it is likely you are browsing anonymously except for IP.

I only ever connect via VPN +/- Tor, so no IP concerns there. This set up doesn't make you anonymous, though. By changing all these things I'm very aware that I have a probably unique browser fingerprint. You have to go to extra steps to spoof what you can to blend back in to the crowd.

[Chikito]

Those article for old version on windows 10

I Try to Guide how to disable it on Windows 10 1903 Version

Settings >> Privacy

Inking & Typing Personalization



Diagnostics & feedback



Activity history



Setting >> system >> clipboard
Turn off clipboard


When We On a Clipboard, Copied anything will save on clipboard

[o_e_l_e_o]

-snip-

I'm afraid you are kidding yourself if you think changing those settings does anything at all to protect your privacy.

Have a look at the other articles I linked to in my post which you quoted. Even with all these settings turned off, even with telemetry, Cortana, monitoring, diagnostics, etc., turned off in services.msc and in gpedit.msc, even after installing third party tools designed to block these features, Windows 10 still monitors what you do and sends it back to Microsoft thousands of times a day. Sure, if you turn off "Typing Personalization", then your predictive suggestions might not be as relevant, but Windows will still be recording and sending back your keystrokes. They are still using your data, just not in a way you can see.

It's like when you turn off Location History in Google. Google still have a complete record of your entire location history, it's just that you can't see it anymore. It's an illusion of privacy, nothing more.

[Chikito]

Your statement aware me, for example, when I copied my private key or seed into electrum they will be recorded and sent to the company.
I am confusing to know how they record my data when I use a hardware wallet?.

[o_e_l_e_o]

I am confusing to know how they record my data when I use a hardware wallet?

They can't. With a hardware wallet, your private keys do not leave the hardware wallet. Any transactions you make are generated on your computer, sent to your hardware wallet to be signed by the private key(s), and then the signed version returned to your computer to be broadcast. The whole point of a hardware wallet is that you can use it safely on any computer, even one infected with malware, without risk of losing your coins (provided you double check the addresses and amounts you have entered are correct).

[PrimeNumber7]

The solution to this problem is really to avoid getting infected with malware. If your computer is infected with malware, and you are interacting with your coin, your coin is likely gone. Once you discover that your computer is infected, you should stop interacting with your coin via that computer and also stop using that computer.

Some malware can change what is displayed on your computer. So if you paste/type a certain address, that address may be displayed on your screen, but the address transmitted to any website you are on would be changed. Even if you are taken to a second conformation page, the website may transmit the address that the malware changed to but your computer would display the original address that was on your screen. The same would apply if you received a confirmation email and read the email on the same computer that is infected.

[o_e_l_e_o]

The solution to this problem is really to avoid getting infected with malware. If your computer is infected with malware, and you are interacting with your coin, your coin is likely gone. Once you discover that your computer is infected, you should stop interacting with your coin via that computer and also stop using that computer.

Few people are going to willingly access their coins on a computer that they know is infected with malware. The idea is protect yourself against potential malware that you don't know you are infected with, and that's why hardware wallets are such a big improvement over software wallets as I said above. Even in the case of clipboard malware or malware which changes the address you are sending to a website as you describe, it can't change the address on the screen of your hardware wallet. As long as you double check the screen of your hardware wallet against the screen of your computer as described in this thread, then you won't lose your coins.

[TheBeardedBaby]

I have another suggestion which I already posted here:
KeePass is password manager but it's really helpful when it comes to save bitcoin addresses.
I made a simple setup just to test it and it works fine. see the pics below.
You can modify pretty much everything, and you can have it on a USB drive as well (there is a portable version).

What you do is just save as many keys as you want, then open a website or select a place where you want to type your key and go back to KeePass, right click the key you wnat and just click "AutoType". The address will be automatically written. No copy -paste.

The KeyPass is password protected, free, open-source and one of the top password managers. But if you don't trust a single password break point protection it's perfect for storing crypto addresses.
There are browser add-ons as well.

You can choose what to type, how to type and where to type it.

[noorman0]

Some time ago I once gave tips (in my local language) to reduce the use of the CTRL C & CTRL-V shortcut, especially in copying sensitive data and when connected to the internet.

⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀	Select> drag> drop. This gif picture might represent it as my explanation. This method doesn't save anything to the clipboard at all. (I've not tried it on Linux).
Edit: Image doesn't appear, click here instead. ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀	Splitting to several parts. AFAIK, the clipboard hijacker will read the length of the chars/strings stored in the clipboard with several other parameters to find out the type of copied wallet address. You can split it into as many parts as you want and paste it randomly. That way, the virus won't read that it's the wallet's address.

Although these methods takes a little time, at least now I don't really think about it and it has become my habit unconsciously. I just thought, it's better to waste a little time than to be fast but in the end I've to return from the beginning if I lost my assets.

[Dabs]

The drag and drop method might be more practical.

The splitting stuff in the clipboard, ... you're doing that if you're suspecting you have malware. If you suspect you have malware, do that to confirm that you do have some sort of malware (or use a fake address to see if it changes when you paste it), but then stop using that computer until you have cleaned the malware (or otherwise nuked and reformatted and reinstalled a clean OS.)

[DimitrisLodirogas]

Always check first and last letter/number + if there space in between. Easy, thank me

[o_e_l_e_o]

Always check first and last letter/number + if there space in between. Easy, thank me

If you read the previous replies in this thread, you'll understand that that's not enough to guarantee the safety of your coins. Advanced clipboard malware will have many addresses it can use to override your copied address, and will pick one as similar as possible, potentially with the same first and last character or even few characters. Only checking the start and end still leaves you open to attack.

The only way to be totally safe is to check the entire address. It takes less than 10 seconds to do so. Why take the risk?

[Dabs]

You don't even need to check the entire address. No malware in existence will match the first 5 AND the last 5 characters of an address. If any malware has it's own key generation algo or use a predefined list, it most likely will be the first few characters only.

Understanding how VanityGen or VanitySearch (or any other Vanity address generator) works, you'll know why.

When you're dealing with a significant amount, you will tend to look at the entire address anyway.

[tvplus006]

Some time ago I once gave tips (in my local language) to reduce the use of the CTRL C & CTRL-V shortcut, especially in copying sensitive data and when connected to the internet.
This gif picture might represent it as my explanation. This method doesn't save anything to the clipboard at all.
(I've not tried it on Linux)
AFAIK, the clipboard hijacker will read the length of the chars/strings stored in the clipboard with several other parameters to find out the type of copied wallet address. You can split it into as many parts as you want and paste it randomly. That way, the virus won't read that it's the wallet's address. ...

I was not familiar with this method of dragging an address. But after trying it, I realized that it is more convenient than doing a comparison of your address. I consider the second method less convenient. But in any case, you still need to check the entire address before sending.

[Lauren Smith]

I thought I would leave my personal story and some advice that will save someone from what happened to me.

Never ever cut and paste. I did this with a wallet.dat file once since I wanted to move it before copying. I can't remember exactly what happened but I ended up pasting it over itself and when I tried it, it never worked. I tried to delete it and get it from the recycle bin but it still didn't work. I lost 0.09btc worth of alt coins doing that. So for the love of God copy paste for everything you ever do on pc. Cut and past is silly and anything can happen. Like what if the power goes off? Now you have corrupt files like I had.

The next thing that is also related to copy pasting an address is h very careful what you download. I once downloaded an app and it used a QR scanner. The QR scanner changed the address to the thiefs address. So no matter what you scan their address pops up. I used the app from the Google store. I never got my bitcoins I looked and it was sent to the thiefs address. Thankfully I only sent $3 but what if it was more? I often wonder how much money these scammers get. It disgusts me that they do not work for money they sit back and wait and have transactions come in from unexpected victims.

No matter what you do in life check it teic thrice. Hell check it 10 times. Remember all the hours of work to t took you to earn that bitcoin. Taking even 10 whole minutes to make a transaction is better then taking a lose. 10 minutes is nothing compared to the amount of hours you put in.

I also want to thank the op. I thread similar to this helped me be mor vigilant towards copy pasting addresses. Topics like this save people money.

[Robot1982]

What could solve this types of hacks is by digitally signing the payment request. I recently found that there already is a BIP for this: https://bitcoinj.github.io/payment-protocol. The "magic feature" is at point number 7. This has to be implemented on both ends. So for example if you want to send money to an exchange, the exchange would create a request and sign it. Your wallet would verify the digital signature and allow you to confirm that this is what you want. And this could also work the other way around: if you want do withdraw funds from an exchange, your wallet would create a signed request and send it to the exchange. Then the exchange would verify the signature and only if it is valid it would release the funds. For this to work you would need to create a certificate and upload it to the exchange and also download their certificate and import it into the wallet. A more advanced solution would be to use certification authorities (CA) just like with https certificates but this would be a centralized solution, so I am not sure about that. I think this would be a very powerful feature but I am not aware of any wallet using this. Also this would be a very good proof of payment.