How to lose your Bitcoins with CTRL-C CTRL-V

[shield132]

Personally, I suggest everyone to use two devices: one for everyday use and one for only special purposes.

For special purposes:
Rule N1 - Use Linux!
Rule N2 - Only visit websites that are 100% secure. For example, if you only use binance, youtube and bitcointalk, visit only these websites and don't move on another one. Don't click on any 3rd party link that's posted on these websites, your browsing history should be only these three websites! This way you are sure that you won't get infected unless there is a problem with these three websites.

In reality, you aren't secured once you are online but it's always better to have two or more devices for special purposes.

Also, consider the OP's advice, always be extra cautious.

[Baskeyairdrop]

I get amazed over and over again when I read post on bitcointalk of means scammers devise to hack people account. I do copy and paste alot and most times do not take note of the address because after checking the the first 5 numbers/letters and they correspond, I go ahead.
Now that I see that I can be hacked in this manner, I would be extra careful.

[xsnarferx]

WOW!!!  Total newbie here.  Thanks for the Win/Droid clipboard heads up!

Do we have a scam alert or threats sub-board?

TIA

[10_sjdovn_10]

Even if you check part of the pasted Bitcoin address, chances are the first few characters are the same, and you still won't notice the address was changed.

Hello, in relation to quote above, i am recently noticed that some bitcoin addresses start with a "1 + meaningful characters  + ... " as if someone customize his address.
How it is possible ? is there any software to do that ? -i am asking for academic purpose!-

[vapourminer]

Do we have a scam alert or threats sub-board?

kinda. its here:
https://bitcointalk.org/index.php?board=83.0

[LoyceV]

some bitcoin addresses start with a "1 + meaningful characters  + ... " as if someone customize his address.
How it is possible ? is there any software to do that ? -i am asking for academic purpose!-

See:
Vanitygen: Vanity bitcoin address generator/miner [v0.22]
Pretty Addy Giveaway - part 2

Note: Checking just the vanity part of the address is not enough to ensure the address is correct. It's always safest to check all characters.

[BevNation]

Note: Checking just the vanity part of the address is not enough to ensure the address is correct. It's always safest to check all characters.

Checking all characters seems like a lot of work to do and one can get a blurred sight along the line but then, looking from the perspective of what is involved, its better to be safe and go through the process than sorry.
It appears the cryptoshpere isn't friendly, lol.

[Cryptoababe]

How to prevent this
1. Don't use Windows, but we both know you're not going to change that.

 .
I also found this article : First Android Clipboard Hijacking Crypto Malware Found On Google Play Store.
Android seems vulnerable too and it was found on Google Play Store, it this already found, for sure there are already some android app spreading with this kind of malware.

I went to search for this android app " clipper" on playstore. And I see that it's very dangerous to use the app. Android is Risky to use these days. Different kinds of malware.

[bob123]

I went to search for this android app " clipper" on playstore. And I see that it's very dangerous to use the app. Android is Risky to use these days. Different kinds of malware.

It's not just android.
It basically is any operating system. Regardless of mobile (android, ios,..) or stationary (windows, linux, macos).

Malware exists for every operating system. It is just that malware for more common systems are more likely to be encountered.
In a targeted attack with malware, it doesn't really matter which OS you are using. You always need to be careful.

[ShowOff]

If malware has infected, is there any other way to clean it apart from reinstalling the laptop?
Someone asked me about this problem, his laptop was attacked by malware hijacking the clipboard. Every time he copied an ethereum address, it had a different address when pasted.

[LoyceV]

If malware has infected, is there any other way to clean it apart from reinstalling the laptop?

There's always a way, but you'll never know for sure. I wouldn't risk it.

[mediaBuzz]

Use QR addresses. No risk at all and no need to reset your operating system.

[LoyceV]

Use QR addresses. No risk at all

Allow me to edit your quote. See for instance fake QR code generators will steal your Bitcoin.

no need to reset your operating system.

You shouldn't use a compromised system for so many reasons!

[Dabs]

See for instance fake QR code generators will steal your Bitcoin.

Uh, don't use websites to generate QR codes, and always scan them with another app to verify what you just generated.

I downloaded a bar code generator that can make all sorts of codes offline, and I think for Android anyway, there is QR-Droid or QR Droid Private.

[ShowOff]

When it comes to safety, perhaps the best option is not to consider trying something that might be risky. I have recommended him to reinstall his laptop, while all important data is well secured and the problem is resolved. Sometime, bad habit of browsing the web will bring about security issues and we have to protect ourselves with the right steps.

[Dabs]

With any bitcoin or other altcoin address, I think the threshold to minimally inspect it would be the first 5 and last 5 characters. If you can check more characters or even the whole address, then so much better.

I don't think it's going to "scale" all that much even in the future, maybe if you're dealing with bigger amounts, you could look at 6 characters. And of course, for bitcoin I mean don't include the prefix in the count like 1 or 3 or bc1q.

Buying or selling coffee (or equivalent value), inspect first 5 and last 5, save a little time.
Buying or selling a house, inspect first 6 or 7, save a little time, the house is not going anywhere.
Buying or selling a car, check the whole address before it goes vroom vroom, because it's going down the road away from you ... but you probably have all the details you need, just in case, the payment would just be an irritating hassle if it went to the wrong address.

[Welsh]

Its actually quite simple to make mistakes when copying, and pasting anyway. If you need to send to multiple different addresses, and you work in a rather large workspace its simply to miss a key, and assume you actually did copy the newly highlighted address, when in reality you haven't, and because you are familiar with the address itself it will likely go unnoticed.

With any bitcoin or other altcoin address, I think the threshold to minimally inspect it would be the first 5 and last 5 characters. If you can check more characters or even the whole address, then so much better.

I get your point, that this is probably enough. Since, the chances of an attacker having a nearly identical address is close to none. However, I personally always check each letter/digit. This is just a habit I've developed, since if you are taking the responsibility of being your own bank, you should probably consider the weight of that. Unfortunately,  because of our culture, and the fact we've started to rely on banks for many years now, we've become acquainted with short cuts, and getting other third parties to assure everything is correct. This develops complacency, which I believe is one of the biggest threats to anyone's security, no matter who you are. In fact, its probably more dangerous as you become more confident, and assured with Bitcoin, since that's basically how complacency works. In the beginning you are probably checking every letter/digit, and your heart is pumping the first time you send that transaction, and check it on the Blockchain to make sure it actually was sent correctly. Then, once you develop a confidence, you start checking less, and less as its a time sink.

However, wallets don't have a built in function to protect you from complacency. Well, they kind of do; some will prompt you whether you mean to send it to x address, but as we are human, and are already susceptible to complacency, most will just click okay without actually checking anything.

[xayan123]

Sad, just be careful with your downloads and always have a good antimalware software in place!

[LoyceV]

Buying or selling coffee (or equivalent value), inspect first 5 and last 5, save a little time.

When paying small amounts, I don't really check anything. I scan the QR-code and pay. But I'm fully aware of the risks.

For larger amounts, I check all characters. That's how I found this Ledger bug:

Code:

DMv1UW6d2vXUqNGw7YZyXjPEx959wM2FEN
               ↑

This is what it looks like on the Ledger:

Buying or selling a house, inspect first 6 or 7, save a little time, the house is not going anywhere.
Buying or selling a car, check the whole address before it goes vroom vroom, because it's going down the road away from you ...

I don't really get why a house would be different than a car: the house may not go anywhere, but your money will be gone if you lose it because of clipboard malware. And the house won't be yours if that happens.
For any serious amount:

2. Check the entire address

the chances of an attacker having a nearly identical address is close to none.

To show the risks of only checking the first characters: all those addresses hold funds:

Code:

14Cnk6Qyt9G4WZfsYfVyL1jcnXciNjbvjk
14Cnk6Qyt9G4Wc2qXYH1er2NiK1yPMZfhq
14Cnk6Qyt9G4WcxPgtU91XvVmXyR5V6ePi
14Cnk6Qyt9G4Zf1L3EhzESXMSAPhT1mg4x
14Cnk6Qyt9G4Zf1h7F3akGrxTJ7DGVTfaC
14Cnk6Qyt9G4Zfhv1BdyiQW7Wrdc5BshFv
14Cnk6Qyt9G4Zfhv1CJLAV5ks773XgzbA5
14Cnk6Qyt9G4Zfhv1CJSHNU7eyNHYK2Rv7
14Cnk6Qyt9G4Zfhv1CJSHNUBo9BN2Ju7Gb
14Cnk6Qyt9G4Zfhv1CJSHNUBo9CrhDp2sz

[Dabs]

I did say inspect first AND last. So a total of 10 characters. ... But yes, your example has the first half the same as another.

Clipboard malware that can do that on the fly (or probably communicates with a server to get an address) is too complex or will get caught or something.

If any malware can create an address with only 8 characters different from the original, within the time it takes for a human to do a copy and then a paste, we've got problems.


The house one is more of, if you are selling the house, it would be the buyer's responsibility to make sure you got paid. I think it came about something else concerning confirmations or blocks. I'd give the keys to the house after seeing the transaction, but I'm pretty sure the new owner wouldn't mind if I waited at least 20 minutes for one or two confirmations.