Bitcoin Forum
Author Topic: PSA: Bitcoin Address Clipboard Malware  (Read 164 times)
MisterBitconio (OP)
Jr. Member
Activity: 65
Merit: 4
July 02, 2020, 04:43:31 PM
Merited by o_e_l_e_o (2)
 #1

I'm not sure if this is the correct place to put this (and apologies if this is old news), but I thought I'd share this so as to encourage anyone reading this to take the necessary safety measures when sending bitcoin.

A friend of mine recently encountered a malware, which, upon copying a bitcoin address to your clipboard (with the purpose of pasting it in a wallet to issue a transaction) overrides that address and replaces it with the attacker's own bitcoin address. This is all done quietly, and the malware was not detected by the common antivirus software.

Not to mention, if you are a person who uses VPS servers or connects to servers using Remote Desktop Connection or some other remote control software, this malware seems to be able to "go through" that software.
Ex: If the VPS is infected and you have it opened using your RDC client, copying an address on your main machine will still allow the malware to change your clipboard (because of how RDC/RDP work).

Always double check the first and last few letters of the bitcoin address you are sending money to, even if you just copy pasted it.
Ucy
Sr. Member
Activity: 2576
Merit: 402
July 02, 2020, 06:23:22 PM
 #2

I'm not sure if this is new. I think I have seen it discussed before on the forum. Maybe it's not discussed often because it isn't a common problem.
I sometimes double check the addresses before hitting the send button... that will probably help
o_e_l_e_o
In memoriam
Legendary
Activity: 2268
Merit: 18588
July 02, 2020, 06:29:50 PM
 #3

Yeah, this is a very common malware.

It's not entirely safe to check the first few and last few letters either. There also exists malware which has a database of addresses it can choose to replace yours with, and will pick an address which is similar to your address. The only way to be completely safe is to check the entire address. The easiest way to do this is to put the window or device with your wallet on it physically right next to the window or device with the address you want to send to. Once the two addresses are physically right next to each other, it takes <10 seconds to check the entire address matches up.

I'd also suggest having a read of this thread from LoyceV which discusses all this in more detail: How to lose your Bitcoins with CTRL-C CTRL-V
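
The point made in the post above, that a glance at the first and last few characters can be fooled while a full comparison cannot, shown as an added example that is not part of the thread. The function names and both sample strings are constructed for illustration; the strings are not real addresses.

```python
# Added example, not from the thread. EXPECTED and PASTED are constructed
# strings shaped like addresses; they are not real Bitcoin addresses.
EXPECTED = "1Exa" + "mpLe7hQ2mVtK9sYpR4dWzN8cB" + "xGfA"
PASTED = "1Exa" + "Qr5nT8wLkZ3vJ6uHb2yMe9gC7" + "xGfA"


def glance_matches(expected: str, pasted: str, n: int = 4) -> bool:
    """What a quick visual check covers: the first n and last n characters."""
    return expected[:n] == pasted[:n] and expected[-n:] == pasted[-n:]


def diff_positions(expected: str, pasted: str) -> list:
    """Indexes at which the strings differ; extra length counts as a difference."""
    longest = max(len(expected), len(pasted))
    return [i for i in range(longest)
            if i >= len(expected) or i >= len(pasted) or expected[i] != pasted[i]]


def check_paste(expected: str, pasted: str, n: int = 4) -> dict:
    """Classify a pasted address against the one taken from the trusted source."""
    expected, pasted = expected.strip(), pasted.strip()
    diffs = diff_positions(expected, pasted)
    if not diffs:
        verdict = "match"
    elif glance_matches(expected, pasted, n):
        verdict = "lookalike"  # passes the glance, fails the full comparison
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "diff_positions": diffs}


def side_by_side(expected: str, pasted: str) -> str:
    """Stack the two strings and mark every differing column with '^'."""
    diffs = set(diff_positions(expected, pasted))
    width = max(len(expected), len(pasted))
    marks = "".join("^" if i in diffs else " " for i in range(width))
    return "\n".join([expected, pasted, marks.rstrip()])


if __name__ == "__main__":
    print(check_paste(EXPECTED, PASTED)["verdict"])
    print(side_by_side(EXPECTED, PASTED))
```
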
MisterBitconio (OP)
Jr. Member
Activity: 65
Merit: 4
July 02, 2020, 07:36:53 PM
 #4

> Yeah, this is a very common malware.
>
> It's not entirely safe to check the first few and last few letters either. There also exists malware which has a database of addresses it can choose to replace yours with, and will pick an address which is similar to your address. The only way to be completely safe is to check the entire address. The easiest way to do this is to put the window or device with your wallet on it physically right next to the window or device with the address you want to send to. Once the two addresses are physically right next to each other, it takes <10 seconds to check the entire address matches up.
>
> I'd also suggest having a read of this thread from LoyceV which discusses all this in more detail: How to lose your Bitcoins with CTRL-C CTRL-V

Yikes, I didn't even consider that. Thanks for the heads up. Yes, I would assume your method would be the safest option, can't really sacrifice precision when the Tx is significant.
dothebeats
Legendary
Activity: 3682
Merit: 1353
July 02, 2020, 09:02:49 PM
 #5

This is old but still does the trick on some unknowing users.

The rule of thumb when you're a bitcoin or crypto user is to NOT download any sort of files that came from any untrusted source. There are tons of malware out there that can easily come into your system which might hijack your clipboard and bam, you're infected. Over time, the creators of these malware get better and more cunning, and as o_e_l_e_o already pointed out, can change your address into something very similar. Either way, you would be safe from such attacks if you follow at least the basic internet security tips and etiquette. I'm a noob on cybersec and complicated internet security stuff, but never for the last 6 years have I encountered a problem on malware targeting my coins.
MisterBitconio (OP)
Jr. Member
Activity: 65
Merit: 4
July 02, 2020, 09:09:28 PM
 #6


> The rule of thumb when you're a bitcoin or crypto user is to NOT download any sort of files that came from any untrusted source.
Pretty much. I've personally found a way to convert an old phone (that I formatted and turned offline) into a hardware wallet to sign my transactions, basically a makeshift Trezor. It does the trick, especially if your activity involves downloading questionable files and programs online.

I wasn't aware it was that common, to be honest. But better help someone become aware than be sorry when they lose coins to that scam.
bL4nkcode
Copper Member
Legendary
Activity: 2142
Merit: 1305
July 02, 2020, 09:17:19 PM
 #7

> Yikes, I didn't even consider that. Thanks for the heads up. Yes, I would assume your method would be the safest option, can't really sacrifice precision when the Tx is significant.
This might be an old trick but there are still lots of users who got infected/scammed/hacked of this kind. Having those addresses with almost the same are considered/viewed from a database/list of addresses of the hacker, this was reported just months ago with a phishing/malware Electrum wallet, but surely it was implemented on other sources too.

The only thing you can do, since not all anti-virus detect this as malware, is to always double, even triple, check the wallet address when sending funds, and don't just download files from its official/trusted source but always verify the downloaded file (signatures) as well.
20kevin20
Legendary
Activity: 1134
Merit: 1598
July 03, 2020, 07:15:33 AM
 #8

> This is old but still does the trick on some unknowing users.
>
> The rule of thumb when you're a bitcoin or crypto user is to NOT download any sort of files that came from any untrusted source. There are tons of malware out there that can easily come into your system which might hijack your clipboard and bam, you're infected.
Most downloads nowadays also allow you to verify their legitimacy through various methods, mostly through signatures. I usually also do this if the time allows me to do so. Even trusted sources could be malicious if they are under an attack themselves. Qubes has a thorough tutorial (.onion version here) of how to verify their ISO even for the most paranoid ones out there.

Internet has its own dark places for sure. My rule of thumb is... just keep your cryptos on an old device, be it a Pentium old PC and flash a good Linux distro on it - or buy a hardware wallet. That saves you from so many potential issues.
maxreish
Sr. Member
Activity: 1330
Merit: 326
July 03, 2020, 07:28:17 AM
 #9

I have read almost the same issue in this forum and guide the victim on how to remove that malware inside the system.
It is very significant to double or triple check the bitcoin address before finally hitting the send button since many hijacking malware btc address exists lately.

I remembered one issue wherein the victim copy pasted his btc address and thought it was his correct address since the first numbers and letters are same with his own address. I just forget the site and what malware is that. But anyway, let's all be vigilant and do not download apps or anything that is untrusted and suspicious.
larus
Jr. Member
Activity: 236
Merit: 1
July 03, 2020, 07:29:52 AM
 #10

That's why I'm always checking addresses after copy pasting them