Threat of the Day 04-28: Clipboard Hijack Malware - The Silent Wallet Drain

Yesterday's piece on browser extension hijacks covered an attack that needs the user to authorize an extension. Today's threat is sneakier - it doesn't need any browser interaction. It just watches your clipboard.

The attack in plain English

Clipboard hijack malware (industry term: "clipper" malware) does one thing: it monitors your clipboard for patterns that look like cryptocurrency wallet addresses, and silently replaces them with the attacker's address. You copy your friend's Bitcoin address, paste it into your wallet, hit send - and the funds go to a stranger.

The pattern matching is regex-simple, because the malware only has to recognize something that looks like an address, not validate it. Bitcoin addresses match the loose pattern ^(1|3|bc1)[a-zA-HJ-NP-Z0-9]{25,62}$. Ethereum addresses start with 0x followed by 40 hex characters. Solana addresses are base58, roughly 32-44 characters long. The malware loads a list of attacker addresses for each chain and swaps on the fly.

Why this is back in 2026

Clipper malware has been around since 2017. It went quiet 2020-2023 as antivirus vendors got better at detecting it. It's resurgent in 2026 for three reasons:

The detection challenge

Three reasons this malware is harder to catch than typical info-stealers:

  1. No network signal until the next clipboard event. The malware just sits dormant, listening. It doesn't beacon, doesn't exfiltrate. EDR tools that flag "this process is calling out to a strange C2" have nothing to flag.
  2. Behavior overlaps with legitimate apps. Password managers, snippet tools, screenshot utilities - all monitor or modify the clipboard. Heuristic detection produces false positives.
  3. The malicious payload is tiny. Often a few hundred bytes injected into a legitimate process. Static signatures don't catch it.

Four detection techniques that actually work in 2026

1. Clipboard event source verification

Modern EDRs (CrowdStrike, SentinelOne) added "clipboard write source" telemetry in 2025. They alert when a process modifies clipboard contents that another process recently wrote. This is the cleanest signal - normal apps don't silently rewrite your clipboard.

2. Address-list canary monitoring

Crypto wallets and exchanges started embedding "canary" addresses in their UI - addresses that should never be modified. If they detect their own canary changed in the clipboard between display and paste, they alert. Coinbase rolled this out in March 2026.

3. Visual integrity check on paste

Wallet apps now diff the clipboard contents at copy-time vs. paste-time. If they differ, the app shows a hard warning before sending. MetaMask, Phantom and Trust Wallet all added this in 2026.

4. DLL sideload detection

Most clipper malware in 2026 ships via sideloaded DLLs in signed apps. Detecting the sideload (a DLL loaded from an unexpected path or with a hash mismatch) catches the family even before the clipboard behavior triggers.

Three defense layers for end users

  1. Always verify the first 4 and last 4 characters of any pasted crypto address before sending. Don't compare the whole address - your eyes will glaze over. Just first 4 / last 4. The malware can match the starting characters but rarely matches both ends.
  2. Use wallet apps with paste-integrity warnings (MetaMask, Phantom, Trust). Update them. The 2026 versions catch most clipper attacks.
  3. Use a hardware wallet for any transaction over $500. Hardware wallets show the destination address on a screen the malware can't reach. You verify there, not on your computer.
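As an added example (not code from this post, nor from any EDR or wallet vendor named in it), here is the clipboard write-source check from detection technique 1 and the first-4/last-4 comparison from user defense 1, run over constructed clipboard-write telemetry. The process names, PIDs and addresses are all made up.

```python
import re
from dataclasses import dataclass

# The per-chain "looks like an address" patterns from the post. They are loose
# pre-filters with no checksum or bech32 validation, which is all a clipper needs.
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(r"^(1|3|bc1)[a-zA-HJ-NP-Z0-9]{25,62}$"),
    "solana": re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$"),
}

def classify(text):
    """Return the first chain whose pattern matches (patterns overlap), else None."""
    return next((c for c, p in ADDRESS_PATTERNS.items() if p.match(text)), None)

@dataclass
class ClipboardWrite:
    ts: float       # seconds
    pid: int
    process: str
    content: str

def find_hijacks(events, window=2.0):
    """Alert when a process overwrites address-looking clipboard content that a
    different process wrote less than `window` seconds earlier with another address."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        if cur.pid == prev.pid or cur.ts - prev.ts > window:
            continue  # same app re-copying, or an unrelated later copy
        chain = classify(prev.content)
        if chain and classify(cur.content) and cur.content != prev.content:
            alerts.append({"writer": cur.process, "pid": cur.pid, "chain": chain,
                           "original": prev.content, "replacement": cur.content})
    return alerts

def ends_match(shown, pasted, n=4):
    """The end-user check from the post: compare only the first and last n characters."""
    return shown[:n] == pasted[:n], shown[-n:] == pasted[-n:]

# Constructed telemetry. The addresses are made-up strings that merely fit the patterns;
# the swapped one shares the first four characters with the real one, not the last four.
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
SWAPPED_ETH = "0x1234" + "0" * 28 + "deadbeef"
SAMPLE_EVENTS = [
    ClipboardWrite(100.0, 4120, "browser.exe", "meeting notes for tuesday"),
    ClipboardWrite(100.4, 2210, "pwmanager.exe", "correct-horse-battery"),  # benign rewrite
    ClipboardWrite(130.0, 4120, "browser.exe", USER_ETH),
    ClipboardWrite(130.3, 9981, "updater.exe", SWAPPED_ETH),               # clipper behaviour
    ClipboardWrite(131.0, 9981, "updater.exe", SWAPPED_ETH),               # same pid: ignored
]
```

Running find_hijacks(SAMPLE_EVENTS) yields exactly one alert, for updater.exe replacing the browser's Ethereum address, and ends_match(USER_ETH, SWAPPED_ETH) returns (True, False): the prefix passes, the suffix exposes the swap.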

The pattern

Clipper malware is not high-profile. It doesn't make news because each individual loss is small ($500-$5,000) and individual victims rarely report. But aggregate losses to clipper malware in 2025 exceeded $180M according to Chainalysis. It's a low-and-steady drain on the ecosystem, and the techniques are well within reach of any defender.

Tomorrow

We cover MFA fatigue attacks - the social engineering technique that's bypassing 2FA at enterprise scale, and why "just enable MFA" stopped being enough advice in 2025.