Clipboard Hijacking Malware Surge Threatens Crypto Wallets in 2026
Clipboard hijacking works by intercepting the data a user copies and swapping it with a malicious address. When a wallet user pastes the address into a transfer field, the funds are routed to the attacker’s wallet instead of the intended recipient. The attacks exploit the fact that many hot wallet applications—such as MetaMask, Trust Wallet, and Phantom—automatically copy addresses to the clipboard when a user selects them. Because the user is unaware of the replacement, the attack can succeed without any user interaction beyond the normal copy‑and‑paste workflow.
The broader threat landscape for crypto wallet security is expanding. A recent scan of commonly infected areas uncovered 18 malware samples, 14 of which were classified as viruses with a high risk rating. The remaining samples included six instances of adware, a keylogger, a trojan, a scareware sample, and general malware. Other malware families that have historically targeted crypto infrastructure include KandyKorn—a macOS tool used by North Korean actors to target blockchain engineers; Lazarus Group’s AppleJeus, the first known macOS malware aimed at a cryptocurrency exchange; and Gozi, a trojan that has evolved to target cryptocurrency exchanges through malvertising.
The rise of clipboard hijacking underscores the vulnerability of hot wallets, which store private keys in memory and are accessible via a user’s device. Cold wallets, such as hardware wallets and multi‑party computation (MPC) solutions, provide a higher level of isolation but are not immune to social‑engineering attacks that trick users into transferring funds to a compromised address. Security best‑practice guides from Binance, BitDegree, and Cobo emphasize verifying destination addresses, using hardware wallets for large balances, enabling two‑factor authentication, and monitoring clipboard activity with dedicated tools.
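The destination-address verification recommended above can be done mechanically at paste time. The following is an added example, not code from any wallet or vendor named in this article: it compares the full address recorded at copy time with the text that reaches the send form. The function names and the simplified address patterns are assumptions, and the sample addresses are constructed.

```javascript
// Added example (not from any wallet named above): paste-time address check.
// Patterns are simplified format checks (assumption), not checksum validation.
const ADDRESS_PATTERNS = {
  ethereum: /^0x[0-9a-fA-F]{40}$/,
  bitcoin_bech32: /^bc1[02-9ac-hj-np-z]{11,71}$/,
  base58: /^[1-9A-HJ-NP-Za-km-z]{26,44}$/, // legacy Bitcoin, Solana
};

// Return the address family a string looks like, or null if none.
function classifyAddress(text) {
  const value = String(text).trim();
  for (const [kind, pattern] of Object.entries(ADDRESS_PATTERNS)) {
    if (pattern.test(value)) return kind;
  }
  return null;
}

// Ethereum hex differs only by checksum casing; base58 is case-sensitive.
function normalize(value, kind) {
  return kind === "ethereum" ? value.toLowerCase() : value;
}

// copied: text recorded when the user copied an address.
// pasted: text that arrived in the send form's destination field.
// The comparison covers the whole string, not a shortened display form.
function checkPaste(copied, pasted) {
  const src = String(copied).trim();
  const dst = String(pasted).trim();
  const srcKind = classifyAddress(src);
  const dstKind = classifyAddress(dst);
  if (srcKind === null) return { verdict: "untracked", block: false };
  if (srcKind === dstKind && normalize(src, srcKind) === normalize(dst, dstKind)) {
    return { verdict: "match", block: false };
  }
  // A well-formed address that differs from the copied one is the swap pattern.
  if (dstKind !== null) return { verdict: "replaced", block: true };
  return { verdict: "altered", block: true };
}

// Constructed sample values, not real wallet addresses.
const COPIED = "0x" + "ab12".repeat(10);
const SWAPPED = "0x" + "cd34".repeat(10);
console.log(checkPaste(COPIED, SWAPPED)); // the form should refuse to proceed
```

In a wallet UI, `checkPaste` would run in the destination field's paste handler, with `copied` taken from the wallet's own copy action or address book entry.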
Regulators and industry groups are taking notice. The European Union’s Digital Finance Package includes provisions that require exchanges to implement robust anti‑money‑laundering controls, which may extend to wallet‑app providers. In the United States, the Securities and Exchange Commission has issued guidance encouraging custodial services to adopt “strong customer authentication” and to provide clear warnings about phishing and clipboard‑based attacks.
The current situation remains fluid. Microsoft and other security vendors are actively updating detection signatures for Crypto Clipper and MassJacker. Wallet developers are working on built‑in clipboard‑monitoring features that alert users when an address is copied. Exchanges are reviewing their user‑interface flows to reduce the risk of accidental address replacement. As the threat continues to evolve, users are advised to remain vigilant, keep software up to date, and verify transaction details before confirming any transfer.