Clipper malware is the family of malicious software that monitors the system clipboard for cryptocurrency addresses and, when one is detected, silently replaces it with the attacker's address. The user pastes what they think is "the right address," signs the transaction, and sends funds to the attacker. The clipboard, in 2026, is one of the most under-defended attack surfaces on consumer Windows and Android.
How it works on the user's machine
Three components:
A clipboard-monitoring background process, straightforward to write against any modern OS clipboard API. It runs continuously, with low system impact and no obvious foreground activity.
An address-pattern recognizer. Bitcoin addresses match specific prefixes ("1", "3", "bc1"). Ethereum addresses are 42-character hex strings starting with "0x". The malware uses regex to identify these patterns the moment they hit the clipboard.
A replacement step. The detected address gets swapped with the attacker's address from a hardcoded list. Sometimes the attacker maintains multiple addresses to make blocklisting harder; sometimes they use vanity addresses that visually resemble common destinations.
Why this is hard to catch
Users do not usually re-read the address after pasting. The discipline rule "always verify the first four and last four characters" works against this attack, but few users follow it consistently. The visual-resemblance attack — a vanity Bitcoin address that starts with "bc1qyourwallet..." for a target that copies "bc1qexpected..." — exploits exactly this lapse.
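The two mechanics above, the pattern recognizer and the "first four and last four" lapse, are easy to see side by side in code. The following is an added example written for this page, not code from the article or from any named malware family: it classifies clipboard text by address shape (prefix and character set only, no checksum validation), flags a clipboard update in which one address is replaced by a different address of the same family within a short window (the signature of a clipper reacting to a copy, as opposed to a person copying something else later), and shows that the partial end-comparison passes on a constructed vanity lookalike while an exact comparison does not. All function names, the ClipboardEvent structure, the two-second window and every address value are constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape-only patterns for the address families the article names (prefix and
# character set, no checksum validation). Hypothetical helper, not a library API.
ADDRESS_PATTERNS = {
    # Base58: 1... (P2PKH) or 3... (P2SH); Base58 excludes 0, O, I and l.
    "btc-base58": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    # bech32/bech32m lowercase form: bc1 + 39..59 chars from the bech32 charset
    # (no b, i, o or 1). Covers P2WPKH (42 chars) through P2WSH/Taproot (62).
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    # Ethereum: 0x followed by 40 hex digits.
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text):
    """Return which family a clipboard string looks like, or None if it is not an address."""
    text = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return family
    return None


def looks_same_by_ends(expected, actual, n=4):
    """The 'first four and last four characters' habit: a partial comparison.
    Note that every bech32 address shares the same first four characters."""
    return expected[:n] == actual[:n] and expected[-n:] == actual[-n:]


def verify_paste(expected, actual):
    """What a wallet UI or a careful user should actually require: an exact match."""
    return expected.strip() == actual.strip()


@dataclass
class ClipboardEvent:
    at: float       # seconds since monitoring started (constructed timeline)
    content: str    # clipboard text after this update


def detect_swaps(events, window=2.0):
    """Flag clipboard updates where an address is replaced by a different address
    of the same family within `window` seconds. A person re-copying takes longer;
    a clipper reacts to the copy in milliseconds. Returns (copied, swapped) pairs."""
    flagged = []
    for prev, curr in zip(events, events[1:]):
        fam_prev = classify_address(prev.content)
        fam_curr = classify_address(curr.content)
        if fam_prev is None or fam_curr != fam_prev:
            continue
        if prev.content != curr.content and curr.at - prev.at <= window:
            flagged.append((prev.content, curr.content))
    return flagged


# Constructed sample values (not real wallets). The attacker address shares the
# bc1q prefix and the 0000 suffix with the user's, like the vanity case above.
USER_BTC = "bc1qexpected0user0wallet0address0dem000000"
ATTACKER_BTC = "bc1qattacker0swapped0that0address000000000"
USER_ETH = "0x" + "c0ffee" + "0" * 33 + "1"

# Constructed clipboard timeline: a copy, a swap 50 ms later, then unrelated copies.
SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes for tuesday"),
    ClipboardEvent(12.00, USER_BTC),      # user copies a deposit address
    ClipboardEvent(12.05, ATTACKER_BTC),  # 50 ms later the clipboard holds another bech32 address
    ClipboardEvent(40.0, USER_ETH),       # a later, unrelated copy of an Ethereum address
    ClipboardEvent(95.0, "some other text"),
]


def demo():
    """Run the detector over the sample timeline and compare the two checks."""
    swaps = detect_swaps(SAMPLE_EVENTS)
    weak = looks_same_by_ends(USER_BTC, ATTACKER_BTC)   # passes on the lookalike
    strict = verify_paste(USER_BTC, ATTACKER_BTC)        # does not
    return swaps, weak, strict


if __name__ == "__main__":
    swaps, weak, strict = demo()
    for copied, swapped in swaps:
        print(f"clipboard swap: {copied} -> {swapped}")
    print("first/last-four check passes:", weak)
    print("exact comparison passes:", strict)
```

The timing rule is the part worth carrying into a real monitor: on Windows the same logic can sit behind a WM_CLIPBOARDUPDATE listener, and a same-family replacement arriving within tens of milliseconds of a copy is worth alerting on even when the new address passes a casual visual check.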
Clipper malware has been distributed via pirated software, fake browser extensions, cracked game installers, and bundled into "cracked" trading bots for over a decade. The current wave (Lumma Stealer, Atomic Stealer, MetaStealer) bundles clipper functionality alongside credential theft.
What defends
Three operational habits:
First, verify the address on the hardware-wallet screen before pressing the confirm button. The hardware wallet displays the destination address the device received from the host computer — if clipper malware swapped the address in the clipboard, the swap is reflected in what the dApp sent to the hardware wallet, and you see the wrong address on the device. This is one of the central reasons "always read the screen" matters.
Second, prefer QR-code-based address transfer over copy-paste where possible. The QR encodes the address; there is no clipboard step for malware to intercept. Most exchanges and most hardware wallets support QR-based address sharing.
Third, for high-value transfers ($10K+), do a small test transaction first. Send a token amount, wait for confirmation, verify it arrived at the intended address, then send the rest. This costs you twenty minutes and a small fee; it eliminates clipper risk for the bulk of the transfer.
Detection on Windows and Android
Windows Defender catches the well-known clipper families (Lumma, RedLine variants) as of mid-2024 updates, but novel variants slip through for weeks. Android antivirus apps from Bitdefender, Kaspersky, and Malwarebytes have similar coverage gaps.
The actual defense is upstream: don't install cracked software, don't trust browser extensions outside of major vendor stores, don't run executables from Telegram or Discord regardless of who recommended them. For a US-resident holder with substantial crypto, a dedicated "signing computer" (a clean Linux laptop used only for crypto transactions) eliminates the entire malware threat surface — and it is cheaper than the loss it prevents.
Further reading: Hot wallet, Phishing, Key-leak emergency rescue.