Clipboard hijacking is a silent attack: you copy the correct address, but what you paste is the attacker's address. This article explains how the attack works and how to defend against it.
1. Attack principles
Trojan execution flow
- You install malware (disguised as a cracked version / tool).
- It monitors the clipboard in the background.
- It detects that you copied a cryptocurrency address (identifying BTC / ETH / TRC20 by format).
- It immediately replaces it with an address prepared by the attacker.
- What you paste is already a fake address.
- You withdraw the coins → the money goes into the attacker's pocket.
The entire process is completely imperceptible, with no pop-ups or prompts whatsoever.
2. Common sources of attacks
| Source | Risk |
|---|---|
| Cracked Photoshop / Office | Extremely high |
| "Tools" in Telegram groups | Extremely high |
| Localized Apps downloaded from forums | High |
| ZIP files in email attachments | High |
| "Crypto Assistant" mini-programs | Extremely high |
3. Defense methods
1. Verify word by word before withdrawal
After copying and pasting the address, carefully verify:
- The first 6 characters
- The last 6 characters
- The length
A TRC20 address is 34 characters long and an ERC20 address 42; if even a single character does not match, do not send the funds.
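To make the mechanism from section 1 and the checklist above concrete, here is an added Python example (it is not part of the original article): an address-format classifier of the kind a wallet uses for validation, a `verify_paste` helper that runs the first-6 / last-6 / length checks followed by a full-string comparison, and a small clipboard watcher that alerts when an address on the clipboard is replaced by a different address of the same chain without any other content in between. The address strings, the `CLIPBOARD_SNAPSHOTS` sequence and all function names are constructed for this example, and the patterns cover only the common address shapes.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Iterator, List, Optional

# Address shapes by chain family (constructed for this example; common formats only:
# Tron TRC20 = 'T' + 33 base58 chars, 34 total; Ethereum/ERC20 = '0x' + 40 hex, 42 total).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(?:bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRC20": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain family a string looks like, or None if it is not address-shaped."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def verify_paste(intended: str, pasted: str) -> List[str]:
    """Mirror the manual checklist: first 6 chars, last 6 chars, length, then the whole string.
    Returns the names of the checks that failed; an empty list means the paste is clean."""
    intended, pasted = intended.strip(), pasted.strip()
    failures = []
    if intended[:6] != pasted[:6]:
        failures.append("first6")
    if intended[-6:] != pasted[-6:]:
        failures.append("last6")
    if len(intended) != len(pasted):
        failures.append("length")
    if intended != pasted:
        failures.append("exact")  # the check that actually decides; the others only localise the difference
    return failures


@dataclass
class SwapAlert:
    chain: str
    expected: str
    observed: str


def watch_clipboard(read_fn: Callable[[], str], polls: int, interval: float = 0.0) -> Iterator[SwapAlert]:
    """Poll read_fn. The first address seen is taken as the one the user copied; a later
    reading that is a different address of the same chain is reported as a suspected swap."""
    expected: Optional[str] = None
    expected_chain: Optional[str] = None
    for _ in range(polls):
        content = read_fn().strip()
        chain = classify_address(content)
        if chain is None:
            # Non-address content means the user copied something else: reset the baseline.
            expected, expected_chain = None, None
        elif expected is None:
            expected, expected_chain = content, chain
        elif content != expected:
            if chain == expected_chain:
                yield SwapAlert(chain, expected, content)
            # Either way the new address becomes the baseline, so one swap yields one alert.
            expected, expected_chain = content, chain
        if interval:
            time.sleep(interval)


def read_system_clipboard() -> str:
    """Live reader for interactive use (needs a display); uses the standard tkinter clipboard API."""
    import tkinter
    root = tkinter.Tk()
    root.withdraw()
    try:
        return root.clipboard_get()
    except tkinter.TclError:
        return ""
    finally:
        root.destroy()


# Constructed sample data: a TRC20 address the user meant to copy, a substituted one that
# shares the first 6 characters with it, and an unrelated ETH address copied afterwards.
INTENDED_TRC20 = "TXYZabcdefghijkmnpqrstuvwxyz123456"
SWAPPED_TRC20 = "TXYZab9876543219876543219876543219"
ETH_ADDRESS = "0x" + "ab" * 20
CLIPBOARD_SNAPSHOTS = ["meeting notes", INTENDED_TRC20, INTENDED_TRC20, SWAPPED_TRC20, ETH_ADDRESS]


def run_demo() -> List[SwapAlert]:
    """Replay the constructed snapshots through the watcher instead of the real clipboard."""
    snapshots = iter(CLIPBOARD_SNAPSHOTS)
    return list(watch_clipboard(lambda: next(snapshots), polls=len(CLIPBOARD_SNAPSHOTS)))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"[{alert.chain}] clipboard changed from {alert.expected} to {alert.observed}")
        print("failed checks:", verify_paste(alert.expected, alert.observed))
```

Pass `read_system_clipboard` to `watch_clipboard` with a non-zero `interval` for a live check. Note the two limits: the watcher only sees a swap that happens between two polls, so a replacement performed in the same instant you copy leaves nothing to compare against, and in the sample the substituted address passes the first-6 check. That is why the manual checklist ends with "any single character", which in code is the full-string comparison.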
2. Use a whitelist
Only select pre-whitelisted addresses for withdrawals, avoiding pasting every time. This greatly reduces the risk of clipboard attacks.
3. Use QR codes as alternatives
If feasible, scan the QR code provided by the counterparty instead of copying and pasting. Trojans do not affect camera scanning.
4. Antivirus scanning
Run a full scan once a month. Run an extra scan before important transactions.
5. Do not install software from unknown sources
The most fundamental defense. The money saved by using cracked versions might be traded for the loss of all your assets.
4. Signals identifying a Trojan
- The computer slows down, fans spin at high speed (mining).
- The browser homepage gets changed.
- Unfamiliar startup items appear.
- Strange processes in the Task Manager.
- Kaspersky/360 repeatedly pops up "Blocked".
If any of these occur, run a full disk scan.
5. Mobile clipboard attacks
Mobile devices are also vulnerable:
- Android: clipboard access is relatively permissive, so a malicious app can read it.
- iOS: from version 14 onwards, the system shows a banner such as "App pasted from clipboard" whenever an app reads the clipboard; watch for unfamiliar apps triggering it.
Defense:
- Do not install unofficial apps.
- On iOS, pay attention to clipboard prompts.
- On Android, audit app permissions.
6. Emergency response for sending to the wrong address
If you have already sent coins to the wrong address:
- Immediately stop any other operations.
- Check the on-chain TXID status.
- If it's unconfirmed on-chain, contact Binance support to try canceling (rarely succeeds).
- If it is confirmed, the transfer is irreversible on the blockchain and the assets are lost.
- Simultaneously troubleshoot the source Trojan: run antivirus, flash the device.
- Change the passwords of all your financial accounts.
7. Long-term advice
1. The main trading device should only have essential software
Use another machine for work and entertainment. Your Binance trading machine should only have the OS, a browser, and the Binance client installed.
2. Test before large amounts
When withdrawing to a new address for the first time, test with 10 USDT first. Trojans won't replace small amounts because it's too conspicuous.
3. Multisig wallets
Advanced: Use a multisig wallet like Gnosis Safe, which requires multiple private keys to approve a withdrawal. Even if a Trojan replaces the address, it cannot pass the multisig verification.
4. Paste using a password manager
Certain password managers (1Password / Bitwarden) support "secure paste" — filling directly into the target input box without going through the clipboard. The Trojan cannot intercept it.
FAQ
Q1: Will the Trojan proactively connect to the internet to transmit addresses? Usually, yes. But some Trojans store a pool of addresses locally and don't need real-time internet connectivity.
Q2: Can antivirus software detect it 100% of the time? No. New Trojans might evade signature databases. Habitually verifying is more reliable than relying on antivirus.
Q3: Will changing the address (using a new one every time) prevent this? New addresses will also be replaced. The Trojan identifies the format, not the specific address.
Q4: Will using Linux make me completely immune? Linux has fewer viruses but the number is not zero. You still must verify.