Clipper malware is a type of malicious software that watches for copied cryptocurrency addresses and silently replaces them with an address controlled by the attacker. The victim pastes what looks like the correct wallet address, but the transfer goes to the wrong destination if the clipboard has been altered.
This matters because cryptocurrency transactions are usually irreversible. A single clipboard swap can redirect funds without changing the visible payment screen or triggering an obvious error. Clipper malware often appears alongside other payloads in download traps, fake software sites, cracked installers, or staged malware bundles, where it can be delivered after a user runs a trojanized file. Defenders look for suspicious clipboard access, unexpected process injection, abnormal browser or wallet activity, and mismatched pasted addresses. Good protection also includes verifying full addresses before sending, using hardware wallets when possible, and downloading software only from a known canonical source.
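The full-address verification described above can be automated at paste time. The following is an added example, not code from any wallet or product: the function names, the shape-only address patterns, and the sample addresses are assumptions constructed for illustration. It compares the copied and pasted values in full and reports whether a check of only the first and last few characters would have missed the change.

```python
import re

# Shape-only patterns for common address formats (assumption: no checksum
# validation is done here; this only recognises address-like strings).
ADDRESS_PATTERNS = {
    "ethereum": re.compile(r"0x[0-9a-fA-F]{40}"),
    "bitcoin-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "bitcoin-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
}

# Constructed sample values, not real wallets.
COPIED = "0x" + "1111222233334444555566667777888899990000"
SWAPPED = "0x11" + "ab" * 17 + "0000"  # same first and last four characters


def address_kind(text):
    """Return the format name that `text` matches in full, or None."""
    value = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind
    return None


def check_paste(copied, pasted, glance=4):
    """Compare the copied address with the pasted one, character by character."""
    copied, pasted = copied.strip(), pasted.strip()
    kind = address_kind(copied)
    if kind is None:
        return {"verdict": "not-an-address"}
    if copied == pasted:  # exact comparison: the conservative choice
        return {"verdict": "match", "kind": kind}
    pairs = zip(copied, pasted)
    first_diff = next((i for i, (a, b) in enumerate(pairs) if a != b),
                      min(len(copied), len(pasted)))
    pasted_kind = address_kind(pasted)
    return {
        # "swapped": another valid-looking address; "altered": anything else
        "verdict": "swapped" if pasted_kind else "altered",
        "kind": kind,
        "pasted_kind": pasted_kind,
        "first_difference": first_diff,
        # True when comparing only the first/last `glance` characters
        # would not have revealed the change
        "missed_by_glance": copied[:glance] == pasted[:glance]
        and copied[-glance:] == pasted[-glance:],
    }


if __name__ == "__main__":
    print(check_paste(COPIED, SWAPPED))
```
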



