Rob Behnke
September 18th, 2024
Blockchain users face a wide variety of threats to their crypto. Rug pulls steal tokens invested in a scam project, smart contract vulnerabilities can be exploited to drain contracts, and stolen private keys allow an attacker to perform transactions on a user’s behalf, draining their wallets.
Clipper malware, like that included in a warning bulletin from Binance, is yet another means by which cybercriminals steal crypto. This attack involves changing destination addresses for a user’s transactions and redirecting them to the attacker.
Clipper malware gets its name from the fact that it manipulates the system clipboard on a computer or mobile device. One of the key attributes of the clipboard is that it is readable and writable by any application on the device. This is why it’s possible to copy text from one program and paste it into another.
However, this feature can also be problematic if sensitive information is transferred via the clipboard. Information stealer (infostealer) malware commonly monitors the system clipboard because people use it to transfer data that they don’t want to mistype. Programs can set up listeners that notify them whenever data is written to the clipboard, enabling them to check if it contains data of interest.
This target data often involves passwords, credit card information, and other sensitive information. By keeping an eye on the clipboard and looking for data in specific formats, the malware can collect this information and exfiltrate it to the attacker.
In the blockchain space, clipper malware takes advantage of the fact that applications can edit the data on the clipboard as well as read it. Blockchain clipper malware will look for data that appear to be blockchain addresses, which have a distinct format on each blockchain.
If the malware identifies a clipboard entry in a matching format, it will replace the address with that of the attacker. Users commonly copy-paste addresses when they are creating a new transaction and want to send it to a particular address. As a result, the attacker-modified address will likely be pasted into the destination field of a blockchain transaction. If this occurs and the user doesn’t notice the swap, then the crypto being transferred will be sent to the attacker rather than the intended recipient.
This attack depends on the target not noticing the swapped address. However, this is likely to happen for a few reasons. One is that the user copy-pasted the destination address precisely to ensure that it was correct, which means they are likely to trust the pasted version.
Another is that an attacker could employ lookalike addresses to make their destination addresses look more plausible to their target. If the malware is preloaded with several different addresses, it could substitute the one that most resembles the target address. This reduces the risk that the user might notice that, for example, the destination address begins with an A, and the attacker-provided one starts with a 3. Another common crypto scam that involves copy-pasting — address poisoning attacks — relies on these lookalike addresses to trick users into sending crypto to the wrong place.
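As an added, defender-side illustration (not code from this post or from the Binance bulletin): a wallet-side paste check that applies the same address-format test clipper malware relies on to pick its targets, then compares the pasted destination with the recipient the user actually intended and flags the "same head and tail, different middle" lookalike described above. The regex patterns, the `verify_destination` helper and the sample addresses are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Shape-only regexes for three common address formats (illustrative assumptions;
# a real wallet would also validate checksums such as EIP-55 or bech32).
ADDRESS_PATTERNS = {
    "bitcoin-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "bitcoin-bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{25,87}$"),
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def detect_format(text: str):
    """Name of the address format `text` matches, or None. Clipper malware applies
    the same shape test to pick clipboard entries; here it decides what to verify."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

@dataclass
class PasteVerdict:
    status: str  # "ok", "not-an-address", "lookalike" or "swapped"
    detail: str

def verify_destination(expected: str, pasted: str, ends: int = 6) -> PasteVerdict:
    """Compare the recipient the user intends (e.g. a verified address-book entry)
    with what landed in the destination field. `ends` = characters a user eyeballs."""
    fmt = detect_format(pasted)
    if fmt is None:
        return PasteVerdict("not-an-address", "pasted text is not a supported address")
    a, b = expected.strip(), pasted.strip()
    if fmt == "evm":  # hex addresses compare case-insensitively (checksum aside)
        a, b = a.lower(), b.lower()
    if a == b:
        return PasteVerdict("ok", f"{fmt} address matches the verified recipient")
    # Same head and tail, different middle: the lookalike trick that survives a glance.
    if a[:ends] == b[:ends] and a[-ends:] == b[-ends:]:
        return PasteVerdict("lookalike", "only the middle differs; check every character")
    return PasteVerdict("swapped", "destination differs from the verified recipient")

# Constructed sample values (not real wallets) exercising each outcome.
INTENDED = "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee"
SAMPLES = {
    "untouched": INTENDED,
    "lookalike": "0x1111ffff0000ffff0000ffff0000ffff5555eeee",
    "swapped": "0x9999000099990000999900009999000099990000",
}
```

Running `verify_destination(INTENDED, SAMPLES["lookalike"])` returns a `lookalike` verdict even though the first and last six characters match, which is exactly the case a quick visual check misses.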
The main assumption of these attacks is that the attacker is able to install malware on the user’s device to modify its clipboard. According to the Binance report, the majority of these attacks target mobile users. This is because typing out a wallet address is even more inconvenient on a mobile device, making copy-paste a logical means of transferring addresses from one app to another.
The clipper malware used in this attack is often distributed via Android apps and plugins in web applications. These are commonly downloaded from unofficial app stores or phishing sites. One way that the attackers trick users into downloading their apps is by providing versions of a legitimate app in the user’s native language or one that is available through unofficial channels if crypto usage is restricted in their country.
Binance noted that these attacks have become especially common in recent months, with a spike in late August. However, the exchange’s view of the attack is primarily related to maliciously redirected withdrawals from its platform, and the attacker may be targeting other transactions as well.
One challenge in identifying these clipper malware attacks is the difficulty of differentiating between legitimate and malicious transactions on the blockchain. If all that changes in a transaction is the blockchain address and the transaction is digitally signed by the account owner, then it’s difficult to know whether the destination address is the intended one or a mistake. Binance only has visibility into the threat because users whose withdrawal transactions were redirected by attackers reported the issue to the company.
A clipper malware attack needs to succeed at two things: infecting the target system with malware and tricking the user into sending a transaction containing an incorrect destination address. Preventing one or both of these from happening stops the attack from succeeding.
Clipper malware is commonly distributed via unofficial app stores and phishing pages. When downloading a mobile app or browser extension, only do so from the project’s official page or legitimate app stores. Unofficial versions of apps are likely malware that could include clipper or other malicious functionality.
When making a transaction on the blockchain, it’s vital to double-check all parts of the transaction before approving and signing it. Clipper malware might change the destination address of the transaction, or other malware could insert malicious DeFi approvals, smart contract ownership transfers, or other undesirable actions into an otherwise legitimate transaction. Blockchains only accept transactions with valid digital signatures, so an attacker who lacks access to a private key may try everything they can to get someone who does have the key to sign that transaction.
Crypto users face a wide variety of scams and other cyber threats, and implementing security best practices is essential to prevent crypto thefts and other malicious on-chain activities. To learn more about protecting yourself against crypto scams, check out our blog post on the most common crypto scams.