A Bybit user recently lost $1,200 because of malware that secretly changed the wallet address he was sending cryptocurrency to. Here’s a breakdown of what occurred and how this type of scam works.
The money left his MetaMask wallet clean. No errors. No warnings. Just gone.
A Bybit user accidentally sent $1,200 to an incorrect address, thinking it was their own deposit address. After waiting an hour without any confirmation from Bybit, they realized something was wrong. According to a crypto security account on X (formerly Twitter) called BalaiBB, the user followed the standard process: they copied their Bybit wallet address, pasted it into MetaMask, and sent the funds.
What He Found When He Checked the Transaction
After the deposit didn’t appear, BalaiBB reported on X that the user realized he’d sent the funds to the wrong address. It turned out his device was infected with malware that secretly replaced any copied address with one controlled by a hacker. He unknowingly pasted the hacker’s address and sent his money to a stranger.
The malware never made a sound.
This attack silently runs on infected Android devices, monitoring for cryptocurrency wallet addresses that are pasted. When it finds one, it immediately swaps it with a fraudulent address. The pasted address appears normal to the user, and the change is undetectable unless you carefully compare the first and last four characters. According to BalaiBB on X, a quick way to stay safe is to always double-check the beginning and end of any pasted address before confirming a transaction.
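The head-and-tail comparison described above can be automated and extended to the whole string. The following is an added example, not code from BalaiBB or CNC Intel; it assumes EVM-style addresses (the kind MetaMask sends to), and the function name and sample addresses are constructed for illustration.

```python
import re

# Assumption: EVM-style addresses ("0x" + 40 hex digits), the kind MetaMask sends to.
EVM_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample values, not real wallets.
DEPOSIT = "0x" + "a1b2c3d4" + "0" * 24 + "e5f6a7b8"            # address the user copied
SWAPPED = "0x" + "9f8e7d6c" + "1" * 24 + "5b4a3928"            # what a hijacked clipboard pastes
MIDDLE_DIFF = "0x" + "a1b2c3d4" + "0" * 23 + "f" + "e5f6a7b8"  # same ends, different middle


def check_pasted_address(copied: str, pasted: str, edge: int = 4) -> dict:
    """Compare the address read from the source with the one in the send field."""
    src, dst = copied.strip(), pasted.strip()
    result = {"valid_format": False, "edges_match": False,
              "full_match": False, "first_diff": None, "verdict": "BLOCK"}
    if not (EVM_ADDRESS.match(src) and EVM_ADDRESS.match(dst)):
        return result  # not two well-formed addresses: refuse to send
    result["valid_format"] = True
    # Hex digits are case-insensitive (mixed case only encodes a checksum).
    a, b = src.lower(), dst.lower()
    # The article's manual check: first and last `edge` characters.
    # The fixed "0x" prefix is skipped so all compared characters carry information.
    result["edges_match"] = a[2:2 + edge] == b[2:2 + edge] and a[-edge:] == b[-edge:]
    # Stricter check: every character must agree.
    result["full_match"] = a == b
    if not result["full_match"]:
        result["first_diff"] = next(i for i, (x, y) in enumerate(zip(a, b)) if x != y)
    else:
        result["verdict"] = "OK"
    return result


if __name__ == "__main__":
    for label, pasted in [("clean", DEPOSIT), ("swapped", SWAPPED), ("middle", MIDDLE_DIFF)]:
        print(label, check_pasted_address(DEPOSIT, pasted))
```

The `copied` value should be read from the exchange's deposit page itself (or a QR code), not from the clipboard, since the clipboard is the thing being tampered with.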
Cybersecurity experts at CNC Intel have discovered that clipboard hijackers can infect devices in several ways: through deceptive browser extensions, malicious software hidden within questionable downloads, or by tricking users with phishing links. One particular type of malware, called Qulab, has been found targeting Android phones by posing as a fake Tor Browser app available outside of official app stores. Once installed, this malware automatically starts running whenever the device is turned on.
Five Ways Your Wallet Gets Drained Without You Clicking Anything Obvious
Beyond just the initial clipboard warning, BalaiBB detailed four more sneaky methods attackers use to empty digital wallets in a follow-up post on X.
Fake token approvals were the second most common scam. Here’s how it works: a suspicious token appears in your digital wallet. If you try to sell it on a decentralized exchange (DEX) and approve the transaction, the scammer will drain your wallet. BalaiBB’s advice is simple: if you didn’t purchase a token, don’t interact with it.
Phishing websites, fake copies of real DeFi platforms with very similar web addresses, were the third most common scam. Often, the difference is just a slight misspelling in the URL – for example, “uniswop.com” instead of the correct “uniswap.org” – and many people don’t notice. Once a user connects their digital wallet and approves a single transaction on these fake sites, their funds are immediately stolen. As one user pointed out on X (formerly Twitter), the best way to protect yourself is to bookmark the official websites of the platforms you use.
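The bookmark advice can also be expressed as a check: treat bookmarked hosts as the only trusted ones and flag anything whose name is within a small edit distance of them. This is an added example, not part of the original article; the bookmark set, the function names and the distance threshold are assumptions, and the two domains are the ones quoted above.

```python
from urllib.parse import urlsplit

# Assumption: hosts the user has bookmarked as official (uniswap.org is from the article).
BOOKMARKED = {"uniswap.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def name_label(host: str) -> str:
    """Label left of the TLD (simplification: no public-suffix list)."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host


def classify_url(url: str, bookmarked=BOOKMARKED, max_distance: int = 2):
    """Return ("trusted" | "lookalike" | "unknown", matched bookmarked host or None)."""
    host = (urlsplit(url).hostname or "").lower()
    for good in bookmarked:
        # Exact host or a subdomain of a bookmarked host is trusted.
        if host == good or host.endswith("." + good):
            return ("trusted", good)
    for good in bookmarked:
        # Same or nearly the same name outside the bookmarked domain is suspicious.
        if edit_distance(name_label(host), name_label(good)) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    for url in ["https://uniswap.org/swap", "https://uniswop.com/", "https://example.net/"]:
        print(url, classify_url(url))
```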
Scammers are pretending to be MetaMask support on Twitter. They respond to users reporting problems and immediately ask for their seed phrase – a secret key used to access their crypto wallet – claiming they need it to help. Security expert BalaiBB warns that a real support team would *never* ask for this information, ever.
Discord social engineering attacks happen when hackers take over moderator accounts on real Discord servers. They then send out fake links promising free items – like a “surprise mint” or “airdrop” – from a trusted source. Because people recognize the sender, they’re more likely to click the link, connect their digital wallet, and unknowingly have their funds stolen.
Counterfeit Google Play apps with the ability to secretly change copied addresses have been found, primarily targeting Android users in Brazil. Attackers created fake app stores to spread this malware, which swaps cryptocurrency wallet addresses during transfers of USDT, effectively stealing funds.
The Part Nobody Mentions: There Is No Refund
Once a blockchain transaction is complete, it can’t be reversed. Unlike traditional banking, there’s no way to get help, file a dispute, or get your money back. According to CNC Intel, if someone steals your cryptocurrency through clipboard hijacking, it’s almost impossible to recover. While they’ve assisted law enforcement in tracking stolen funds, actually getting the money back is very uncommon.
The stolen address can be tracked on-chain. The money, practically speaking, cannot be retrieved.
In April 2026, cryptocurrency losses totaled $620 million across 20 separate incidents – the highest monthly amount since the Bybit breach in February 2025. The majority of these losses were due to problems with the underlying infrastructure, while a smaller incident, a $1,200 theft via clipboard manipulation, demonstrates that even smaller attacks can result in financial loss.
To protect your cryptocurrency wallet, CNC Intel suggests replacing your clipboard contents with random text immediately after copying your wallet address. They also recommend running complete antivirus scans using programs like Malwarebytes or Kaspersky, and checking your computer’s startup programs (using the ‘msconfig’ tool on Windows) for anything you don’t recognize. If you’re using an Android device, be careful: most infections start with apps downloaded from unofficial app stores.
The user won’t be getting their $1,200 back, but they did gain a valuable lesson – one that often costs more to learn.
2026-05-06 15:09