A crypto user’s $1,200 transfer to Bybit never arrived. He checked the address. Wrong wallet entirely. His device had been running clipboard malware without him ever knowing.
The incident was shared on X by Bala (@BalaiBB). According to Bala, his friend copied a Bybit wallet address, opened MetaMask, pasted it, and sent the funds. No deposit confirmation came through. After an hour of refreshing, he went back to check the address he had pasted. It was not the one he had copied.
What the Malware Actually Does
Clipboard hijacking malware runs silently in the background of an infected device. The moment you copy a wallet address, the malware detects the alphanumeric string and swaps it out for one owned by the attacker. You paste. You confirm. The funds land in a stranger’s wallet.
According to CNC Intelligence, the malware activates specifically when it recognizes crypto wallet formats, including strings starting with 0x for Ethereum or bc1 for Bitcoin. Some variants check the clipboard every 200 milliseconds. They don’t need your password. They don’t need your seed phrase. They just need you to copy and paste once.
Bala had flagged this exact attack pattern in an earlier thread on X. The post gathered over 80,700 views after he described clipboard hijacking as one of the most sophisticated scams that even experienced users fall for. He noted the malware works because people trust their own copy-paste action.
The theft is final. Blockchain transactions do not reverse. Once confirmed, the funds are gone.
The Bybit User Did Nothing Wrong
That’s the part that gets overlooked. The victim followed normal procedure. He used MetaMask. He used Bybit. Both platforms are legitimate. The problem was on his device, not the exchange.
CNC Intelligence’s breakdown explains that clipboard hijackers can enter devices through fake browser extensions, trojaned software downloads, or phishing links. One strain called CryptoShuffler reportedly stole over $150,000 in Bitcoin running entirely as a hidden background process. Variants like Pro.exe and ClipXDaemon have been documented on Windows, Android, and Linux.
In December 2025, cybersecurity firm CloudSEK identified a coordinated campaign where a threat actor was distributing a Python-based clipboard hijacker through Discord communities targeting crypto streamers and gaming communities. The attacker framed the malicious file, named Pro.exe, as a “clipboard protection tool” before sending it directly through Telegram.
It was not real protection. It was the attack itself.
Five Attack Types That Go Beyond the Clipboard
Bala (@BalaiBB) listed five crypto scam patterns on X that go beyond simple clipboard hijacking. Fake token approvals come next: a random token appears in your wallet, you try to sell it on a DEX, and the moment you approve the transaction, the contract drains everything. The rule he gave was direct. If you did not buy it, do not touch it.
Phishing sites that mirror DeFi platforms almost perfectly are another vector. A URL like uniswop.com instead of uniswap.org. Connect your wallet, approve one transaction, and it’s gone. Then there are fake customer support accounts that DM users who post about wallet issues. They ask for seed phrases. No legitimate platform ever will.
The fifth pattern Bala flagged involves compromised Discord moderator accounts posting fake airdrop links. Users click because the message came from a trusted mod. The wallet gets drained anyway. As Bala noted on X, even official channels can be breached, and announcements should be verified across multiple platforms before acting.
How to Check If Your Device Is Infected Right Now
Copy any random Bitcoin or Ethereum address from a public block explorer. Paste it into Notepad. Compare it character by character to the original. If they do not match, your clipboard is being swapped. CNC Intelligence recommends repeating the test with different addresses, since some malware only activates for specific cryptocurrencies or every few copies to avoid detection.
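The copy-and-compare test described above, as an added example that is not part of the original article: it goes slightly beyond the manual check by repeating the copy over several rounds and reporting which address format was altered. `set_clipboard` and `get_clipboard` are hypothetical caller-supplied functions that wrap the OS clipboard, and the sample addresses are constructed placeholders, not real wallets.

```python
import re
import time
from collections import Counter
# Wallet formats the article names: 0x... (Ethereum) and bc1... (Bitcoin).
FORMATS = {
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "bitcoin": re.compile(r"^bc1[0-9a-z]{11,87}$"),
}
# Constructed sample values in wallet-like shape; not real wallets.
SAMPLE_ADDRESSES = ["0x" + "1a2b3c4d5e" * 4, "bc1q" + "z9" * 19]

def chain_of(address):
    """Name of the chain whose address format matches, else 'unknown'."""
    return next((c for c, p in FORMATS.items() if p.match(address)), "unknown")

def first_difference(copied, pasted):
    """Index of the first differing character, or None if identical."""
    if copied == pasted:
        return None
    for i, (a, b) in enumerate(zip(copied, pasted)):
        if a != b:
            return i
    return min(len(copied), len(pasted))  # one string is a prefix of the other

def clipboard_self_test(addresses, set_clipboard, get_clipboard, rounds=3, settle=0.5):
    """Copy each address `rounds` times and read it back after `settle` seconds.

    settle should exceed the swap interval (the article cites 200 ms checks).
    Returns mismatch records; an empty list means no swap was observed.
    """
    mismatches = []
    for round_no in range(1, rounds + 1):
        for address in addresses:
            set_clipboard(address)
            time.sleep(settle)  # give a background process time to act
            pasted = get_clipboard()
            pos = first_difference(address, pasted)
            if pos is not None:
                mismatches.append({"round": round_no, "chain": chain_of(address),
                                   "copied": address, "pasted": pasted, "first_diff": pos})
    return mismatches

def summarize(mismatches):
    """Swaps seen per chain, since some strains act on one currency only."""
    return dict(Counter(m["chain"] for m in mismatches))

if __name__ == "__main__":
    box = {}  # in-memory stand-in for the clipboard so the demo runs offline
    found = clipboard_self_test(SAMPLE_ADDRESSES, lambda s: box.update(v=s), lambda: box["v"], settle=0)
    print(summarize(found) or "no swap observed")
```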
For removal, checking startup programs in Windows via msconfig and inspecting Task Manager for unknown processes are first steps. Tools like Malwarebytes and Kaspersky catch most clipboard hijackers. HitmanPro handles more advanced variants on PC and ComboCleaner handles macOS infections. Run the scan, restart, and check again because many strains leave persistence files behind.
Going forward, always verify the first and last six characters of any pasted address before confirming a transaction. For high-value transfers, send a small test amount first. Hardware wallets like Ledger and Trezor display addresses on a physical screen that cannot be tampered with by device-level malware. That extra step would have saved Bala’s friend $1,200.












