The $47K Ethereum Drain: A Clipboard Malware Attack
A user copied a wallet address and pasted something different. Clipboard malware had been silently replacing crypto addresses for weeks. By the time they noticed, 14.2 ETH was gone, routed through 8 wallets to a mixer.
The Incident
The victim was transferring 14.2 ETH from a centralized exchange to their self-custody wallet. They copied their wallet address from MetaMask, switched to the exchange withdrawal page, and pasted it into the destination field. The address looked correct at a glance: it began and ended with characters similar to their own address. They confirmed the withdrawal. Twenty minutes later, the ETH arrived, but not in their wallet. The address had been silently swapped by clipboard malware between the copy and the paste. The victim only discovered the theft hours later, when they checked their wallet balance and found it empty.
Attack Vector: Clipboard Hijacking
Clipboard hijacking malware watches the system clipboard for strings shaped like cryptocurrency addresses: for Ethereum, 0x followed by 40 hexadecimal characters; for Bitcoin, strings starting with 1, 3, or bc1. Reading and writing the clipboard needs no elevated privileges on any mainstream desktop OS, so an ordinary user-level process is enough. When the malware sees a recognised address being copied, it immediately replaces it with an attacker-controlled address chosen to share a visually similar prefix and suffix, so that the eye's usual check of the first and last few characters passes. The malware was traced to a cracked software download the victim had installed three weeks earlier. It had been running silently in the background, swapping every recognised address on every copy. The victim had most likely sent several smaller transactions to attacker addresses before the large 14.2 ETH transfer made the theft visible.
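To make the matching and replacement concrete, here is an added Python example written for this edit (it is not code from the incident, the malware, or its forensic analysis). It simulates the hijacker's clipboard hook against constructed addresses: it recognises the three address shapes named above, picks the pool entry that shares the longest prefix and suffix with what was copied, and shows that the victim's first-six/last-six glance passes while a full comparison does not. The addresses, the pool, and the glance_check and full_check helpers are all constructed for illustration.

```python
import re

# Shape checks mirroring what the write-up says the malware looks for.
# These are pattern matches only, not checksum or network validation.
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{6,87}$"),
}

# Constructed addresses (not real wallets). The first pool entry is built to
# share the victim's leading "0x7a3f0c" and trailing "9b2e4d" characters.
VICTIM_ETH = "0x7a3f0c11223344556677889900112233449b2e4d"
VICTIM_BTC = "bc1qzarvary0c5xw7kv8f3t4qpzry9x8gf2t"
ATTACKER_POOL = [
    "0x7a3f0cdeadbeefcafef00ddeadbeefcafe9b2e4d",
    "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7l",
]


def classify_address(text):
    """Return the address family a clipboard string matches, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None


def shared_prefix_suffix(a, b):
    """(prefix_len, suffix_len): leading and trailing characters two strings share, case-insensitively."""
    a, b = a.lower(), b.lower()
    limit = min(len(a), len(b))
    p = 0
    while p < limit and a[p] == b[p]:
        p += 1
    s = 0
    while s < limit - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return p, s


def pick_lookalike(victim_addr, pool):
    """Attacker side: the pool address of the same family that best matches both ends of the copied one."""
    family = classify_address(victim_addr)
    candidates = [a for a in pool if classify_address(a) == family]
    if not candidates:
        return None
    return max(candidates, key=lambda a: sum(shared_prefix_suffix(victim_addr, a)))


def hijack_clipboard(clip_text, pool):
    """Simulated clipboard hook: swap a recognised address, pass everything else through unchanged."""
    s = clip_text.strip()
    if classify_address(s) is None:
        return clip_text
    return pick_lookalike(s, pool) or clip_text


def glance_check(original, pasted, n=6):
    """The victim's check from the write-up: only the first n and last n characters."""
    o, p = original.strip().lower(), pasted.strip().lower()
    return o[:n] == p[:n] and o[-n:] == p[-n:]


def full_check(original, pasted):
    """Defender side: compare the entire address (hex addresses are case-insensitive)."""
    return original.strip().lower() == pasted.strip().lower()


if __name__ == "__main__":
    swapped = hijack_clipboard(VICTIM_ETH, ATTACKER_POOL)
    print("copied :", VICTIM_ETH)
    print("pasted :", swapped)
    print("glance passes:", glance_check(VICTIM_ETH, swapped))
    print("full compare :", full_check(VICTIM_ETH, swapped))
```

The point the simulation makes is that the prefix/suffix match is a property the attacker selects for when building the pool, so a check that only looks at the ends is the one check guaranteed to pass.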
On-Chain Trail
The 14.2 ETH landed in the attacker's receiving address and began moving within 4 minutes, which points to automated sweeper infrastructure rather than a human watching the address. The funds were split across 8 intermediate wallets over the next 20 minutes, with each hop submitted at a different gas price; varying gas price adds noise to a casual timeline but does nothing to obscure the transfer graph itself, which is fully public. The final hop sent the ETH into Tornado Cash in 3 separate deposits (Tornado Cash pools accept only fixed denominations, so deposit amounts are dictated by pool size rather than by an even split). Once in the mixer, the on-chain trail effectively ends. The intermediate wallets were all freshly created, had no prior transaction history, and received no further transactions after forwarding the stolen funds.
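The sweep pattern described above (funds arriving and leaving within minutes through freshly created wallets that never transact again) can be picked out from transfer records alone. The following Python example is added for this edit and runs over a constructed transfer log, not the real on-chain data of this incident; it models four hops rather than eight and labels the mixer contract tornado_cash_pool for readability. A wallet counts as a sweeper hop when its whole history is a single deposit, forwarded almost entirely within a dwell window, followed by nothing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transfer log for illustration (not real chain data).
# Fields: ISO timestamp, from, to, value in ETH. Outflows are slightly below
# inflows because gas is paid from the forwarding wallet's balance.
TRANSFERS = [
    ("2023-12-30T09:00:00", "exchange_b", "old_wallet", 2.0),
    ("2023-12-30T10:00:00", "old_wallet", "merchant", 0.5),
    ("2024-01-01T12:00:00", "exchange_hot_wallet", "attacker_recv", 14.2),
    ("2024-01-01T12:04:00", "attacker_recv", "hop1", 7.09),
    ("2024-01-01T12:04:00", "attacker_recv", "hop2", 7.09),
    ("2024-01-01T12:05:00", "attacker_recv", "old_wallet", 0.01),
    ("2024-01-01T12:10:00", "hop1", "hop3", 7.08),
    ("2024-01-01T12:11:00", "hop2", "hop4", 7.08),
    ("2024-01-01T12:18:00", "hop3", "tornado_cash_pool", 7.07),
    ("2024-01-01T12:20:00", "hop4", "tornado_cash_pool", 7.07),
]
# Constructed label standing in for a known mixer contract address.
MIXERS = frozenset({"tornado_cash_pool"})


def build_index(transfers):
    """Index every transfer under both the sending and the receiving address."""
    by_addr = defaultdict(list)
    for ts, src, dst, value in transfers:
        rec = {"ts": datetime.fromisoformat(ts), "from": src, "to": dst, "value": value}
        by_addr[src].append(rec)
        by_addr[dst].append(rec)
    return by_addr


def is_pass_through(addr, by_addr, max_dwell, min_forward_ratio=0.98):
    """True if addr's entire history is: one deposit, then near-total forwarding within max_dwell, then silence."""
    history = sorted(by_addr.get(addr, []), key=lambda r: r["ts"])
    if not history:
        return False
    inflows = [r for r in history if r["to"] == addr]
    outflows = [r for r in history if r["from"] == addr]
    if len(inflows) != 1 or not outflows:
        return False
    deposit = inflows[0]
    if history[0] is not deposit:  # any activity before the deposit means a wallet with real history
        return False
    if any(r["ts"] > deposit["ts"] + max_dwell for r in outflows):
        return False
    forwarded = sum(r["value"] for r in outflows)
    return forwarded >= min_forward_ratio * deposit["value"]


def trace_sweep(start, by_addr, max_dwell, mixers):
    """Follow funds out of start through pass-through wallets; return (hops, sinks)."""
    hops, sinks, frontier, seen = [], [], [start], set()
    while frontier:
        addr = frontier.pop()
        if addr in seen:
            continue
        seen.add(addr)
        for rec in by_addr.get(addr, []):
            if rec["from"] != addr:
                continue
            nxt = rec["to"]
            if nxt in mixers:
                sinks.append((nxt, rec["value"]))          # trail ends at the mixer
            elif is_pass_through(nxt, by_addr, max_dwell):
                hops.append(nxt)                           # sweeper hop: keep following
                frontier.append(nxt)
            else:
                sinks.append((nxt, rec["value"]))          # funds came to rest, or a wallet with history
    return sorted(hops), sinks


def summarize(transfers, start, mixers, max_dwell=timedelta(minutes=30)):
    """Hop list, mixer deposit count and total, and non-mixer endpoints for the funds leaving start."""
    by_addr = build_index(transfers)
    hops, sinks = trace_sweep(start, by_addr, max_dwell, mixers)
    return {
        "hops": hops,
        "mixer_deposits": sum(1 for a, _ in sinks if a in mixers),
        "mixer_total": sum(v for a, v in sinks if a in mixers),
        "other_sinks": sorted(a for a, _ in sinks if a not in mixers),
    }


if __name__ == "__main__":
    print(summarize(TRANSFERS, "attacker_recv", MIXERS))
```

The dwell window is the tunable that separates a sweeper from a person: the 4-minute and 20-minute figures in this incident sit well inside a 30-minute window, while a wallet that holds funds for days or has any earlier history drops out of the chain and is reported as an endpoint instead.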
Outcome
The funds were unrecoverable once mixed through Tornado Cash. The victim filed a police report and an IC3 complaint. The clipboard malware was identified and removed from their system. Forensic analysis of the malware revealed it was a known variant distributed through cracked software torrent sites, with the attacker's address pool containing over 400 pre-generated addresses optimized to visually match common address patterns. No arrests have been made.
Prevention
This attack fails if the pasted address is compared, in full, against a source the malware cannot touch. For an outgoing transaction signed on a hardware wallet, that source is the device screen: the device shows the real destination before it signs, and malware on the host cannot alter what it displays. Note that the incident here was an exchange withdrawal, which the exchange signs, so no hardware wallet screen is involved at confirmation time. In that direction the trusted source is the receive address shown on the hardware wallet's own display (not the address as rendered by software on the possibly infected host), and, where the exchange offers one, a withdrawal-address whitelist, which pins the destination once and takes the clipboard out of every later transfer. Compare the whole address, not just the first and last six characters: a pool of several hundred pre-generated lookalikes exists precisely to defeat a prefix-and-suffix glance. Send a small test amount before a large one, and prefer QR codes to copy-paste when both devices support them. And never install cracked or pirated software on any device used for cryptocurrency transactions; the few dollars saved on software are not worth a drained wallet.