A Bybit user lost $1,200 after clipboard malware silently swapped his wallet address mid-transfer. Here is what happened and how it works.
The money left his MetaMask wallet clean. No errors. No warnings. Just gone.
A Bybit user sent $1,200 to what he believed was his own deposit address. Ten minutes passed. Then an hour. No confirmation from Bybit ever arrived. According to crypto security account BalaiBB on X, the user had copied his Bybit wallet address, opened MetaMask, pasted it, and hit send, the way everyone does it.
What He Found When He Checked the Transaction
When the deposit still hadn’t shown up, BalaiBB posted on X that the user went back and looked at the address he actually sent to. It wasn’t his. The device had been running clipboard hijacking malware. The moment the address was copied, the malware swapped it out for an attacker-controlled wallet. He pasted the replacement. He sent to a stranger.
The malware never made a sound.
This type of attack runs in the background of a compromised Android device, waiting. When it detects a long alphanumeric string that looks like a crypto wallet address, it replaces it instantly. The user sees nothing change. The paste looks identical at a glance. Only the last four characters tell the story, if anyone bothers to check. Per BalaiBB on X, the simple fix is always comparing the first and last four characters of any address after pasting, before confirming a transaction.
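The paste check described above, plus the detection side of it, as an added Python example that is not from the article, BalaiBB or CNC Intel: paste_check applies the first-and-last-four-characters rule, and detect_swaps scans a constructed log of clipboard snapshots for the hijacker's signature (one address-like value replaced by a different one of the same kind within seconds). The address patterns, the two-second window and every sample address are assumptions for the example.

```python
import re

# Address shapes the checks recognise (an assumption for this example):
# EVM "0x" + 40 hex chars, and TRON "T" + 33 base58 chars (USDT-TRC20).
ADDRESS_PATTERNS = {
    "evm": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}

def address_kind(text):
    """Return the address family a clipboard value looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

def paste_check(copied, pasted):
    """BalaiBB's rule: compare the first and last four characters of what
    was pasted with the address the user meant to copy. A full comparison
    follows, so a substitution that kept both ends is still caught."""
    c, p = copied.strip(), pasted.strip()
    if c[:4] != p[:4] or c[-4:] != p[-4:]:
        return "ends_differ"
    return "ok" if c == p else "middle_differs"

def detect_swaps(snapshots, window=2.0):
    """Flag the hijacker's signature in a list of (seconds, clipboard text)
    snapshots: an address-like value replaced by a different address of
    the same family within `window` seconds, too fast for a human copy."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if (kind and kind == address_kind(after)
                and before != after and t1 - t0 <= window):
            alerts.append({"t": t0, "kind": kind, "before": before, "after": after})
    return alerts

# Constructed sample: the user copies a deposit address; 0.3 s later the
# clipboard holds a different EVM address. None of these addresses is real.
USER_ADDRESS = "0x" + "ab" * 20
SWAPPED_ADDRESS = "0x" + "cd" * 20
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),
    (5.0, USER_ADDRESS),
    (5.3, SWAPPED_ADDRESS),
    (60.0, "0x" + "ef" * 20),  # a later, unhurried copy: not an alert
]
```

Running detect_swaps over SAMPLE_SNAPSHOTS yields exactly one alert, the 5.0 s replacement; paste_check(USER_ADDRESS, SWAPPED_ADDRESS) returns "ends_differ", which is the discrepancy the user in the story would have seen had he compared the ends before confirming.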
According to cybersecurity researchers at CNC Intel, clipboard hijackers can enter a device through fake browser extensions, trojans bundled inside shady downloads, or phishing links. One known strain, Qulab, specifically targeted Android devices by disguising itself inside fake Tor Browser apps distributed through unofficial app stores. The malware sets itself to run at startup.
Five Ways Your Wallet Gets Drained Without You Clicking Anything Obvious
BalaiBB didn’t stop at the clipboard warning. In a follow-up thread on X, the account laid out four other attack types that drain wallets just as quietly.
Fake token approvals came second on the list. A random token shows up in a wallet. The user tries to sell it on a DEX. The moment they approve the transaction, the contract empties everything. BalaiBB’s rule: if you didn’t buy it, don’t touch it.
Phishing sites, which are copies of legitimate DeFi platforms with near-identical URLs, ranked third. The URL uniswop.com instead of uniswap.org is the kind of difference most users scroll past. A wallet connection plus one approved transaction, and the funds are gone. As BalaiBB noted on X, bookmarking official sites is the only reliable defense.
Fake customer support rounded things out. Someone tweets a problem with MetaMask. Within minutes, a “support agent” DMs them asking for a seed phrase to “fix the issue.” BalaiBB on X was blunt about this: no legitimate company will ever ask for a seed phrase. Not once.
The fifth attack type, Discord social engineering, operates through compromised mod accounts in legitimate servers. A fake “surprise mint” or airdrop link goes out from a trusted name. People click because it came from someone they recognized. They connect their wallet. The funds leave.
Fake Google Play apps delivering similar clipboard-swapping behavior have already been documented targeting Android devices in Brazil, where attackers built imitation app store pages to distribute malware that specifically swaps wallet addresses during USDT transfers.
The Part Nobody Mentions: There Is No Refund
Blockchain transactions are final. There is no support ticket, no dispute window, no bank to call. CNC Intel confirmed that recovering crypto stolen through clipboard hijacking is nearly impossible once the transaction clears. The firm noted it has worked alongside law enforcement to trace funds in such cases, though recovery remains rare.
The destination address can be tracked on-chain. The money, practically speaking, cannot be retrieved.
April 2026 saw $620 million in crypto losses across 20 incidents, the worst monthly total since the February 2025 Bybit breach. Most of those losses came from infrastructure-level failures. The $1,200 clipboard theft sits at the opposite end of the scale. Different method. Same result.
CNC Intel recommends overwriting clipboard contents with random text after copying a wallet address, running full antivirus scans with tools like Malwarebytes or Kaspersky, and checking the Windows startup tab through msconfig for any unfamiliar entries. On Android, unofficial app stores are where most infections begin.
The user’s $1,200 is not coming back. What he got instead was a lesson that cost less than most people pay to learn it.