What Is a Clipboard Hijacker and Why My Pasted Address Changed?

If you copied a crypto address, pasted it, and the address that appeared was different from the one you copied, your device is very likely infected with clipboard-hijacker ("clipper") malware.

What Is a Clipboard Hijacker?

A clipboard hijacker is a type of malware that silently watches your device's clipboard. When it detects that you've copied something that looks like a cryptocurrency address, it instantly swaps it for an address controlled by the attacker. You paste what you think is the correct address, but it's actually theirs — and if you don't notice, your funds go straight to the scammer.

This malware lives on your device, not in the Xverse wallet. It can arrive through a malicious browser extension, a pirated or cracked app, a fake download, an infected email attachment, or a sketchy link.

How to Recognize It

You may have a clipboard hijacker if:

  • The address you paste doesn't match the address you copied.
  • Addresses change every time you copy and paste, or change after a short delay.
  • It happens across different apps and websites, not just one.

Step 1: Stop and Don't Send Anything

If you notice an address changing, do not complete any transaction. Cancel the send and don't paste any more addresses until your device is clean.

Always compare the entire pasted address against the original, not just the first few characters. Clippers often generate look-alike addresses that share a similar prefix to avoid catching your eye.

Step 2: Verify Every Address Before Sending

Until you've cleaned your device, treat every pasted address as untrusted.

  1. After pasting a recipient address, compare it character by character against the source.
  2. Whenever possible, use a QR code or scan the address instead of copy-paste.
  3. Send a small test amount first and confirm it arrives at the correct destination before sending the full amount.

Step 3: Move to a Clean Device

The only reliable fix is to stop using the infected device for crypto.

  1. Run a full scan with reputable anti-malware software, or factory-reset the infected device.
  2. Remove any browser extensions, apps, or downloads you don't recognize or recently installed before the problem started.
  3. Set up Xverse on a separate, clean device you trust.

If you believe your Secret Recovery Phrase was ever typed, stored, or entered on the infected device, assume it's compromised. Create a brand-new wallet on the clean device and move your remaining funds to it. Never reuse a recovery phrase that may have been exposed.

Why Funds Already Sent Can't Be Recovered

Bitcoin and other blockchain transactions are irreversible by design. Once a transaction is confirmed on the network, no one — not Xverse, not any exchange — can reverse it or force the funds back. Xverse is a non-custodial wallet, which means we never hold your funds and have no ability to cancel, refund, or claw back a confirmed transaction.

If funds were sent to an attacker's address, they are unfortunately unrecoverable. You can report the theft to local authorities and, if the funds moved to a known exchange, to that exchange — but recovery is rarely possible.

Xverse will never DM you for support, and will never ask for your Secret Recovery Phrase.