Beginner’s Guide to Web3 Security: Clipboard Risks
Author: Liz & Reborn
Editor: Sherry
Background
In the previous episode of the Beginner’s Guide to Web3 Security: Avoiding Honeypot Scams, we analyzed honeypot scams. In this issue, we turn our focus to clipboard security.
In many crypto asset theft incidents, the most puzzling question victims often ask is: “I never transmitted my private key online — so how was it stolen?” In reality, the leakage of private keys or seed phrases doesn’t always occur through the cloud or over the internet. It can also happen during operations that appear to be “local and secure.” For example, have you ever copied and pasted your private key or mnemonic phrase? Have you ever saved them in a note-taking app or as a screenshot? These common actions are also entry points that hackers target.
This issue focuses on clipboard security — exploring how it works, how attacks are carried out, and the practical security tips we’ve summarized from experience to help users build stronger awareness of asset protection.
Why the Clipboard Poses a Security Risk
The clipboard is a temporary storage area provided by the operating system for local applications to share data. It is primarily used to store temporary content such as text, images, or file paths, enabling easy copy-and-paste operations across different applications. For instance, when you copy a wallet address, the operating system saves it to the clipboard until it’s either overwritten or manually cleared.
Plaintext Storage:
Most operating systems (such as Windows, macOS, and Linux) do not encrypt clipboard data by default. Instead, it is stored in memory as plaintext.
Access via System APIs:
Most operating systems provide clipboard APIs that let applications read and write its content. On desktop systems (Windows, macOS, and X11-based Linux) no special permission is required: any process running in the user’s session, whether a text editor, browser extension, input method, screenshot tool, or piece of malware, can silently read or even alter clipboard data in the background. Mobile systems are stricter (Android 10 and later only let the foreground app and the default input method read the clipboard, and iOS 14 and later show a banner when an app reads pasted content), but the input method itself still sees everything you type or paste.
Moreover, since clipboard content is not automatically cleared, it can remain accessible for extended periods. If a user copies sensitive information but does not promptly overwrite or erase it, malware or third-party applications may have the opportunity to retrieve it.
Some clipboard malware is specifically designed to tamper with addresses. A 2024 report on transnational organized crime in Southeast Asia, published by the United Nations Office on Drugs and Crime (UNODC), noted that one type of malware commonly used by Southeast Asian crime groups is the “clipper.” This malware monitors the clipboard of an infected system and, when it sees a wallet address being copied during a cryptocurrency transaction, replaces it with the attacker’s address. If the user proceeds without noticing, the funds go to the attacker. Since crypto wallet addresses are long strings, users rarely notice the change, and some clippers make detection even harder by choosing a replacement whose first and last few characters match the original address, so that the quick glance most people rely on passes.
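To make the lookalike problem concrete, here is an added Python example (not SlowMist’s code) that checks a pasted recipient against a trusted address book the way a wallet or payment script should. The address book, the sample pastes and the “glance” heuristic are constructed for the demo; the two addresses are public example values, not anyone’s real accounts.

```python
"""Added example (not SlowMist's code): verify a pasted recipient address
against a trusted address book instead of glancing at its first and last
characters, which is exactly the check a clipper is built to pass.

The addresses below are public example values used only for the demo."""
import re

# Constructed address book: label -> the address the user really intends to pay.
ADDRESS_BOOK = {
    "exchange-deposit": "0x8ba1f109551bD432803012645Ac136ddd64DBA72",
    "cold-wallet-btc": "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
}

ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
# Legacy base58 (1.../3...) or bech32 (bc1...) Bitcoin addresses, shape only.
BTC_RE = re.compile(r"^(bc1[ac-hj-np-z02-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")


def looks_like_address(text):
    return bool(ETH_RE.match(text) or BTC_RE.match(text))


def glance_check(intended, pasted, edge=4):
    """The habit most users rely on: compare only the first and last few chars.
    A clipper that picks a replacement with the same prefix and suffix passes it."""
    return pasted[:edge] == intended[:edge] and pasted[-edge:] == intended[-edge:]


def check_paste(label, pasted, edge=4):
    """Classify what landed in the recipient field against the address book.

    'ok'          full match (ETH addresses compared case-insensitively, since
                  checksummed and lowercase spellings are the same account)
    'lookalike'   same first/last `edge` characters, different in between
    'mismatch'    a different address entirely
    'not-address' the pasted text is not a recognisable address
    """
    intended = ADDRESS_BOOK[label]
    pasted = pasted.strip()
    if ETH_RE.match(intended) and ETH_RE.match(pasted):
        if pasted.lower() == intended.lower():
            return "ok"
    elif pasted == intended:
        return "ok"
    if not looks_like_address(pasted):
        return "not-address"
    if glance_check(intended, pasted, edge):
        return "lookalike"
    return "mismatch"


if __name__ == "__main__":
    intended = ADDRESS_BOOK["exchange-deposit"]
    # A constructed clipper substitute: same 4 leading and trailing hex chars.
    lookalike = intended[:6] + "0" * 32 + intended[-4:]
    for pasted in (intended, intended.lower(), lookalike,
                   ADDRESS_BOOK["cold-wallet-btc"], "hello"):
        print(f"{pasted[:12]:<14} glance={glance_check(intended, pasted)!s:<5} "
              f"verdict={check_paste('exchange-deposit', pasted)}")
```

The point of the demo is the third row: the constructed substitute passes `glance_check` but `check_paste` reports it as a lookalike, because only a full comparison against a copy of the address that never went through the clipboard can catch a clipper.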
At this point, it should be clear that the most fundamental way to defend against clipboard attacks is to avoid copying sensitive information and to install reputable antivirus software to prevent malware infections.
The primary purpose of clearing the clipboard is to shorten the exposure time of sensitive information and reduce the risk of it being read by malicious software or other applications. If you accidentally copy sensitive information, promptly clearing the clipboard lowers the likelihood of a leak. A simple method is to immediately copy a large chunk of irrelevant content to “overwrite” the previously copied data. Note that this only helps where the system keeps a single clipboard entry; clipboard history features and third-party clipboard managers retain earlier entries and must be cleared separately.
However, if your device is already infected with malware that steals or tampers with clipboard content, manually clearing the clipboard is of little use. Such programs monitor and read clipboard data in real time, so no manual action can keep up. The best practice therefore remains to avoid copying sensitive information in the first place and to keep your device clean. If you suspect your device has been compromised, move your assets to a new wallet as soon as possible, and create that wallet on a clean, uninfected device, since a seed phrase generated or typed on the compromised machine may leak as well.
In addition to the clipboard, sensitive information may also be leaked through the following channels, and users should pay extra attention to them:
- Photo albums, cloud storage, and input methods: Never let private keys or mnemonics touch the network. This includes, but is not limited to, photo albums, cloud services, WeChat Favorites, and phone memos. Avoid entering sensitive information through third-party input methods; use the system’s built-in keyboard and turn off any “cloud sync” function. Where possible, do not use copy-paste at all when filling in private keys or mnemonics.
- Malware risks: Regularly scan your system with antivirus software and remove any malware it finds.
- Browser extension permission issues: Disable unnecessary browser extensions. If you are concerned about the permissions a particular extension requests, install it but do not use it right away. Look up the extension ID, locate its directory on your computer, and open the manifest.json file in the root of that directory. You can then send the file content to an AI tool for a permission risk analysis, or read its permissions, host_permissions and content_scripts entries yourself. If you prefer a more isolated approach, enable untrusted extensions only in a separate Chrome profile so that any damage is at least contained.
- Transfer address tampering risk: When performing cryptocurrency transactions or similar operations, always verify the full recipient address before confirming, so that clipboard tampering cannot send your funds to the wrong address.
Clipboard Clearing Guide
Below are some simple methods for clearing the clipboard on macOS, iOS, Android, and Windows. You can try them out in practice:
- macOS only stores the current clipboard content and does not keep a history, so simply copying a piece of irrelevant content will overwrite any previously copied sensitive data. Two caveats: third-party clipboard managers keep their own history and must be cleared in that app, and Universal Clipboard (Handoff) can copy the content to your other nearby Apple devices as well.
- iOS also stores only the current clipboard content. In addition to copying irrelevant content to overwrite it, users can also create a Shortcut to clear the clipboard and add it to the home screen for easier access.
- Windows 7 and earlier versions only store the current clipboard content without keeping a history. You can indirectly clear the clipboard by copying a piece of irrelevant content to overwrite the original data.
- Windows 10 / 11 (if Clipboard History is enabled): Press Win + V to view the clipboard history, then click “Clear all” in the top right corner to delete all stored entries. If you do not need the feature, turn off Clipboard history (and in particular “Sync across devices”) under Settings > System > Clipboard, so that copied data is neither retained nor uploaded to your Microsoft account.
- On Android, clipboard history usually refers to the clipboard records saved by the input method. Many Android devices provide a clipboard history feature within the keyboard app. You can access the clipboard management interface in the input method and manually delete any unnecessary records.
In short, if the system does not save clipboard history, simply copying new content to overwrite it is enough. If the system does keep clipboard history (such as Windows 10/11 or some Android devices), you can manually clear the history using the methods mentioned above.
Conclusion
The clipboard is a frequently overlooked yet high-risk channel for data leakage. We hope this article helps users re-evaluate the security risks associated with copy-paste actions and understand that “local operations do not equal absolute safety.” Security is not just a technical issue — it’s also a matter of behavior and habits. Only by staying vigilant in daily operations, raising security awareness, and implementing basic protection measures can you truly safeguard your assets.
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.