Web3 Security Beginner’s Guide: How to Ensure Clipboard Security?

Intermediate | 4/24/2025, 1:26:31 AM
Clipboard security is a highly overlooked but risky issue in the Web3 and cryptocurrency space. This article explores how clipboards work, the potential risks involved, and how simple actions, such as clearing clipboard content, can help reduce these risks.

This issue focuses on clipboard security, exploring its principles, attack methods, and the preventive tips we’ve gathered through practice, helping users build stronger asset protection awareness.

Background

In the previous Web3 Security Beginner’s Guide, we analyzed the Pi Xiu scam. This issue focuses on clipboard security.

In many cryptocurrency theft cases, one of the most confusing aspects for victims is often, “I never transmitted my private key online, how was it stolen?” In fact, private key/seed phrase leaks don’t always happen through cloud or online transmission; they can also occur during seemingly “local, secure” actions. For example, have you ever copied and pasted your private key/seed phrase? Or saved it in a note or screenshot? These common actions are also the entry points that hackers target.

This issue will focus on clipboard security, exploring its principles, attack methods, and the preventive tips we’ve gathered through practice to help users build stronger asset protection awareness.

Why the Clipboard Poses a Risk

The clipboard is a temporary storage space provided by the operating system for local applications to share data. It is mainly used to store temporary data (such as text, images, file paths, etc.) to allow easy copying and pasting between different applications. For example, when you copy a wallet address, the operating system stores that address in the clipboard until it is overwritten or cleared by new content.

  • Plaintext storage: Most operating systems (such as Windows, macOS, and Linux) do not encrypt clipboard data by default, but instead store it in plaintext in memory.
  • System API access: Most operating systems provide clipboard-related APIs that allow applications to access the clipboard. This means that if an application (such as a text editor, browser extension, input method, screenshot tool, or even malicious software) has the necessary permissions, it can silently read or even tamper with data in the background.

Furthermore, because clipboard content is not automatically cleared by default, it may remain accessible for a long time. If a user copies sensitive information but does not immediately overwrite or clear it, malicious software or third-party applications have the opportunity to read this content.

Some clipboard malware is specifically designed to tamper with addresses. The 2024 UNODC report on Southeast Asian transnational organized crime mentions that one commonly used malware in Southeast Asia is called a clipboard hijacker. This software monitors the clipboard of infected systems, waiting for an opportunity to replace addresses in cryptocurrency transactions. Once the victim unknowingly performs a transaction, funds are transferred to the attacker’s address. Since cryptocurrency wallet addresses are usually long, users may not notice the change in the receiving address.


(https://www.unodc.org/roseap/uploads/documents/Publications/2024/TOC_Convergence_Report_2024.pdf)
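The address replacement described above can be caught before a transfer is signed by comparing the pasted value with the address taken from a trusted source. The following is an added example, not part of the original article; the function names and sample addresses are constructed for illustration, and the patterns check address shape only, not checksums.

```python
import re

# Shape checks only (no checksum validation); constructed for this example.
ADDRESS_FORMATS = {
    "evm": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc-bech32": re.compile(r"bc1[0-9a-z]{11,71}"),
    "btc-base58": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
}


def address_format(text):
    """Return the name of the address format that text matches, or None."""
    for name, pattern in ADDRESS_FORMATS.items():
        if pattern.fullmatch(text):
            return name
    return None


def check_paste(expected, pasted):
    """Compare the address from a trusted source with what was actually pasted."""
    expected, pasted = expected.strip(), pasted.strip()
    fmt = address_format(expected)
    # EVM hex addresses vary only in checksum casing; other formats are case-sensitive.
    a, b = (expected.lower(), pasted.lower()) if fmt == "evm" else (expected, pasted)
    if a == b:
        return {"verdict": "match", "first_diff": None}
    first_diff = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                      min(len(a), len(b)))
    # A different value of the same format is what an address-replacing hijacker leaves.
    same_kind = fmt is not None and address_format(pasted) == fmt
    return {"verdict": "substituted" if same_kind else "changed",
            "first_diff": first_diff}


# Constructed sample addresses, not real wallets.
EXPECTED = "0x" + "1a" * 20
SWAPPED = "0x" + "2b" * 20

if __name__ == "__main__":
    print(check_paste(EXPECTED, EXPECTED))
    print(check_paste(EXPECTED, SWAPPED))
    print(check_paste(EXPECTED, "meeting notes"))
```

A "substituted" verdict means the clipboard held a different address of the same kind, which on a device you control is a reason to stop the transfer and check the machine for malware.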

At this point, it should be clear that the most fundamental way to prevent clipboard attacks is to avoid copying sensitive information and to install professional antivirus software to protect against malware infiltration.

The main purpose of clearing the clipboard is to shorten the exposure time of sensitive information and reduce the risk of being read by malware or other applications. If you accidentally copy sensitive information, clearing the clipboard in time can lower the likelihood of leakage. A simple method is to immediately copy a large amount of irrelevant content to “flush” the previously copied sensitive information, which can reduce the chances of it being read to some extent.

However, if your device has already been infected with malware that steals or alters clipboard content, manually clearing the clipboard will have limited effectiveness. These malicious programs can monitor and read data in real-time, making it difficult for manual clearing to keep up with their actions. Therefore, the best approach is to avoid copying sensitive information from the outset and ensure the security of your device. If you suspect your device has been infected, it is recommended to quickly transfer assets to a new wallet to prevent further loss.

In addition to the clipboard, sensitive information may also be leaked through the following methods, so users should pay extra attention:

  • Albums, cloud storage, input methods: Avoid uploading private keys/seed phrases to the cloud, including but not limited to albums, cloud storage, WeChat favorites, phone memos, etc. Avoid entering sensitive information in input methods. It is recommended to use the system’s built-in input method, disable the “cloud sync” function of the input method, and avoid entering private keys/seed phrases by copying and pasting.
  • Malware risk: Regularly scan the system with antivirus software to detect and remove potential malware.
  • Browser extension permissions: Disable unnecessary browser extensions. If you’re concerned about the permission risks of an extension, hold off on using it after installation: check the extension ID, search for its local path, find the manifest.json file in the extension’s root directory, and send the file content to AI for a permission risk analysis. If you’re cautious, consider enabling unfamiliar extensions in a separate Chrome profile to contain potential malicious actions.
  • Transfer address tampering risk: When making cryptocurrency transfers or similar operations, always carefully verify the wallet address to avoid transferring funds to the wrong address due to clipboard tampering.
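The manifest.json review mentioned in the browser-extension item can also be done locally before sharing the file with anything else. The following is an added example, not part of the original article: it flags the Chrome permission names and match patterns that are relevant to clipboard access. The severity labels, function name and sample manifest are assumptions made for illustration.

```python
import json

# Chrome extension permissions that grant direct clipboard access.
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Return a list of (severity, message) findings for one manifest.json."""
    m = json.loads(manifest_text)
    findings = []

    declared = set()
    for key in ("permissions", "optional_permissions"):
        declared.update(p for p in m.get(key, []) if isinstance(p, str))
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    hosts = set(m.get("host_permissions", []))
    hosts |= set(m.get("optional_host_permissions", []))
    hosts |= {p for p in declared if "://" in p or p == "<all_urls>"}

    for perm in sorted(declared & CLIPBOARD_PERMS):
        findings.append(("high", f"requests {perm}"))
    for pattern in sorted(hosts & BROAD_HOSTS):
        findings.append(("medium", f"host access to every site: {pattern}"))
    # Content scripts run inside pages, where they can observe copy and paste events.
    for script in m.get("content_scripts", []):
        broad = sorted(set(script.get("matches", [])) & BROAD_HOSTS)
        if broad:
            files = ", ".join(script.get("js", []))
            findings.append(("medium", f"content script [{files}] injected on {broad[0]}"))
    return findings


# Constructed sample manifest, not taken from a real extension.
SAMPLE_MANIFEST = """
{
  "manifest_version": 3,
  "name": "Constructed Example Extension",
  "version": "1.0",
  "permissions": ["storage", "clipboardRead", "clipboardWrite"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}]
}
"""

if __name__ == "__main__":
    for severity, message in audit_manifest(SAMPLE_MANIFEST):
        print(f"{severity:6} {message}")
```

An empty result only means none of these specific entries are declared; it does not show that the extension is safe.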

Clipboard Clearing Tutorial

Here are some simple methods to clear the clipboard on macOS, iOS, Android, and Windows that you can try:

macOS only stores the current clipboard content and does not record history. You can simply copy some irrelevant content to overwrite the sensitive content. iOS also only stores the current clipboard content. In addition to copying irrelevant content, users can create a shortcut and add the clipboard-clearing command to the home screen, making it more convenient to clear the clipboard.


(https://x.com/0xBeyondLee/status/1855630836118467028)

Windows 7 and earlier versions only store the current clipboard content without history. You can overwrite the original content by copying some irrelevant content, which effectively clears the clipboard.

Windows 10/11 (if “Clipboard History” is enabled): Press Win + V to view the clipboard history, and click the “Clear All” button in the top-right corner to delete all history.

On Android, clipboard history typically refers to the clipboard history recorded by the input method. Many Android devices offer a clipboard history feature in the input method, allowing users to enter the clipboard management interface of the input method and manually clear unwanted records.

In short, if the system itself does not save history, simply copying new content to overwrite the old content will suffice. If the system has clipboard history (such as Windows 10/11 or some Android devices), follow the methods mentioned above to manually clear the history.

Summary

The clipboard is often an overlooked but frequent source of data leakage. We hope this article helps users reassess the security risks of copying and pasting, and realize that “local operations do not equal absolute security.” Security is not just a technical issue; it is also a matter of behavioral habits. Only by staying vigilant, enhancing security awareness, and implementing basic protective measures in daily operations can we truly safeguard our assets.

Disclaimer:

  1. This article is reprinted from [Techflow]. The copyright belongs to the original author [Liz & Reborn]. If you have any objections to the reprint, please contact the Gate Learn team. The team will handle it as soon as possible according to relevant procedures.

  2. Disclaimer: The views and opinions expressed in this article represent only the author’s personal views and do not constitute any investment advice.

  3. Other language versions of the article are translated by the Gate Learn team. The translated article may not be copied, distributed or plagiarized without mentioning Gate.io.
