A single Windows file can carry an entire fraud operation. In June 2026, researchers found one binary holding more than 15,500 attacker wallet addresses, each waiting to quietly replace yours the moment you copy a crypto address.
What changed: a Rust clipper with 15,500 embedded attacker addresses
Check Point Research documented an active Rust-based "crypto clipper" (clipboard-hijacking malware that swaps a copied wallet address for an attacker's at the moment of transfer) in a report published on June 17, 2026. It targeted both Windows and macOS and was distributed as fake profit tools: Solana/Pump.fun "sniper bots," Aviator-style crash-game predictors, cracked wallet utilities, and "unlockers."
Quick Answer: A 2026 Rust-based crypto clipper, detailed by Check Point Research on June 17, 2026, hides over 15,500 attacker wallet addresses (~15,000 Bitcoin, ~500 Ethereum) inside one Windows binary. It silently swaps the wallet address you copy with the attacker's just before you send.
The Windows payload watches the clipboard for address strings across at least eleven chains: Bitcoin, Ethereum/EVM, Litecoin, Tron, XRP, Cardano, Monero, Dogecoin, Zcash, Stellar, and Bitcoin Cash/Gold. It then substitutes one of its embedded addresses. Microsoft files this category under "cryware."
"Cryware [is] malware that targets non-custodial hot wallets … by clipping and switching clipboard addresses," according to the Microsoft Security Team (source: Microsoft Security Blog).
Before victims ran anything, operators manufactured legitimacy:
- A WordPress phishing site plus GitHub and SourceForge hosting
- YouTube videos with AI-generated presenters and planted crypto-forum posts
- Fake stars, ratings, downloads, and "safe" VirusTotal comments and upvotes
Check Point observed just over 5,000 GitHub downloads (including 1,250+ on macOS) and 44,485 SourceForge downloads that appeared heavily manipulated. Once launched, it persists silently across reboots.
| Trait | Detail |
|---|---|
| Embedded addresses (Windows) | 15,500+ total (~15,000 BTC, ~500 ETH) |
| Windows persistence | Copies to %APPDATA%\silke\silke.exe + Startup-folder shortcut |
| macOS persistence | ~/Library/LaunchAgents plist with a 30-second watchdog |
The .NET loader (for example SniperBot_Premium(Free).exe) drops the Rust clipper and registers a hidden clipboard listener; the macOS variant tells victims to strip quarantine with xattr -cr to bypass Gatekeeper, as reported by The Hacker News and CoinDesk.
Why it matters: on-chain transfers are irreversible
Clipboard swaps are damaging for one reason: the resulting transfer cannot be undone. Microsoft's "cryware" framework, first detailed on May 17, 2022 and still operative, defines malware that targets non-custodial hot wallets by stealing keys or by switching clipboard addresses. The warning: once funds move on-chain, there is no card-network reversal. A substituted-address send is typically unrecoverable the moment it confirms.
"Unlike credit cards and other financial transactions, there are currently no mechanisms that could help reverse fraudulent cryptocurrency transactions," writes Microsoft Security, in a post on defending hot wallets from cryware (source: Microsoft, 2022-05).
Hardware wallets blunt private-key and seed-phrase theft, but they do not close the clipper gap. If a user approves a swapped destination, the device signs it. The 2021 EthClipper research demonstrated exactly this against Trezor, Ledger, and KeepKey: because long addresses are hard to compare, attackers pick visually similar strings and exploit users who verify only the first and last characters.
The FBI IC3 2025 report logged 181,565 cryptocurrency-tagged complaints and $11.366 billion in associated losses, with crypto investment fraud alone accounting for $7.2 billion. Address-swapping clippers feed directly into those numbers, converting a single careless paste into a confirmed, final transfer.
The bigger problem is in the safety signal itself. The operators manufactured social proof at scale: fake GitHub stars and forks, planted "safe" VirusTotal comments and upvotes, AI-generated YouTube presenters, and placements on legitimate news sites. When reputation signals can be fabricated this thoroughly, "it had good ratings, it looked legit" no longer means much.
What to watch and do next: address verification is the last line
With reputation signals now fabricated at scale, defense shifts to two controllable goals: stop the binary from running, and stop a swapped address from being signed. Start with installation discipline. Do not run "sniper bots," game or crash predictors, cracked wallet tools, Telegram-linked installers, or any GitHub/SourceForge binary showing suspiciously high engagement, and never run a macOS tool that tells you to strip quarantine with xattr -cr to bypass Gatekeeper.
The signing step is the last line of defense. For every send, assume the clipboard is hostile:
- Compare the full destination address on a trusted display, not just the first and last characters, the exact gap the 2021 EthClipper research exploited against Trezor, Ledger, and KeepKey.
- Use saved or whitelisted addresses, and send a small test transaction before any large transfer.
- Never approve a hardware-wallet transaction unless the address and chain shown on the device match the intended recipient.
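The two checks above (full-string comparison instead of ends-only, and the clipper's tell-tale behaviour of one address being replaced by another of the same chain right after a copy) as a worked example. This is added code, not from Check Point's report or the malware; the chain regexes are deliberately loose, constructed here only to recognise address-like strings, and the clipboard snapshots are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Loose address-shape patterns (assumption: enough to classify, not to validate).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "xrp": re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$"),
}

def address_chain(s: str) -> Optional[str]:
    """Return the chain whose address shape the string matches, or None."""
    s = s.strip()
    for chain, pat in ADDRESS_PATTERNS.items():
        if pat.match(s):
            return chain
    return None

def ends_only_match(expected: str, pasted: str, n: int = 4) -> bool:
    """True when only the first/last n chars agree: the look-alike case that
    fools users who verify just the ends of a long address."""
    return (expected != pasted and expected[:n] == pasted[:n]
            and expected[-n:] == pasted[-n:])

def verify_destination(expected: str, pasted: str) -> str:
    """Classify the pasted address against the one the user actually intended."""
    if pasted == expected:
        return "match"
    if address_chain(pasted) is None:
        return "not-an-address"
    if address_chain(pasted) != address_chain(expected):
        return "wrong-chain"
    if ends_only_match(expected, pasted):
        return "lookalike-swap"
    return "swapped"

def clipboard_swap_events(snapshots: List[Tuple[float, str]], window: float = 1.0):
    """Given (timestamp, clipboard text) polls, flag a same-chain address being
    replaced by a different one within `window` seconds of the user's copy:
    the behaviour a clipper produces and a human copy-paste normally does not."""
    events = []
    for (t1, a), (t2, b) in zip(snapshots, snapshots[1:]):
        ca, cb = address_chain(a), address_chain(b)
        if ca and cb and ca == cb and a != b and (t2 - t1) <= window:
            events.append((t1, t2, ca, a, b))
    return events

# Constructed sample: the user copies INTENDED at t=1.0; 0.2 s later the
# clipboard holds LOOKALIKE, which shares only its first and last four chars.
INTENDED = "0x" + "ab" * 20
LOOKALIKE = "0x" + "ab" + "cd" * 17 + "abab"
SAMPLE_POLLS = [(0.0, "some text"), (1.0, INTENDED), (1.2, LOOKALIKE), (5.0, "other")]
```

`verify_destination(INTENDED, LOOKALIKE)` returns "lookalike-swap" and `clipboard_swap_events(SAMPLE_POLLS)` reports the single replacement at 1.0 to 1.2 s.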
Keep platform protections current. Microsoft Defender Antivirus already detects the clipboard-theft family Trojan:Win32/ClipBanker, first published February 15, 2018, and Defender plus SmartScreen help block fake apps and phishing sites. Close the removable-media path too: disable AutoRun/AutoPlay, never plug found or untrusted drives into a wallet machine, and on managed devices use Defender for Endpoint Device Control (Windows 10/11, anti-malware client 4.18.2103.3 or later).
If you suspect exposure, act in order: run a full scan, inspect the Startup folder and ~/Library/LaunchAgents for persistence, revoke token approvals, and migrate assets to a freshly generated wallet on a clean device if any seed phrase or private key ever touched the suspect machine. Code can lie about its reputation, but the address on your screen is yours to verify. Check every character, every send.
Frequently asked questions
What is a crypto clipper and how does it steal funds?
A crypto clipper is clipboard-hijacking malware that silently swaps a cryptocurrency wallet address while you copy and paste it. It installs a hidden clipboard listener, watches for address-like strings across chains such as Bitcoin, Ethereum, Tron, and XRP, and replaces the copied destination with an attacker-controlled address from an embedded list before you confirm the send. The 2026 Windows sample documented by Check Point Research carried more than 15,500 attacker addresses, roughly 15,000 Bitcoin-related and about 500 Ethereum. Because the address looks pasted normally, most victims notice nothing until funds leave.
Does a hardware wallet protect me from clipboard hijacking?
Only partially. A hardware wallet protects your private keys and seed phrase, but it cannot stop you from approving a substituted destination address. If a clipper swaps the recipient and you confirm the transaction on the device screen without checking the full string, the funds still go to the attacker. The 2021 EthClipper research demonstrated exactly this against Trezor, Ledger, and KeepKey, exploiting the fact that long addresses are hard to compare and many users verify only the first and last few characters. Verify every character against a trusted source, not just the ends.
How did this malware avoid antivirus detection?
Largely by manufacturing legitimacy rather than relying on technical evasion alone. The operators built social proof before victims ran the binaries: a WordPress phishing site, GitHub and SourceForge hosting, AI-generated YouTube presenters, fake stars, forks, ratings, and downloads, plus planted "safe" comments and upvotes on VirusTotal and posts on crypto forums and news sites. The goal was to convince users the fake "sniper bots" and game predictors were trustworthy, so they would override their own caution and execute the file.
Is Microsoft Defender enough to block crypto clippers?
It is necessary but not sufficient. Microsoft Defender Antivirus detects the long-running Trojan:Win32/ClipBanker clipboard-theft family, first documented in February 2018, and SmartScreen helps block known phishing sites and fake apps. But fresh, reputation-laundered samples can slip past signatures, and Microsoft's own cryware guidance stresses that once funds move on-chain there is generally no reversal. Not running suspicious binaries remains the primary control.
What should I do if I already ran one of these fake tools?
Act immediately and assume the clipboard is compromised. Run a full antivirus scan, then inspect persistence locations: on Windows check %APPDATA%\silke and the Startup folder; on macOS check ~/Library/LaunchAgents for unexpected .plist entries. Revoke on-chain token approvals, and if any seed phrase or private key was ever typed, pasted, photographed, or stored on the suspect machine, generate a new wallet on a clean device and move your assets there before doing anything else.