Your wallet was compromised by clipboard malware
When you copy your seed phrase, it sits in your clipboard where malware can read it. Some malware specifically monitors for crypto-related data being copied. Other malware even replaces wallet addresses in your clipboard with the attacker's address.
If you've ever copied and pasted your seed phrase, especially on a computer that might have malware, consider it compromised.
How this attack works
When you copy a seed phrase or private key, it sits in your clipboard in plaintext, where any running program can read it. Info-stealers specifically watch the clipboard for crypto-looking data.
A nastier variant — a clipboard hijacker — watches for wallet addresses and silently replaces what you paste with the attacker's. You copy a friend's address, paste it, and the transaction goes to the thief instead. The swap is easy to miss because the address looks similar at a glance.
Both run quietly in the background, usually arriving with a malicious download or attachment.
Warning signs
- •You copied and pasted your seed phrase or private key on that machine.
- •A pasted address didn't match what you copied, or funds went to an unknown address.
- •You recently installed software from an unofficial source.
What to do right now
- •Never copy/paste seed phrases or private keys
- •Run antivirus/malware scans on your devices
- •Create a brand new wallet with a fresh seed phrase
- •Type seed phrases manually when absolutely necessary
Not sure this is what happened to you?
Run the 2-minute diagnostic