clipboard hijacking resulting in stolen crypto

aDownwardSpiral · n00b Joined: 17 Jul 2024 Posts: 1

I recently just lost crypto due to my clipboard somehow replacing the correct wallet address I was sending to with a very similar wallet address presumably controlled by a hacker. I was running a fully up to date gentoo box at the time of the attack, and a clamscan of my entire system resulted in 0 detected infected files. I am quite curious as to how this could have happened and would like to investigate further. Any advice on how to investigate deeper, or any theories on how this could have occurred would be greatly appreciated.

For more details, I was using the monero-gui wallet downloaded from getmonro.org. I initially sent a very small amount of monero to a wallet, and the funds were received with no issues. However about 10 minutes later I decided to send a larger amount of monero to the same wallet, but when copy and pasting the address this time somehow the address of the wallet got slightly altered, with the first 10 characters and last 8 characters being altered. The address also changed from a 106 character integrated address to a 95 character raw address. I obviously should have triple checked the address before sending, but was not expecting such an occurrence to happen.

kgdrenefort · Posted: Sat Aug 31, 2024 5:19 am Post subject:

Hello,

ClamAV isn't for your own security on Linux, it match against Windows virus. Plus it's not, per-se, an anti-virus but an anti-virus toolkit.

The best fails are the kind of yours, human error, we all fail at some level one day and lost stuff (money, datas, access…). Sorry for you. Hope it wasn't that much tho.

I really don't know how you were infected, if that's the case, but consider these always-good-security-advice :

- Gentoo, Hardened, is a plus but won't have helped you I guess here
- Close useless services and ports such as SSH (22) if not needed
- Avoid experimental release of software, specially some as web browser
- Keep up-to-date about GLSA alert on Gentoo
- Avoid crypto on your main box, I guess, and use a virtual machine or another computer for such things. Like a Raspberry PI with a simple WM running your wallet… It's enough.
- Don't be paranoid and don't cipher everything, you'll lost so much time for 0 more security. It's useful if you get robbed. If I want that hard the content, I'll just cut each of your fingers until you gave me that password, anyway. Save me, save you, some time :twisted:

!!!

Regards,
GASPARD DE RENEFORT Kévin
_________________
Traduction wiki, pour praticiper.
Custom logos/biz card/website.

sMueggli · Guru Joined: 03 Sep 2022 Posts: 446

Hu · Administrator Joined: 06 Mar 2007 Posts: 22404

Browsers are infamous for their terrible security practices, particularly around JavaScript. My guess would be that the OP did something in some web page that the browser interpreted as permission to update the clipboard contents, and that update replaced the good address with the bad one.

I would also assert that this is a minor failing of the tool that was used to send the crypto-currency. In my opinion, it ought to have a mechanism to warn the user that the entered address is not one that was ever used before, and ask the user to confirm that this never-before-used address is the intended one. If it had such a mechanism, it would have triggered a warning here, since the first (good) send would not have caused the second (bad) one to be treated as trusted.

sam_ · Developer Joined: 14 Aug 2020 Posts: 1867

I would concur with Hu's assessment here. Knowing the tabs you had open at the time would help. It's possible that perhaps one of the sites had been infected with some JS which inspected the clipboard for something which looks like a wallet address and substitutes it if it finds one.

EDIT: I should say that I also suspect it's unlikely it was outside of the browser given it could just pretend you sent it to the right address, even.

kgdrenefort · Posted: Sun Sep 01, 2024 7:39 am Post subject: