Bybit User Loses $1,200 to Stealth Clipboard Malware That Swaps Wallet Addresses


TL;DR:

  • The incident resulted in a total loss of $1,200 from a MetaMask wallet.
  • The attack worked by automatically substituting the wallet address at the moment the user pasted it.
  • April 2026 recorded global losses in the crypto sector of $620 million across 20 distinct incidents.

Recently, a Bybit user lost $1,200 due to a clipboard malware infection that altered the destination address during a transfer from MetaMask.

The incident, which was reported by the security account BalaiBB on X, occurred when the investor made a routine deposit. They copied their Bybit account address and pasted it into their digital wallet, completing the transaction without visible technical errors; however, the funds never arrived. According to the BalaiBB report, the malicious software detected the alphanumeric string and instantly replaced it with one controlled by the attacker.

How Clipboard Hijacking Works on Android

These malicious programs usually run silently in the background and primarily affect mobile devices. According to investigations by the firm CNC Intel, the software waits for the user to copy or paste a wallet address and then swaps the clipboard contents without any visible sign.

Official information reveals that malware strains like Qulab have used fake applications, including fraudulent versions of Tor Browser, to infect devices. CNC Intel researchers point out that these files are often distributed through unofficial app stores and are configured to run automatically at system startup.

The victim discovered the discrepancy when checking the blockchain transaction history after noticing the deposit was not credited. Data from BalaiBB suggests that the malware does not issue alerts or alter device performance, making its detection prior to execution extremely difficult.


Common Wallet Draining Methods

In addition to clipboard hijacking, security analysts identified other recurring attack vectors in the ecosystem. Fake token approvals stand out as one of the most critical threats. In this scenario, a user receives an unknown asset and, when attempting to interact with it on a decentralized exchange (DEX), signs an approval that allows the attacker to drain their funds entirely.

Phishing on decentralized finance (DeFi) sites constitutes another common technique. The use of visually similar URLs, such as incorrect domain extensions, allows attackers to capture wallet connections. According to current trends observed by cybersecurity specialists, bookmarking official sites is considered the most effective defense against these fraudulent domains.

Fake technical support and social engineering on platforms like Discord also appear on the risk list. Attackers often compromise moderator accounts to spread links for surprise “mints” or token airdrops. BalaiBB’s documentation underlines that no legitimate custody company or digital wallet ever requests the recovery seed phrase under any circumstances.

In countries like Brazil, fake app store pages distributing malware specifically designed to intercept USDT transfers have been documented. These attacks target Android users who download tools outside Google’s official distribution channels.

Implications and Prevention Measures

The nature of blockchain transactions implies that, once the operation is confirmed, asset recovery is technically unfeasible. CNC Intel confirmed that tracking funds stolen via this malware is possible on the network, but their restitution is extremely unusual due to the absence of centralized dispute mechanisms.

In April 2026, an increase in sector vulnerability was detected, with cumulative losses above the levels seen following the Bybit breach in February 2025. Experts recommend performing full system scans with specialized tools and always verifying the starting and ending characters of addresses before confirming any transfer.
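The two checks described above (the malware swapping an address between copy and paste, and the advice to compare the characters of an address before sending) can be expressed as a small copy-to-paste guard. The following is an added example written for this article; it is not code from BalaiBB, CNC Intel, Bybit or MetaMask. The `ClipboardGuard` class, the function names and the two sample addresses are all constructed for illustration. It also shows why a full comparison is stronger than glancing at the first and last characters: the constructed "swapped" address keeps the same four leading and trailing characters as the intended one, so an ends-only check passes while the exact comparison fails.

```python
import re

# Matches a hex-encoded EVM (Ethereum / MetaMask) address: "0x" plus 40 hex digits.
EVM_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")


def is_valid_evm_address(text: str) -> bool:
    """True if the whole string is a syntactically valid EVM address."""
    return EVM_ADDRESS_RE.fullmatch(text) is not None


def find_addresses(text: str) -> list[str]:
    """Return every EVM-looking address found in arbitrary text (e.g. clipboard contents)."""
    return EVM_ADDRESS_RE.findall(text)


def ends_match(expected: str, actual: str, n: int = 4) -> bool:
    """The 'check the first and last few characters' habit, as a function.

    Compares only the first n hex characters after the 0x prefix and the last n.
    """
    e, a = expected.lower(), actual.lower()
    return e[:2 + n] == a[:2 + n] and e[-n:] == a[-n:]


def verify_paste(expected: str, pasted: str, n: int = 4) -> dict:
    """Compare the address the user intended to paste with what actually landed.

    'ok' is True only on an exact (case-insensitive) match. 'ends_match' reports
    whether a first/last-characters-only glance would also have passed, which is
    the gap a full comparison closes.
    """
    ok = expected.lower() == pasted.lower()
    return {
        "ok": ok,
        "valid_format": is_valid_evm_address(pasted),
        "ends_match": ends_match(expected, pasted, n),
        "reason": "address unchanged" if ok else "pasted address differs from the copied one",
    }


class ClipboardGuard:
    """Records the address the user copied and checks every paste against it.

    Hypothetical guard logic (not any real wallet's code): a wallet or browser
    extension could call on_copy() when the user copies a deposit address and
    on_paste() before submitting a transaction, refusing a mismatch.
    """

    def __init__(self) -> None:
        self._expected: str | None = None

    def on_copy(self, text: str) -> None:
        addrs = find_addresses(text)
        self._expected = addrs[0] if addrs else None

    def on_paste(self, text: str) -> dict:
        addrs = find_addresses(text)
        if self._expected is None or not addrs:
            return {"ok": False, "reason": "no reference address recorded or no address in paste"}
        return verify_paste(self._expected, addrs[0])


# Constructed sample data (not real addresses): the "swapped" one keeps the same
# first and last four hex characters as the intended one, differing only in the middle.
INTENDED_ADDRESS = "0x1234abcd" + "0" * 28 + "ef01"
SWAPPED_ADDRESS = "0x1234abcd" + "f" * 28 + "ef01"


def demo() -> dict:
    """Run the guard once against a clean paste and once against a simulated swap."""
    guard = ClipboardGuard()
    guard.on_copy("Deposit to " + INTENDED_ADDRESS)
    clean = guard.on_paste(INTENDED_ADDRESS)      # nothing tampered with the clipboard
    tampered = guard.on_paste(SWAPPED_ADDRESS)    # simulated clipboard swap
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The design point is that the guard keeps its own copy of what the user copied rather than trusting the clipboard, so a later substitution is caught by comparing the full string; the `ends_match` flag exists only to show how much a partial check can miss.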

To mitigate future risks, the use of security tools like Malwarebytes and regular auditing of the programs that launch with the operating system are suggested.
