If you copy the wallet address to send crypto and, when pasting, the address appears different, your device is likely infected by a clipper malware. This type of malicious program swaps the copied address with the attacker's address. Blockchain transactions are irreversible: once confirmed, Picnic cannot reverse, redirect, or recover the funds.
What is clipper malware (and why the address changes)
The clipper monitors your device's clipboard (the “copy/paste”). When it detects a crypto address, it silently replaces it with the criminal's address. This can happen in repackaged/fake apps (including messaging apps like Telegram and WhatsApp), extensions, and programs for mobile and computer. In some cases, the package comes with RATs (Remote Access Trojans), which give the attacker full control of the device.
Warning signs
You copy an address and, when pasting, some characters change.
The sent transaction does not reach the intended recipient.
Recent installation of unofficial apps, “unknown” extensions, or “modified” versions.
Slower device, strange pop-ups, or unusual permission requests.
What to do before sending crypto (quick checklist)
Copied? Check. Compare the address characters when pasting.
Validate at the destination. If possible, use a QR code or test with a small transfer.
Use official channels. Download apps only from official stores (Google Play / App Store) and keep your system updated.
Be wary of links. Do not click on links from emails, social media, or messages that promise “bonuses” or request file installations.
Already sent?
Once confirmed on the blockchain, the transaction is final.
Picnic cannot cancel, reverse, change the recipient, or recover funds sent to an incorrect or malicious address.
Immediate steps
Stop transacting until you review the device.
Disconnect from the internet (when possible) and securely back up what is necessary.
Remove unknown apps/extensions.
Run an updated antivirus/antimalware and perform a full scan.
Update the operating system and browsers.
Change passwords for your emails and critical services (enabling 2FA where available).
Clean reinstallation (if the antivirus indicates the threat persists).
Only then resume transacting (always starting with a small test and checking addresses when pasting).
Continuous best practices
Always verify addresses (beginning and end) when pasting.
Use 2FA on relevant accounts and keep antivirus active and updated.
Log out of financial platforms when finished.
Keep your personal data private and physically protect your devices.
Frequently Asked Questions
Can Picnic support identify the hacker?
We do not have visibility beyond what is public on the blockchain. Support can guide security measures, but cannot recover funds.
Can I use a QR code to avoid errors?
It helps reduce the risk of manipulation during copy/paste. Still, check the address displayed before confirming.