If you copy the wallet address to send crypto and, when pasting, the address appears different, your device is likely infected by a __clipper malware__. This type of malicious program swaps the copied address with the attacker's address. **Blockchain transactions are irreversible:** once confirmed, Picnic cannot reverse, redirect, or recover the funds.

## What is clipper malware (and why the address changes)

The __clipper__ monitors your device's clipboard (the “copy/paste”). When it detects a crypto address, it **silently replaces** it with the criminal's address. This can happen in repackaged/fake apps (including messaging apps like Telegram and WhatsApp), extensions, and programs for mobile and computer. In some cases, the package comes with __RATs__ (Remote Access Trojans), which give the attacker full control of the device.

## Warning signs

-   You copy an address and, when pasting, some characters change.
    
-   The sent transaction does not reach the intended recipient.
    
-   Recent installation of unofficial apps, “unknown” extensions, or “modified” versions.
    
-   Slower device, strange pop-ups, or unusual permission requests.
    

## What to do **before** sending crypto (quick checklist)

1.  **Copied? Check.** Compare the address characters when pasting.
    
2.  **Validate at the destination.** If possible, use a QR code or test with a small transfer.
    
3.  **Use official channels.** Download apps only from official stores (Google Play / App Store) and keep your system updated.
    
4.  **Be wary of links.** Do not click on links from emails, social media, or messages that promise “bonuses” or request file installations.
    

## Already sent?

-   **Once confirmed on the blockchain, the transaction is final.**
    
-   Picnic **cannot cancel, reverse, change the recipient, or recover** funds sent to an incorrect or malicious address.
    

## Immediate steps

1.  **Stop transacting** until you review the device.
    
2.  **Disconnect from the internet** (when possible) and **securely back up** what is necessary.
    
3.  **Remove unknown apps/extensions**.
    
4.  **Run an updated antivirus/antimalware** and perform a full scan.
    
5.  **Update the operating system and browsers.**
    
6.  **Change passwords** for your emails and critical services (enabling 2FA where available).
    
7.  **Clean reinstallation** (if the antivirus indicates the threat persists).
    
8.  **Only then** resume transacting (always starting with a small test and checking addresses when pasting).
    

## Continuous best practices

-   **Always verify addresses** (beginning and end) when pasting.
    
-   **Use 2FA** on relevant accounts and keep **antivirus active and updated**.
    
-   **Log out** of financial platforms when finished.
    
-   **Keep your personal data private** and **physically protect** your devices.
    

## Frequently Asked Questions

**Can Picnic support identify the hacker?**  
We do not have visibility beyond what is public on the blockchain. Support can guide security measures, but **cannot recover funds**.

**Can I use a QR code to avoid errors?**  
It helps reduce the risk of manipulation during copy/paste. Still, **check the address** displayed before confirming.