Topic: How to lose your Bitcoins with CTRL-C CTRL-V - page 2. (Read 4309 times)

Once your OS is compromised, you can't trust anything anymore. Although I haven't seen this happen yet, I can imagine at some point a compromised OS can make your wallet send funds to an address different than the address shown on your screen. A hardware wallet prevents this, assuming you thoroughly check the address on your hardware wallet before sending funds.

Be careful with this tip. If you drag things from a text file, then (depending on the application) it'll remove^[1] it from the source document after pasting. It's pretty easy to then accidentally save the file (some time later) and lose whatever it was that you copied.

Obviously, it's not advisable to keep important stuff in random text files, and I would never do that, but, erm... I have a friend who does it all the time.

[1] You can prevent this from happening by making sure to hold down the CTRL key before dragging.

not sure if this will help in the long term , it could be possible that they already found a way to change that also , i'll stick to the first page and keep deleting some numbers and change them by hand

I would like to add a tip here to avoid copy-paste errors and clipboard highjack scams. Instead of using CTRL+C and CTRL+V to copy paste the Bitcoin address, do this -

Select the address with mouse, then click-and-drag it to where you want to paste it.

This will act like a regular copy-paste, but no clipboard is involved.

That's easy: vanitygen and a list/database.

This is totally an eye opener to me, I must confess I have not come across or experience anything of this nature, but right now with this post I am completely informed. Thanks OP.
  But I would want to know another thing about this copy/paste.
How come the address shows or have the same first few characters and last few characters, is it that they run some codes that automatically figured out the kind of address that has been copied into the clipboard or it randomly creates it's own address that has the same first and last characters?
Please, I will sincerely need answers. Thanks.

Windows 10 is not without its drawbacks, even I have been exposed to clipboard viruses. The way it works seems to be inserted in an app that I'm trying to download. This virus is trying to check the wallet address of the thief in every activity Ctrl + V. Fortunately I am aware of this, even I have not tried the transaction. I was just trying to see the balance balance through Etherscan and it turned out that it was very different that what I did was the ETH address that the app brought. I've tried to dazzle and remove it. But every time I say that computer will appear and the last way is to install my computer.

I once had plagiarism from one of my posts removed from Medium. It's the first time I see it on Reddit.

I tried, but Reddit wants my full name and address. I'm not doxing myself, so I just downvoted and posted a link to my original topic in the comments.

Wow i didn't know that a simple thing as Ctrl-C/Ctrl-V could potentialy make you loss so many. Thanks for the info though! even though i never experienced getting scammed or hacked that way and I'm using Windows 10 right now makes me keep vigilant. 

Someone is farming karma without providing links to the source. Many posts here are the copypasta from reddit but I didn't know it works both ways.

Please report this: https://www.reddit.com/r/CryptoCurrency/comments/pcegqx/how_to_lose_your_bitcoins_with_ctrlc_ctrlv/

This is yet another reason to invest some bucks in a reliable Hardware wallet which allows us to double check not only on the screen of the computer but also on the screen of the hardware itself, which has been isolated from the internet and its nasty malwares.

At this point, a Trezor or a Ledger should be a must have for any serious Hodler, imo. 

I did say inspect first AND last. So a total of 10 characters. ... But yes, your example has the first half the same as another.

Clipboard malware that can do that on the fly (or probably communicates with a server to get an address) is too complex or will get caught or something.

If any malware can create an address with only 8 characters different from the original, within the time it takes for a human to do a copy and then a paste, we've got problems.


The house one is more of, if you are selling the house, it would be the buyer's responsibility to make sure you got paid. I think it came about something else concerning confirmations or blocks. I'd give the keys to the house after seeing the transaction, but I'm pretty sure the new owner wouldn't mind if I waited at least 20 minutes for one or two confirmations.

When paying small amounts, I don't really check anything. I scan the QR-code and pay. But I'm fully aware of the risks.

For larger amounts, I check all characters. That's how I found this Ledger bug:

I don't really get why a house would be different than a car: the house may not go anywhere, but your money will be gone if you lose it because of clipboard malware. And the house won't be yours if that happens.
For any serious amount:

To show the risks of only checking the first characters: all those addresses hold funds:

Sad, just be careful with your downloads and always have a good antimalware software in place!

Its actually quite simple to make mistakes when copying, and pasting anyway. If you need to send to multiple different addresses, and you work in a rather large workspace its simply to miss a key, and assume you actually did copy the newly highlighted address, when in reality you haven't, and because you are familiar with the address itself it will likely go unnoticed.

I get your point, that this is probably enough. Since, the chances of an attacker having a nearly identical address is close to none. However, I personally always check each letter/digit. This is just a habit I've developed, since if you are taking the responsibility of being your own bank, you should probably consider the weight of that. Unfortunately,  because of our culture, and the fact we've started to rely on banks for many years now, we've become acquainted with short cuts, and getting other third parties to assure everything is correct. This develops complacency, which I believe is one of the biggest threats to anyone's security, no matter who you are. In fact, its probably more dangerous as you become more confident, and assured with Bitcoin, since that's basically how complacency works. In the beginning you are probably checking every letter/digit, and your heart is pumping the first time you send that transaction, and check it on the Blockchain to make sure it actually was sent correctly. Then, once you develop a confidence, you start checking less, and less as its a time sink.

However, wallets don't have a built in function to protect you from complacency. Well, they kind of do; some will prompt you whether you mean to send it to x address, but as we are human, and are already susceptible to complacency, most will just click okay without actually checking anything.

With any bitcoin or other altcoin address, I think the threshold to minimally inspect it would be the first 5 and last 5 characters. If you can check more characters or even the whole address, then so much better.

I don't think it's going to "scale" all that much even in the future, maybe if you're dealing with bigger amounts, you could look at 6 characters. And of course, for bitcoin I mean don't include the prefix in the count like 1 or 3 or bc1q.

Buying or selling coffee (or equivalent value), inspect first 5 and last 5, save a little time.
Buying or selling a house, inspect first 6 or 7, save a little time, the house is not going anywhere.
Buying or selling a car, check the whole address before it goes vroom vroom, because it's going down the road away from you ... but you probably have all the details you need, just in case, the payment would just be an irritating hassle if it went to the wrong address.

When it comes to safety, perhaps the best option is not to consider trying something that might be risky. I have recommended him to reinstall his laptop, while all important data is well secured and the problem is resolved. Sometime, bad habit of browsing the web will bring about security issues and we have to protect ourselves with the right steps.

Uh, don't use websites to generate QR codes, and always scan them with another app to verify what you just generated.

I downloaded a bar code generator that can make all sorts of codes offline, and I think for Android anyway, there is QR-Droid or QR Droid Private.

Allow me to edit your quote. See for instance fake QR code generators will steal your Bitcoin.

You shouldn't use a compromised system for so many reasons!

Use QR addresses. No risk at all and no need to reset your operating system.