In late 2025, threat intelligence teams uncovered a Discord clipboard hijacker campaign that quietly drained cryptocurrency wallets without deploying ransomware, command-and-control infrastructure, or noisy malware beacons. Instead, attackers exploited trust inside Discord communities, targeting streamers and crypto users where transaction speed matters more than scrutiny.
For CISOs, SOC analysts, and DevOps leaders, this campaign highlights a dangerous reality: low-and-slow malware paired with social engineering can bypass even mature security stacks.
In this article, you’ll learn:
- What a Discord clipboard hijacker is and how it works
- Why it’s so effective against crypto users and streamers
- Technical details of the Pro.exe malware
- Real-world indicators of compromise (IOCs)
- Best practices to detect, prevent, and respond to clipboard-based attacks
What Is a Discord Clipboard Hijacker?
A clipboard hijacker is a type of malware that monitors a user’s clipboard activity and silently replaces copied content—most commonly cryptocurrency wallet addresses—with attacker-controlled values.
When distributed through Discord, these threats gain an additional advantage:
- Built-in trust between community members
- Informal software sharing
- Limited security scrutiny compared to email or corporate tools
Why Clipboard Hijacking Is So Dangerous
Unlike phishing links or ransomware:
- No user interaction is required after installation
- No credentials are stolen directly
- Transactions appear legitimate on-chain
- Funds are irreversibly lost
Key takeaway: If a crypto address is swapped before a transaction is broadcast, no bank, exchange, or SOC can reverse it.
How the Discord Clipboard Hijacker Campaign Works
This campaign, attributed to a threat actor calling itself RedLineCyber, demonstrates a highly targeted and disciplined attack chain.
Step-by-Step Attack Flow
- Trust Building on Discord
  - Attackers embed themselves in gaming, gambling, and crypto streaming servers
  - Victims are cultivated over weeks or months
- Social Engineering Delivery
  - Malware is introduced as:
    - “Clipboard protection tools”
    - “Streaming utilities”
    - “Crypto safety software”
- Malware Execution
  - Victim runs Pro.exe, a PyInstaller-packaged Python trojan
- Clipboard Monitoring
  - Clipboard checked every 300 milliseconds
  - Wallet addresses detected and swapped in real time
- Crypto Theft
  - Funds are redirected to attacker wallets
  - No alerts, pop-ups, or transaction errors
Technical Architecture of Pro.exe Clipboard Hijacker
Despite its simplicity, Pro.exe is optimized for stealth and effectiveness.
Malware Packaging and Persistence
- Language: Python 3.13
- Packaging: PyInstaller executable
- Obfuscation: Base64-encoded regex patterns
- Persistence: Windows Registry Run key
Upon execution, the malware creates:
%APPDATA%\CryptoClipboardGuard\
This directory stores the hijacker's logs, and the accompanying Run key entry relaunches it after every reboot.
Clipboard Monitoring Mechanics
The malware polls the clipboard approximately three times per second, striking a balance between responsiveness and low CPU usage.
Supported Cryptocurrency Wallet Formats
| Cryptocurrency | Address Pattern | Detection Method |
|---|---|---|
| Bitcoin (BTC) | bc1[a-zA-Z0-9]{39,59} | SegWit matching |
| Ethereum (ETH) | 0x[a-fA-F0-9]{40} | Hex format |
| Solana (SOL) | [1-9A-HJ-NP-Za-km-z]{32,44} | Base58 validation |
| Dogecoin (DOGE) | D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32} | Prefixed Base58 |
| Litecoin (LTC) | ltc1[a-zA-Z0-9]{39,59} | Bech32 |
| Tron (TRX) | T[A-Za-z1-9]{33} | T-prefix Base58 |
When a match is detected, the clipboard content is instantly replaced with an attacker-controlled address.
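As an added defender-side example (not code from the article or from the malware), the Python below reuses the six patterns from the table for two controls the article recommends further on: an address-verification check that compares what the user copied with what landed in the transaction form, and a hunt over clipboard telemetry for an address that turns into a different address of the same chain within roughly one polling interval. The telemetry format, the sample addresses and the one-second window are assumptions.

```python
import re

# Patterns copied from the table above and anchored to the whole string. Order matters:
# the Solana pattern is unprefixed Base58, so it also matches Dogecoin addresses and
# typical Tron addresses; prefixed formats are tried first and Solana last.
CHAIN_PATTERNS = [
    ("BTC", r"bc1[a-zA-Z0-9]{39,59}"),
    ("ETH", r"0x[a-fA-F0-9]{40}"),
    ("LTC", r"ltc1[a-zA-Z0-9]{39,59}"),
    ("DOGE", r"D[5-9A-HJ-NP-U][1-9A-HJ-NP-Za-km-z]{32}"),
    ("TRX", r"T[A-Za-z1-9]{33}"),
    ("SOL", r"[1-9A-HJ-NP-Za-km-z]{32,44}"),
]
COMPILED = [(c, re.compile(rf"^{p}$")) for c, p in CHAIN_PATTERNS]

def classify(text):
    """Chain whose pattern the whole (stripped) string matches, or None."""
    text = text.strip()
    return next((c for c, rx in COMPILED if rx.match(text)), None)

def check_paste(copied, pasted):
    """Address-verification step: compare the address the user copied with the
    one that reached the transaction form."""
    if copied.strip() == pasted.strip():
        return "ok"
    src, dst = classify(copied), classify(pasted)
    if src and src == dst:
        return "swapped"  # same format, different address: the hijacker's signature
    return "mismatch" if (src or dst) else "not_an_address"

def detect_swaps(snapshots, window_ms=1000):
    """Hunt over clipboard telemetry given as (timestamp_ms, content) samples.
    A copied address that becomes a different address of the same chain within
    window_ms is reported as a suspected hijack."""
    alerts = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        if a != b and t1 - t0 <= window_ms and check_paste(a, b) == "swapped":
            alerts.append({"t_ms": t1, "chain": classify(a), "from": a, "to": b})
    return alerts

# Constructed sample telemetry (addresses are made up, not real wallets).
SAMPLE = [
    (0, "meeting notes"),
    (1200, "0x" + "a1" * 20),                        # user copies an ETH address
    (1500, "0x" + "b2" * 20),                        # 300 ms later it has changed: swap
    (9000, "TAbCdEfGhJkLmNoPqRsTuVwXyZ12345678"),    # user copies a TRX address
    (9500, "TAbCdEfGhJkLmNoPqRsTuVwXyZ12345678"),    # unchanged: no alert
]
```

A legitimate copy of a second address on the same chain inside the window would also fire, so tune window_ms to the observed 300 ms polling rate and treat the alert as a lead rather than a verdict.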
Why This Discord Clipboard Hijacker Is Hard to Detect
No Command-and-Control Infrastructure
Unlike traditional trojans:
- No outbound network traffic
- No data exfiltration
- No beaconing behavior
This removes entire classes of detection rules from EDR and NDR platforms.
Minimal Behavioral Footprint
- Low CPU utilization
- No privilege escalation
- No lateral movement
VirusTotal results show only ~50% detection coverage, with classifications such as:
- Trojan.ClipBanker
- Trojan-Banker.Win32.ClipBanker
Real-World Impact and Attribution
Blockchain Evidence
Embedded wallet addresses tied to the malware show:
- Successful thefts across multiple blockchains
- Separate wallets per cryptocurrency
- Clear transaction correlation with infected hosts
Broader Criminal Activity
Open-source intelligence links RedLineCyber to:
- Sale of 4,200+ LinkedIn credentials
- Listings on underground marketplaces such as BreachStars
- A diversified cybercrime operation combining:
- Credential harvesting
- Real-time crypto theft
Indicators of Compromise (IOCs)
Security teams should immediately hunt for the following:
| Indicator Type | Value | Context |
|---|---|---|
| SHA-256 | 0d6e83e240e41013a5ab6dfd847c689447755e8b162215866d7390c793694dc6 | Primary Pro.exe sample |
| SHA-256 | d011068781cfba0955258505dbe7e5c7d3d0b955e7f7640d2f1019d425278087 | Related variant |
| File Path | %APPDATA%\CryptoClipboardGuard\activity.log | Clipboard swap log |
| Directory | %APPDATA%\CryptoClipboardGuard\ | Persistence location |
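An added hunting script (not the article's or any vendor's tooling) that checks a profile's APPDATA tree for the directory, log and hashes in the table and reviews the per-user Run key entries for anything launched from that directory. The standard location HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the constructed sample tree are assumptions; the registry value name Pro.exe uses is not given in the article, so the match is on the launch path rather than the name.

```python
import hashlib
import re
import tempfile
from pathlib import Path

KNOWN_HASHES = {  # SHA-256 values from the IOC table above
    "0d6e83e240e41013a5ab6dfd847c689447755e8b162215866d7390c793694dc6",
    "d011068781cfba0955258505dbe7e5c7d3d0b955e7f7640d2f1019d425278087",
}
IOC_DIR = "CryptoClipboardGuard"   # created under %APPDATA%
IOC_LOG = "activity.log"           # clipboard swap log

def hunt_filesystem(appdata):
    """Flag the persistence directory, its swap log, and any file inside with a known hash."""
    findings, target = [], Path(appdata) / IOC_DIR
    if target.is_dir():
        findings.append(("directory", str(target)))
        if (target / IOC_LOG).is_file():
            findings.append(("log", str(target / IOC_LOG)))
        for p in target.rglob("*"):
            if p.is_file() and hashlib.sha256(p.read_bytes()).hexdigest() in KNOWN_HASHES:
                findings.append(("hash", str(p)))
    return findings

def hunt_run_entries(entries):
    """entries is {value_name: command} from the Run key; match on the launch path, not the name."""
    hit = re.compile(re.escape(IOC_DIR), re.IGNORECASE)
    return [("runkey", f"{n} -> {c}") for n, c in entries.items() if hit.search(c)]

def read_run_entries():
    """Enumerate the per-user Run key on Windows; {} elsewhere (winreg is Windows-only)."""
    try:
        import winreg
    except ImportError:
        return {}
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return entries
            entries[name], i = str(value), i + 1

def build_sample_appdata():
    """Constructed fixture: a throwaway APPDATA tree laid out like an infected profile."""
    root = Path(tempfile.mkdtemp()) / IOC_DIR
    root.mkdir()
    (root / IOC_LOG).write_text("constructed sample log line\n")
    return str(root.parent)
```

On a live host call hunt_filesystem(os.environ["APPDATA"]) and hunt_run_entries(read_run_entries()) and escalate any hit; a hash match confirms the known sample, while a directory or Run key hit alone may indicate a variant.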
Common Misconceptions About Clipboard Hijackers
“Our EDR Would Catch This”
Not necessarily. Fileless behavior and lack of C2 traffic significantly reduce detection.
“Crypto Attacks Only Target Individuals”
This campaign targeted influencers, streamers, and communities—creating downstream risk for platforms and sponsors.
“Zero Trust Doesn’t Apply Here”
Zero Trust principles absolutely apply—especially application allowlisting and least privilege execution.
Best Practices to Defend Against Discord-Based Clipboard Hijacking
For Security Teams
- Monitor clipboard access anomalies
- Hunt for unauthorized registry Run keys
- Deploy behavior-based EDR rules
- Integrate MITRE ATT&CK techniques:
- T1115 (Clipboard Data)
For Organizations Handling Crypto
- Enforce wallet address verification workflows
- Use hardware wallets with address confirmation
- Restrict execution of unsigned binaries
For Compliance & Risk Leaders
- Align controls with:
- NIST CSF PR.PT (Protective Technology)
- ISO 27001 A.12 (Operational Security)
- Treat crypto theft as a financial risk, not just an IT issue
FAQs: Discord Clipboard Hijacker Attacks
What is a Discord clipboard hijacker?
A Discord clipboard hijacker is malware distributed via Discord that monitors clipboard activity and replaces copied cryptocurrency addresses with attacker-controlled wallets.
Why are crypto streamers targeted?
They perform frequent transactions in high-pressure environments, making clipboard substitution harder to notice.
Can antivirus software detect clipboard hijackers?
Some can, but detection rates are inconsistent due to minimal malware behavior and lack of network traffic.
How can SOC teams detect clipboard hijacking?
By monitoring clipboard access patterns, persistence mechanisms, and suspicious file paths in user profiles.
Is clipboard hijacking considered ransomware?
No. It’s a form of financial malware focused on silent transaction manipulation rather than encryption or extortion.
Conclusion
The Discord clipboard hijacker campaign underscores a critical shift in modern cybercrime: precision beats volume. By combining social engineering, community trust, and minimalist malware design, attackers can steal real money without triggering traditional defenses.
For security leaders, the lesson is clear:
- Threat detection must extend beyond networks
- Social platforms are now malware delivery vectors
- Crypto security requires both technical and human controls
Next step: Assess your organization’s exposure to clipboard-based threats and evaluate whether your endpoint and user awareness controls are truly fit for today’s attack landscape.