ROBSLAW

CASE 26-011

Partial recovery

Cold-wallet drain via clipboard malware

54% recovered after the attacker attempted to cash out via Coinbase; the remaining ~46% had already been off-ramped via a peer-to-peer market. Closing report preserved the IC3 referral for future action.

Type: Cold-wallet drain via clipboard malware
Jurisdictions: Hong Kong SAR, United States
Claimed loss: $100K – $250K
Duration: 4 months
Legal strategy: On-chain tracing; exchange freezing at Coinbase; IC3 referral

Case narrative

A client using a hardware wallet was compromised by clipboard-hijacking malware on their signing machine: each time a destination address was copied and pasted, the malware silently replaced it with an attacker-controlled address before the transaction was built. Losses accrued over four transactions before the pattern was noticed. On-chain tracing identified Coinbase as the downstream off-ramp for the majority of the stolen funds; we obtained a Norwich Pharmacal–style preservation order from the HK courts and coordinated with Coinbase's US legal team to freeze the identified deposit addresses. An IC3 referral was filed in parallel. Of the four tranches, two were frozen and returned; the remaining two had already moved via a peer-to-peer market and remain unrecovered.

Takeaway

Clipboard-hijacking malware remains a quiet but persistent theft vector, even for users who believe their setup is 'cold'. A hardware wallet keeps the private key off the host, but the destination address is assembled on the host; unless the address shown on the device screen is compared, character for character, with the intended one before approval, a substituted address gets signed like any other. Speed from detection to exchange freezing is decisive; days-long delays collapse recovery probability.
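The substitution described in this case is easy to model. The following is an added example, not code from ROBSLAW or from the case file: an in-memory clipboard, a simulator of the malware's behaviour (replace any address-shaped clipboard text with an attacker address of the same family, so the paste still looks plausible), a host-side guard that remembers what was copied and refuses a send whose pasted destination differs, and the out-of-band device-screen comparison that the guard cannot replace because it runs on the same host. The address regexes, class names and sample addresses (public BIP173 and EIP-55 test vectors) are assumptions for illustration only.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Address shapes clipper malware typically watches for. Loose regexes, enough
# to classify clipboard text for this example; a wallet should still run full
# checksum validation before signing. (Constructed for this example.)
ADDRESS_PATTERNS = {
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{25,62}$"),
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return which address family `text` looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class Clipboard:
    """In-memory stand-in for the OS clipboard (constructed for the example)."""

    def __init__(self) -> None:
        self.content = ""

    def write(self, text: str) -> None:
        self.content = text

    def read(self) -> str:
        return self.content


class ClipperSimulator:
    """Models the malware: whenever the clipboard holds something address-shaped,
    swap it for an attacker address of the same family. Simulation only; it
    operates on the fake clipboard above."""

    def __init__(self, clipboard: Clipboard, attacker_addresses: dict) -> None:
        self.clipboard = clipboard
        self.attacker_addresses = attacker_addresses

    def poll(self) -> bool:
        current = self.clipboard.read()
        replacement = self.attacker_addresses.get(address_kind(current))
        if replacement is None or current == replacement:
            return False
        self.clipboard.write(replacement)
        return True


@dataclass
class PasteVerdict:
    ok: bool
    expected: str
    actual: str
    reason: str


class ClipboardGuard:
    """Host-side check: remember exactly what the user copied and refuse a send
    whose pasted destination differs. Runs on the (possibly compromised) host,
    so it complements, not replaces, the device-screen check below."""

    def __init__(self, clipboard: Clipboard) -> None:
        self.clipboard = clipboard
        self.last_copied: Optional[str] = None

    def user_copy(self, text: str) -> None:
        self.clipboard.write(text)
        self.last_copied = text

    def paste_destination(self) -> PasteVerdict:
        actual = self.clipboard.read()
        expected = self.last_copied or ""
        if actual == expected:
            return PasteVerdict(True, expected, actual, "clipboard unchanged since copy")
        if address_kind(actual) == address_kind(expected):
            reason = "address replaced by another of the same family: clipper signature"
        else:
            reason = "clipboard content changed since copy"
        return PasteVerdict(False, expected, actual, reason)


def device_confirms(intended: str, shown_on_device: str) -> bool:
    """Out-of-band check: the address rendered on the hardware wallet's own
    screen must equal the intended one, character for character."""
    return intended.strip() == shown_on_device.strip()


def demo() -> PasteVerdict:
    # Sample addresses: public BIP173 / EIP-55 test vectors, not tied to any case.
    intended = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
    attacker = {
        "btc-bech32": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
        "eth": "0xde709f2102306220921060314715629080e2fb77",
    }
    clipboard = Clipboard()
    guard = ClipboardGuard(clipboard)
    malware = ClipperSimulator(clipboard, attacker)
    guard.user_copy(intended)  # the user copies the recipient address
    malware.poll()             # the clipper swaps it before the paste
    return guard.paste_destination()  # ok=False, reason names the clipper signature
```

The guard's "same family" branch is the tell: ordinary clipboard churn changes content to something unrelated, whereas a clipper produces a replacement that is still a valid-looking address of the type the user copied. Because the guard itself runs on the infected host, the only check that cannot be tampered with is `device_confirms`, the comparison against what the hardware wallet displays before the user approves.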

Related reading

How to file a crypto fraud report with the FBI IC3

A step-by-step guide to submitting a crypto-fraud complaint to the Internet Crime Complaint Center, including realistic expectations about what the FBI will and will not do with your submission.
