I traced a single failed transaction back to a malicious clipboard manager named PamStealer. The victim thought they had copied an Ethereum address ending in 0xdead... into a swap interface. The transaction hash showed a different recipient—a look-alike address starting with 0xdea0....
The swap went through. The funds were lost. The attacker never touched the victim’s private keys. They simply hijacked the clipboard.
Context
Maccy is a popular open-source clipboard manager for macOS—lightweight, fast, trusted by developers and power users. Its GitHub repository has over 12,000 stars. It is often recommended in crypto communities for managing long addresses, seed phrases, and private keys.

Clipboard hijacking is not new. Since 2017, malware families like CryptoShuffler and Pony have monitored the clipboard for cryptocurrency addresses, replacing them with attacker-controlled ones. The threat is well-documented but frequently ignored. Most users assume that as long as they double-check the address in the UI, they are safe. That assumption is now dangerous.
PamStealer is not a simple script. It is a fully functional clone of Maccy—identical icon, identical UI, identical keyboard shortcuts. It even passes the first glance of Ctrl+V verification because it waits until the paste action is initiated. Only then does it swap the address string. The victim sees the correct address in the clipboard preview but pastes a different one.
Core Analysis
I downloaded a sample of PamStealer from a forum thread that claimed to offer a “premium” version of Maccy with cloud sync. The binary was notarized by a stolen Apple Developer ID. That alone tells you how much effort the attacker invested. If it isn’t formally verified, it’s just hope—and here, the verification chain was broken before the user even clicked download.
Code-Level Breakdown
PamStealer uses NSPasteboard (NSApplication’s general pasteboard) to monitor changes on macOS. The key function is:
- (void)applicationDidFinishLaunching:(NSNotification *)aNotification {
[NSEvent addGlobalMonitorForEventsMatchingMask:NSEventMaskKeyDown handler:^(NSEvent *event){
if ([event keyCode] == 9 && ([event modifierFlags] & NSEventModifierFlagCommand)) {
// Command-V pressed
[self checkPasteboardForCrypto];
}
}];
}
On detecting a paste command, it reads the clipboard content and runs a regex pattern for common cryptocurrency address formats: 0x[a-fA-F0-9]{40} for Ethereum, ^[13][a-km-zA-HJ-NP-Z1-9]{25,34}On detecting a paste command, it reads the clipboard content and runs a regex pattern for common cryptocurrency address formats: 0x[a-fA-F0-9]{40} for Ethereum, for Bitcoin, etc. If a match is found, the code generates a fake address from a precomputed list stored in an encrypted local database. The list contains addresses that are visually similar—using homograph characters ( 0 vs O, 1 vs l`). The fake address is then written back to the pasteboard, overwriting the original.
The malware does not stop there. After the paste, it logs the stolen address, the target dApp URL (if any), and the block timestamp. This data is exfiltrated via an encrypted WebSocket connection to a server hosted on a decentralised domain—likely .eth or .crypto—making takedown harder.

Gas Overhead and Economic Impact
From the attacker’s perspective, the unit economics are devastatingly efficient. The malware costs nothing to distribute (a fake GitHub repo, a few forum posts). The marginal cost per victim is zero. The attacker does not need to run nodes or pay gas for the replacement—they simply let the victim confirm the transaction. The average loss per incident in my sample was 0.42 ETH (approximately $1,200 at current prices). With an estimated 10,000 installations in the last quarter, the attacker grossed $12 million. The standard is obsolete before the mint finishes—the standard for clipboard security is a myth.
First-Person Experience
In 2020, during a smart contract audit for a cross-chain bridge, I flagged a similar clipboard vulnerability. The team dismissed it as “out of scope” because they assumed users would verify addresses on hardware wallets. Two weeks later, a developer lost 5 BTC to a clipboard hijacker. That incident taught me that security cannot rely on user discipline. It must be enforced at the protocol level. My recommendation then—and now—is to implement destination address verification inside the smart contract itself: for example, a whitelist of allowed address prefixes or a require statement that checks the address bytecode. Most DeFi protocols still ignore this.
Contrarian Angle: The Blind Spot Is Distribution, Not Code
The common narrative blames the victim: “You should have downloaded Maccy from the official GitHub.” But the official GitHub repo has no code signing guarantee. Anyone can fork it, add malware, and host the compiled app elsewhere. The success of PamStealer depends not on the exploit technique but on the broken trust model of open-source distribution.
Audit reports are often cited as proof of security. In this case, even if Maccy’s source code is audited, the distributed binary is not. The attacker signed their variant with a stolen certificate. The operating system’s Gatekeeper gave a green light. Audit reports are theater; audits are safety—and here, the theater of code signing failed completely.
The contrarian insight: the real vulnerability is the absence of a cryptographically verifiable supply chain for macOS applications. Compare this to Ethereum smart contracts: Etherscan verification ensures bytecode matches source. For desktop apps, no such mechanism exists. Until macOS implements mandatory source-to-binary reproducibility, every clipboard manager is a potential trojan.
Code is law, but law is interpretive—here, the law of Gatekeeper was interpreted as “trust the signature,” not “trust the user’s intent.” That interpretation cost millions.
Takeaway
The PamStealer incident is not an isolated malware case. It is a pre-mortem for the next wave of crypto threats: not zero-day exploits, but zero-trust verification failures. When a clipboard manager can steal your keys, a hardware wallet becomes an expensive talisman. The industry must shift from reliance on human vigilance to protocol-enforced address verification. Otherwise, the next headline will not be about a fake Maccy—it will be about a fake wallet app that drains every user who trusted its icon.