What to Know
- Microsoft says a crypto clipper, malware that swaps cryptocurrency addresses in the clipboard, has been spreading through infected USB drives since February.
- The threat is tracked as Trojan:Win32/CryptoBandits and targets Windows users’ crypto wallets.
- The malware can be installed through malicious .lnk shortcut files placed on removable media.
- Once active, it monitors the clipboard for seed phrases, private keys and recipient wallet addresses.
- It can exfiltrate stolen data over the Tor network and silently swap in attacker-controlled destination addresses.
- Microsoft recommends disabling AutoRun, blocking .lnk execution on USB media and tightening script host restrictions.
How the USB infection works
Microsoft says the worm spreads through shortcut (.lnk) files planted on infected removable drives. In some cases it replaces the documents on a clean USB drive with look-alike files that launch the malware instead of opening the document.
That is how the threat moves from one Windows system to the next: a user opens what appears to be a normal document or folder shortcut, and the shortcut runs the malware. Because the infection rides on portable storage, it can spread quickly in environments where USB devices are frequently shared.
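An added example, not code from Microsoft's report or from this article, of how a responder could triage the shortcut files found on a USB drive: it parses the Shell Link (.lnk) binary format far enough to read the StringData fields (relative path, working directory, arguments) and flags shortcuts whose target or arguments launch a command or script host rather than open a document. The sample .lnk bytes, file names and paths are constructed for the demonstration, and the list of suspicious hosts and the length threshold are the author's assumptions.

```python
"""Triage .lnk shortcuts on removable media (added example, not from the article).

Parses MS-SHLLINK just far enough to read the StringData fields and flags
shortcuts that run a command/script host. Sample shortcuts are built
inline so the script runs offline; they are not real malware artifacts.
"""
import struct
import tempfile
from dataclasses import dataclass
from pathlib import Path

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumption: hosts a document shortcut has no business pointing at
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd", ".hta")


@dataclass
class LnkStrings:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkStrings:
    """Return the StringData fields; the IDList and LinkInfo blocks are skipped."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & HAS_TARGET_IDLIST:            # IDListSize (u16) + IDList bytes
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:                # LinkInfoSize (u32) includes itself
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    unicode = bool(flags & IS_UNICODE)

    def read_string() -> str:
        nonlocal pos
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        pos += nbytes
        return raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")

    out = LnkStrings()
    if flags & HAS_NAME:
        out.name = read_string()
    if flags & HAS_RELATIVE_PATH:
        out.relative_path = read_string()
    if flags & HAS_WORKING_DIR:
        out.working_dir = read_string()
    if flags & HAS_ARGUMENTS:
        out.arguments = read_string()
    if flags & HAS_ICON_LOCATION:
        out.icon_location = read_string()
    return out


def suspicious_reasons(lnk: LnkStrings) -> list[str]:
    """Heuristics for a shortcut that runs code instead of opening a document."""
    reasons = []
    target = lnk.relative_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a command/script host: {target}")
    args = lnk.arguments.lower()
    hosts = sorted(h for h in SCRIPT_HOSTS if h in args)
    if hosts:
        reasons.append("arguments invoke " + ", ".join(hosts))
    if any(ext in args for ext in SCRIPT_EXTS):
        reasons.append("arguments reference a script file")
    if reasons and "explorer" in args:
        reasons.append("also opens a folder/document: decoy-and-execute pattern")
    if len(lnk.arguments) > 200:                      # assumed threshold
        reasons.append(f"unusually long arguments ({len(lnk.arguments)} chars)")
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Parse every *.lnk under root (e.g. a mounted USB drive); return findings."""
    findings = {}
    for path in root.rglob("*.lnk"):
        try:
            reasons = suspicious_reasons(parse_lnk(path.read_bytes()))
        except (ValueError, struct.error) as exc:
            reasons = [f"unparseable shortcut: {exc}"]
        if reasons:
            findings[str(path)] = reasons
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) for offline testing."""
    flags, parts = IS_UNICODE, []
    for flag, text in ((HAS_RELATIVE_PATH, relative_path),
                       (HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments)):
        if text:
            flags |= flag
            parts.append(struct.pack("<H", len(text)) + text.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # ShowCommand=1
    return header + b"".join(parts)


if __name__ == "__main__":
    # Constructed samples: a decoy "Documents" shortcut that runs cmd.exe, and a plain one
    with tempfile.TemporaryDirectory() as tmp:
        usb = Path(tmp)
        (usb / "Documents.lnk").write_bytes(build_lnk(
            "..\\..\\..\\Windows\\System32\\cmd.exe", "E:\\",
            '/c start "" "%cd%\\_\\update.vbs" & start "" explorer "%cd%\\Documents"'))
        (usb / "report.lnk").write_bytes(build_lnk("Documents\\report.docx", "E:\\", ""))
        for path, reasons in scan_tree(usb).items():
            print(path, *("  - " + r for r in reasons), sep="\n")
```

On a real drive, point scan_tree at the mount point; shortcuts that carry their target only in the LinkTargetIDList will show an empty relative_path, so the argument checks do most of the work there.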
What the malware does once installed
After it runs, the malware watches the clipboard for sensitive cryptocurrency information such as seed phrases, private keys and wallet addresses. Microsoft says it can also intercept transfer activity and replace the intended destination with an attacker-controlled wallet address.
The threat also sends stolen data out through the Tor network, which makes detection and attribution harder. For crypto users, that means a single copy-and-paste can be enough to redirect funds if the system is compromised.
Why crypto users should be concerned
Clipboard hijackers are especially dangerous because they exploit a routine part of crypto transfers. Users often copy a wallet address from one app and paste it into another, which gives the malware a chance to silently alter the destination before a transaction is confirmed.
Seed phrases and private keys are even more sensitive. If attackers obtain them, they may be able to take full control of a wallet and drain assets without needing to bypass any additional security steps.
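The recognise-then-swap mechanism described above, and the copy-versus-paste check that catches it, as an added example (not code from the article or from Microsoft). The chain classification regexes, the seed-phrase heuristic (word count and shape only; no BIP39 wordlist is embedded), the bech32 check (format only, no checksum) and the suspicious-value handling are the author's assumptions; the Bitcoin genesis-block address is used as a public test vector, and the attacker address is constructed from fixed bytes.

```python
"""Clipper target recognition and a paste guard (added example, not from the article).

A clipper only has to recognise what kind of value is on the clipboard; it
then substitutes an attacker address of the same kind, which still passes
the wallet's format and checksum checks. The same recognition lets a
defender compare what was copied with what is about to be pasted.
"""
import hashlib
import re
from typing import Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def base58check_ok(addr: str) -> bool:
    """Legacy Bitcoin address: 25 decoded bytes whose last 4 are a valid checksum."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + body  # leading '1' = 0x00
    if len(raw) != 25:
        return False
    return hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


def classify(text: str) -> Optional[str]:
    """What a clipper (or a guard) sees on the clipboard. Assumed patterns."""
    s = text.strip()
    if re.fullmatch(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}", s) and base58check_ok(s):
        return "btc-legacy"
    if re.fullmatch(r"bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}", s.lower()):
        return "btc-bech32"      # format only; bech32 checksum not verified here
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", s):
        return "eth"
    words = s.split()
    if len(words) in (12, 15, 18, 21, 24) and all(re.fullmatch(r"[a-z]{3,8}", w) for w in words):
        return "seed-phrase"     # heuristic: BIP39 wordlist not embedded
    return None


def clipper_swap(clipboard: str, attacker: dict[str, str]) -> str:
    """Model of the malware's action: same-kind substitution, so the pasted
    value still looks valid to the wallet and to a glance from the user."""
    kind = classify(clipboard)
    return attacker.get(kind, clipboard) if kind else clipboard


class PasteGuard:
    """Defender side: remember what was copied, check what is about to be pasted."""

    def __init__(self) -> None:
        self.copied = ""

    def on_copy(self, text: str) -> Optional[str]:
        self.copied = text
        if classify(text) == "seed-phrase":
            return "seed phrase placed on clipboard; this is exactly what clippers harvest"
        return None

    def on_paste(self, text: str) -> Optional[str]:
        kind = classify(text)
        if kind and kind != "seed-phrase" and text != self.copied:
            return f"{kind} address changed between copy and paste: {self.copied} -> {text}"
        return None


if __name__ == "__main__":
    genesis = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public genesis-block address
    # Constructed attacker address: version 0x00 + 20 bytes derived from a fixed string
    attacker = {"btc-legacy": base58check_encode(
        b"\x00" + hashlib.sha256(b"constructed").digest()[:20])}
    guard = PasteGuard()
    guard.on_copy(genesis)
    pasted = clipper_swap(genesis, attacker)
    print("pasted value still valid:", classify(pasted), base58check_ok(pasted))
    print("guard:", guard.on_paste(pasted))
```

The point the demo makes is that a checksum or format check on the pasted address proves nothing, because the substitute is a well-formed address of the same chain; only comparing against what was actually copied (or reading the address back from the destination wallet's own display) detects the swap.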
Microsoft’s recommended defenses
Microsoft urged users and administrators to harden systems against removable-media threats. Suggested steps include disabling AutoRun, blocking execution of .lnk files from USB devices and restricting script hosts that can be abused by malware.
The company also advised checking networks and endpoints against published indicators of compromise. For individuals, the safest approach is to avoid using unknown USB drives, verify wallet addresses carefully before sending funds and keep security software fully updated.
Frequently Asked Questions (FAQs)
What is a crypto clipper?
A crypto clipper is malware that monitors copy-and-paste activity and swaps a legitimate cryptocurrency wallet address with one controlled by an attacker.
How does this Windows malware spread?
According to Microsoft, it spreads through infected USB drives that use malicious shortcut files to trick users into launching the worm.
What information does the malware target?
It targets seed phrases, private keys and recipient wallet addresses, which are all highly sensitive pieces of crypto data.
How can users reduce the risk?
Users can reduce exposure by disabling AutoRun, avoiding unknown USB media, checking wallet addresses before sending crypto and keeping endpoint protections enabled.
Photo by cottonbro studio on Pexels