
Microsoft found malware that hijacks crypto wallets and spreads through USB sticks

Jun 24, 2026  Twila Rosenbaum

Microsoft has uncovered a sophisticated piece of malware that targets cryptocurrency holders by intercepting clipboard data and spreading through infected USB drives. Dubbed Trojan:Win32/CryptoBandits, the worm has been active since at least February 2026 and represents a growing threat to both individual investors and institutional crypto custodians. The malware operates as a so-called 'crypto clipper,' a type of Trojan that monitors the Windows clipboard for sensitive information such as seed phrases, private keys, and recipient wallet addresses. When it detects a cryptocurrency transaction, it silently replaces the intended recipient address with one controlled by the attacker, effectively diverting funds into their own wallets.

The discovery highlights the ongoing evolution of crypto-related cybercrime, where attackers increasingly rely on low-tech but highly effective distribution methods like USB drives rather than complex phishing campaigns. Microsoft's security researchers noted that the worm spreads by creating malicious .lnk shortcut files that mimic legitimate documents on clean USB drives. When a user connects an infected drive and clicks on a document, the shortcut instead executes a PowerShell script that downloads and installs the full CryptoBandits payload from a remote server. Once installed, the malware communicates over the Tor network to exfiltrate stolen data and receive commands from its command-and-control infrastructure.

How the Malware Works

The CryptoBandits Trojan is designed to operate stealthily in the background without alerting the user. After initial infection via a USB drive, the worm copies itself to the victim's system and sets up persistence mechanisms such as scheduled tasks or registry modifications. It then hooks into the Windows clipboard monitoring functionality using a technique known as clipboard listening. Every time the user copies text—especially cryptocurrency addresses, private keys, or seed phrase words—the malware logs the data and sends it to the attacker's server over an encrypted Tor connection.

More critically, the malware can perform real-time address replacement. If a user copies a cryptocurrency address to the clipboard (for example, before pasting it into a wallet's send form), the worm checks whether the copied text matches patterns for popular blockchain addresses (Bitcoin, Ethereum, Solana, etc.). If it recognizes an address, it overwrites the clipboard with the attacker's own address. This means that when the user pastes the address into a wallet or exchange interface, they unknowingly send funds to the attacker. The replacement is instantaneous and often goes unnoticed even by experienced users who double-check the address after pasting.

According to Microsoft's analysis, the malware currently supports address replacement for Bitcoin, Ethereum, Litecoin, and several ERC-20 tokens. Future updates could add support for other blockchains, making the threat even more dangerous. The worm also scrapes seed phrase recovery texts from clipboard data, which could allow attackers to gain full control of a user's wallet if they successfully capture all 12 or 24 words.

Propagation Mechanism

What makes CryptoBandits particularly insidious is its propagation method. The worm not only infects systems via USB drives but also actively spreads to other drives by exploiting the Windows AutoRun feature. When a clean USB drive is inserted into an infected computer, the malware automatically copies itself onto the drive. It then replaces every document file on the drive—such as .pdf, .docx, .xlsx—with an identically named .lnk shortcut file. The original files are hidden or moved to a subfolder. When the user later takes the USB drive to another computer and double-clicks any document, they trigger the malicious shortcut rather than opening the actual file. This launches a PowerShell script that downloads the full malware payload and infects the new machine.
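As an added illustration of how a defender can triage a drive for the masquerading shortcuts described above (example code written for this article, not Microsoft's tooling and not derived from a CryptoBandits sample), the following PowerShell script lists .lnk files whose names carry a document extension, reads each shortcut's target through the WScript.Shell COM object without launching it, and checks whether a hidden file with the original name sits alongside. The drive letter parameter, the document-extension list and the script-host pattern are assumptions chosen for the example.

```powershell
# Added example for this article, not Microsoft's tooling: triage a removable
# drive for shortcut files that masquerade as documents. Run it from a system
# you trust; it reads .lnk metadata only and opens nothing on the drive.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriveLetter    # assumption: e.g. 'E:'
)

# Assumed document types the worm is described as impersonating.
$docExtensions = @('.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt')
# Script hosts a document shortcut has no business launching.
$scriptHostPattern = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32'

$shell    = New-Object -ComObject WScript.Shell
$findings = New-Object System.Collections.Generic.List[object]

# -Force includes hidden items, since the displaced originals are hidden.
Get-ChildItem -Path "$DriveLetter\" -Filter '*.lnk' -Recurse -Force -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $_
        # 'report.pdf.lnk' has BaseName 'report.pdf', so the inner extension is '.pdf'.
        $innerExt     = [System.IO.Path]::GetExtension($lnk.BaseName).ToLowerInvariant()
        $looksLikeDoc = $docExtensions -contains $innerExt

        # Read the shortcut target without executing it.
        try {
            $sc     = $shell.CreateShortcut($lnk.FullName)
            $target = ('{0} {1}' -f $sc.TargetPath, $sc.Arguments).Trim()
        } catch {
            $target = '<unreadable>'
        }
        $callsScriptHost = $target -match $scriptHostPattern

        # A hidden sibling named like the shortcut's BaseName is the displaced original.
        $sibling        = Join-Path $lnk.DirectoryName $lnk.BaseName
        $hiddenOriginal = $false
        if (Test-Path -LiteralPath $sibling) {
            $attrs          = (Get-Item -LiteralPath $sibling -Force).Attributes
            $hiddenOriginal = [bool]($attrs -band [System.IO.FileAttributes]::Hidden)
        }

        if ($looksLikeDoc -or $callsScriptHost) {
            $findings.Add([pscustomobject]@{
                Shortcut        = $lnk.FullName
                LooksLikeDoc    = $looksLikeDoc
                MasqueradesAs   = $innerExt
                CallsScriptHost = $callsScriptHost
                HiddenOriginal  = $hiddenOriginal
                Target          = $target
            })
        }
    }

if ($findings.Count -eq 0) {
    Write-Host "No document-style shortcuts found on $DriveLetter"
} else {
    $findings | Format-Table -AutoSize -Wrap
    # A shortcut that both masquerades as a document and launches a script host
    # matches the propagation pattern described above; treat the drive and every
    # host it has been plugged into as suspect.
    $strong = @($findings | Where-Object { $_.LooksLikeDoc -and $_.CallsScriptHost })
    Write-Host ("{0} shortcut(s) both masquerade as documents and launch a script host." -f $strong.Count)
}
```

Run it as `.\Triage-UsbDrive.ps1 -DriveLetter E:` (file name assumed). The script deliberately reports on two independent signals, a document-looking name and a script-host target, because a legitimate shortcut can have either property on its own; only the combination matches the behaviour the article describes.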

This method of spreading is reminiscent of the notorious 'Stuxnet' worm that targeted Iranian nuclear centrifuges in 2010, which also used USB drives to propagate. However, CryptoBandits is far simpler and uses only native Windows components like PowerShell and shortcut files, making it harder for traditional antivirus software to detect without specific signatures. Microsoft has updated its Defender antivirus to detect Trojan:Win32/CryptoBandits, but many users may not have real-time protection enabled or may be using third-party software that has not yet added signatures for this variant.

The malware's reliance on USB drives is a clever choice because many organizations and individuals still routinely exchange data via USB sticks, especially in environments where network access is restricted. IT administrators, journalists, and cryptocurrency traders who move between air-gapped systems are particularly vulnerable. The worm can also be spread through USB drives shared at conferences, workshops, or even sold as promotional items, as attackers could pre-infect drives before distribution.

Historical Context and Prior Threats

Crypto clippers are not new. They have been a fixture of the cryptocurrency threat landscape since at least 2017, when the first variants appeared targeting Bitcoin addresses. Early versions were distributed via phishing emails or malicious downloads disguised as wallet software. However, the combination of clipboard hijacking with USB-driven propagation represents a significant escalation. Previous USB-based malware, such as the 'BadUSB' attacks that reprogram USB controller firmware, required specialized hardware or exploits. CryptoBandits, by contrast, uses only software techniques and takes advantage of default Windows settings like AutoRun, which are still enabled on many systems despite long-standing security recommendations to disable them.

Microsoft's researchers also noted that CryptoBandits appears to be part of a broader campaign targeting cryptocurrency users. The command-and-control servers have been linked to other malicious activities, including credential theft and ransomware deployment. This suggests that the operators behind the malware are sophisticated cybercriminals with multiple revenue streams. The use of the Tor network for exfiltration further complicates takedown efforts, as traffic is anonymized and server locations are hidden.

In addition to direct financial theft, the malware poses a reputational risk to cryptocurrency exchanges and custodians. If a user's wallet is compromised due to clipboard hijacking, they may blame the platform rather than their own device hygiene. This could erode trust in the broader crypto ecosystem, which is already grappling with regulatory scrutiny and market volatility.

Protection Recommendations from Microsoft

Microsoft has issued a series of specific recommendations to mitigate the risk of CryptoBandits infection. First and foremost, users should disable the AutoRun feature for USB drives on all Windows systems. This can be done through the Control Panel under 'AutoPlay settings' or via Group Policy for managed environments. Second, blocking the execution of .lnk files from USB media can prevent the initial infection vector. This can be achieved using Windows Defender Application Control or third-party group policy configurations.

Third, restricting script hosts such as PowerShell and Windows Script Host is recommended, as the malware relies on these to download the payload. For enterprise environments, Microsoft suggests implementing attack surface reduction rules that block Office applications from creating child processes, as well as enabling cloud-delivered protection in Microsoft Defender. Additionally, users should regularly update their operating system and security software to ensure they have the latest signatures.
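The host-level steps above, carried through as an added PowerShell example written for this page (not a Microsoft script). It assumes an elevated session on a single machine with Microsoft Defender as the active antivirus. The registry values are the ones the "Turn off Autoplay" and Windows Script Host policies write, and the ASR rule GUID is the published identifier of the Office child-process rule; blocking .lnk execution from removable media through Windows Defender Application Control requires authoring a policy and is not shown.

```powershell
# Added example for this article, not Microsoft's script: apply the host-level
# mitigations listed above on one Windows machine from an elevated PowerShell.
# Registry values and Defender cmdlets are the standard ones; the ASR GUID is
# the published ID of "Block all Office applications from creating child processes".
#Requires -RunAsAdministrator

# 1. Disable AutoRun for every drive type. 0xFF sets the bit for all drive
#    types, including removable media; NoAutorun additionally stops
#    autorun.inf from being honoured. Managed environments push the same
#    values through Group Policy.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
Set-ItemProperty -Path $explorerPolicy -Name 'NoAutorun'          -Type DWord -Value 1

# 2. Restrict Windows Script Host machine-wide (wscript/cscript refuse to run).
#    PowerShell itself, and the .lnk-from-removable-media block, are best
#    constrained through a WDAC or AppLocker policy, which is outside this example.
$wshSettings = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshSettings -Force | Out-Null
Set-ItemProperty -Path $wshSettings -Name 'Enabled' -Type DWord -Value 0

# 3. Attack surface reduction: block Office applications from creating child processes.
$asrOfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
Add-MpPreference -AttackSurfaceReductionRules_Ids $asrOfficeChildProcesses `
                 -AttackSurfaceReductionRules_Actions Enabled

# 4. Cloud-delivered protection and real-time monitoring in Microsoft Defender.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples
Set-MpPreference -DisableRealtimeMonitoring $false

# 5. Pull the latest signatures.
Update-MpSignature

# 6. Verify what was applied.
Get-ItemProperty -Path $explorerPolicy | Select-Object NoDriveTypeAutoRun, NoAutorun
Get-ItemProperty -Path $wshSettings   | Select-Object Enabled
$pref = Get-MpPreference
[pscustomobject]@{
    AsrRuleIds     = $pref.AttackSurfaceReductionRules_Ids -join ','
    AsrRuleActions = $pref.AttackSurfaceReductionRules_Actions -join ','
    MAPSReporting  = $pref.MAPSReporting
    RealtimeOn     = -not $pref.DisableRealtimeMonitoring
}
```

The Defender cmdlets fail when a third-party antivirus has taken over or when tamper protection blocks local changes, so the verification step at the end matters: check the printed values rather than assuming the calls succeeded. Disabling Windows Script Host breaks legitimate logon scripts in some environments, which is why the article frames that step as a restriction to be evaluated rather than a universal setting.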

For cryptocurrency users specifically, Microsoft recommends using hardware wallets that require physical confirmation of transactions, as these bypass the clipboard entirely. Users should also manually verify every recipient address before sending large amounts, ideally using a different device to read the address. Using a dedicated password manager with clipboard history features can help detect unwanted clipboard modifications. Finally, scanning all USB drives with up-to-date antivirus before accessing any files is a crucial habit, especially if the drives have been used on multiple computers.

The company also published a set of indicators of compromise (IOCs), including file hashes, command-and-control URLs, and network signatures that organizations can use to detect infections in their environments. IT administrators are urged to incorporate these IOCs into their security monitoring tools and to investigate any systems that display suspicious behavior such as unexpected PowerShell executions or outbound connections to known Tor exit nodes.

While CryptoBandits is the latest in a long line of crypto-targeting malware, its use of USB propagation marks a worrying trend. As the cryptocurrency market continues to grow—with Bitcoin recently trading around $62,000 and total market capitalization over $2 trillion—the incentives for cybercriminals to develop new attack vectors remain high. The combination of social engineering (through USB sharing) and technical stealth (clipboard hijacking) makes this threat particularly dangerous for both novice and experienced users.

The security community is already analyzing samples of CryptoBandits to develop detection signatures and mitigation strategies. Researchers at several independent labs have confirmed Microsoft's findings and are urging users to adopt the recommended precautions. Meanwhile, law enforcement agencies are investigating the infrastructure behind the malware, though the use of Tor and cryptocurrency payments makes attribution difficult. In the meantime, the best defense remains user awareness combined with proactive security configurations. The golden rule of USB hygiene—never trust an unknown drive—has never been more critical for anyone holding crypto assets.


Source: Coindesk News

