Key Points
- Security researchers at Microsoft have uncovered a malicious campaign involving “crypto clipper” malware distributed via compromised USB devices starting in February 2026
- The threat, designated as Trojan:Win32/CryptoBandits, continuously scans the Windows clipboard approximately every half-second
- Attackers exfiltrate cryptocurrency wallet recovery phrases and private keys over the Tor network
- The malware performs address substitution attacks, replacing legitimate wallet addresses with attacker-owned alternatives during copy-paste operations
- Security teams should disable AutoRun functionality for external storage devices and prevent .lnk files from executing on removable media
Microsoft security researchers have uncovered a malware campaign that uses USB storage devices to compromise cryptocurrency wallets on Windows systems. The activity has been documented since February 2026.
Security researchers classify the threat as a “crypto clipper”; Microsoft Defender Antivirus detects it under the signature Trojan:Win32/CryptoBandits. Microsoft published its findings in a recent security advisory.
Infection begins when a user connects a compromised USB storage device. The device carries weaponized shortcut files with the “.lnk” extension, and opening one of them launches a self-propagating worm.
Once installed, the worm does two things in parallel: it harvests cryptocurrency wallet data, and it watches for newly connected, uninfected USB devices to infect, continuing the propagation cycle.
Clipboard Monitoring and Data Interception
The malware polls the Windows clipboard roughly every 500 milliseconds. The clipboard holds whatever the user last copied, so anything moved between applications by copy and paste passes through it.
Whenever a user copies sensitive cryptocurrency data, such as a wallet recovery seed or a private key for a Bitcoin or Ethereum wallet, the malware captures it immediately. Stolen material is sent to command-and-control infrastructure over the Tor network.
The malware also takes a sequence of five screenshots at ten-second intervals and forwards them to the attackers for review.
The threat goes beyond credential theft. When a user copies a recipient wallet address while preparing a transaction, the worm silently replaces it with an attacker-controlled address. The victim pastes the swapped address without noticing, and the funds go to the attacker.
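The clipboard mechanics described above can be made concrete. The Python below is an added example, not code from Microsoft's advisory and not the malware itself: it models the substitution step with a toy clipper and pairs it with a simple detector that samples the clipboard periodically and flags a jump from one valid address straight to a different valid address of the same kind within a second, which is what a clipper polling every 500 ms produces and a human almost never does. The address patterns, the one-second window and the sample addresses (a well-known example Bitcoin address, a BIP173 test vector standing in for the attacker's address, and synthetic Ethereum addresses) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: addresses are recognised by shape only (legacy/P2SH and bech32
# Bitcoin, 20-byte hex Ethereum); no base58/bech32 checksum or EIP-55 check.
ADDRESS_PATTERNS = {
    "btc": re.compile(
        r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}"              # P2PKH / P2SH (base58)
        r"|bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{11,71})$"  # bech32 / bech32m
    ),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return 'btc', 'eth', or None for a piece of clipboard text."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class ToyClipper:
    """Models the substitution step the article describes: if the clipboard holds
    a recognised address, swap it for the attacker's address of the same kind.
    A stand-in used to explain the attack, not the real malware."""

    def __init__(self, attacker_addresses: dict):
        self.attacker_addresses = attacker_addresses

    def tamper(self, clipboard_text: str) -> str:
        kind = classify_address(clipboard_text)
        if kind in self.attacker_addresses:
            return self.attacker_addresses[kind]
        return clipboard_text


@dataclass
class Observation:
    t_ms: int      # when the clipboard was sampled
    content: str   # what it held at that moment


def detect_substitutions(observations: Iterable[Observation],
                         window_ms: int = 1000) -> List[Tuple[int, str, str]]:
    """Heuristic detector over periodic clipboard samples. A user rarely copies two
    different addresses of the same kind within a second, but a clipper polling
    every ~500 ms produces exactly that transition. Returns one
    (t_ms, original, replacement) tuple per suspected swap."""
    alerts = []
    prev: Optional[Observation] = None
    for obs in observations:
        if prev is not None and obs.content != prev.content:
            before, after = classify_address(prev.content), classify_address(obs.content)
            if before is not None and before == after and obs.t_ms - prev.t_ms <= window_ms:
                alerts.append((obs.t_ms, prev.content.strip(), obs.content.strip()))
        prev = obs
    return alerts


def demo() -> List[Tuple[int, str, str]]:
    """Constructed scenario: the victim copies a Bitcoin address, the clipper's next
    poll swaps it, then the victim makes unrelated, legitimate copies."""
    victim_btc = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"            # well-known example address
    attacker_btc = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"  # BIP173 test vector, stands in for the attacker's
    clipper = ToyClipper({"btc": attacker_btc})

    samples = [Observation(0, victim_btc)]
    samples.append(Observation(500, clipper.tamper(samples[-1].content)))  # clipper poll fires
    samples += [
        Observation(5_000, "meeting notes"),        # ordinary text
        Observation(6_000, "0x" + "ab" * 20),       # user copies a (synthetic) ETH address
        Observation(20_000, "0x" + "cd" * 20),      # a different one 14 s later: legitimate
    ]
    return detect_substitutions(samples)


if __name__ == "__main__":
    for t, original, replacement in demo():
        print(f"t={t}ms: {original} -> {replacement}  (probable clipper substitution)")
```

The detector only sees transitions, so it cannot tell who wrote the replacement; what it relies on is timing. Widening `window_ms` catches slower clippers at the cost of false positives from users who genuinely copy two addresses in quick succession, which is why the value is a parameter rather than a constant.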
Propagation Methods and Defense Strategies
When an uninfected USB device is connected to a compromised system, the worm infects it immediately. It looks for common document types, including Word documents, Excel spreadsheets and PDF files, and replaces each genuine file with a malicious shortcut of the same name, so that the device will compromise the next system it is plugged into.
Microsoft has outlined several defensive measures. Organizations should disable AutoRun for external storage media and use Group Policy to block execution of .lnk files from USB devices.
Further hardening includes restricting Windows Script Host components such as wscript.exe and cscript.exe. Organizations running Microsoft Defender can use the published hunting queries to surface suspicious behavior, in particular connections to a local Tor proxy on port 9050, Tor's default SOCKS port.
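The file-replacement step above is where a triage script earns its keep: a stick that has passed through an infected machine comes back full of shortcuts named after documents, and Explorer never displays the .lnk extension, so "Q3 budget.xlsx.lnk" is shown as "Q3 budget.xlsx". The Python below is an added example, not Microsoft's tooling: it includes a minimal reader for the shell link format (header, then the optional IDList and LinkInfo blocks are skipped, then the StringData fields are decoded), and uses it to scan a volume for shortcuts that are named like documents or that launch a script host such as wscript.exe. The sample volume is built in a temporary directory with a constructed lure; the document extensions, the script-host list and the lure's target path and arguments are assumptions.

```python
import re
import struct
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# LinkCLSID 00021401-0000-0000-C000-000000000046 as serialised in the ShellLinkHeader (MS-SHLLINK).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1), in the order the StringData fields appear.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))

DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")   # assumption: what the lures imitate
# Assumption: interpreters a document-looking shortcut has no business launching.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh|rundll32|cmd)(\.exe)?\b", re.I)


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Minimal .lnk reader: validates the header, skips the optional IDList and
    LinkInfo blocks, and returns the StringData fields (relative path, arguments, ...)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize counts itself
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
            pos += 2
            raw = data[pos:pos + (count * 2 if unicode else count)]
            fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
            pos += len(raw)
    return fields


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal Unicode .lnk carrying only RelativePath (and Arguments).
    Used here to construct sample files; real shortcuts carry more blocks."""
    flags = HAS_REL_PATH | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(36) + struct.pack("<I", 1) + bytes(12)   # attrs/times/size/icon zeroed, ShowCommand=SW_SHOWNORMAL
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments) if s)
    return header + body


def triage_removable_root(root: str) -> List[Tuple[str, List[str]]]:
    """Scan a mounted volume for shortcuts that look like the article's lures."""
    findings = []
    for path in sorted(Path(root).rglob("*.lnk")):
        reasons = []
        if path.name[:-4].lower().endswith(DOC_EXTENSIONS):
            reasons.append("shortcut named like a document (.lnk extension is hidden by Explorer)")
        try:
            info = parse_lnk(path.read_bytes())
        except (ValueError, struct.error) as exc:
            findings.append((path.name, [f"unparseable .lnk: {exc}"]))
            continue
        command = " ".join(v for k, v in info.items() if k in ("relative_path", "arguments"))
        if SCRIPT_HOSTS.search(command):
            reasons.append(f"launches a script host or interpreter: {command}")
        if reasons:
            findings.append((path.name, reasons))
    return findings


def demo() -> List[Tuple[str, List[str]]]:
    """Constructed volume: one lure shortcut, one benign folder shortcut, one plain file."""
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "Q3 budget.xlsx.lnk").write_bytes(
            build_lnk(r"..\..\Windows\System32\wscript.exe", r"//B //nologo .\_\update.vbs"))
        (Path(root) / "Manuals.lnk").write_bytes(build_lnk(r".\Manuals"))
        (Path(root) / "readme.txt").write_text("nothing to see here")
        return triage_removable_root(root)


if __name__ == "__main__":
    for name, reasons in demo():
        print(name, "->", "; ".join(reasons))
```

Run it against the mount point of a suspect stick (`triage_removable_root("E:\\")`) from a machine with AutoRun disabled; the reader never executes anything, it only decodes the shortcut's own fields. Shortcuts that carry their target inside the LinkInfo block rather than as a relative path will show only their arguments, so an empty `relative_path` next to suspicious arguments is still worth a look.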
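The hunting logic Microsoft describes can be exercised offline. The Python below is an added example, not Microsoft's published query: it runs the same check over a constructed batch of JSON records shaped after the columns of Defender's DeviceNetworkEvents table, keeping connections to a loopback address on port 9050 and dropping processes that are expected to use Tor on that host. The event records, the allowlist of expected Tor clients and the use of those column names for the input are assumptions.

```python
import json
from collections import Counter
from ipaddress import ip_address
from typing import Iterable, List, Set, Tuple

TOR_SOCKS_PORT = 9050  # Tor's default SocksPort, the port the article's hunting query keys on

# Assumption: processes expected to use a local Tor SOCKS proxy on these hosts.
EXPECTED_TOR_CLIENTS: Set[str] = {"tor.exe", "firefox.exe"}

# Constructed records shaped after Defender's DeviceNetworkEvents columns; not real telemetry.
SAMPLE_EVENTS = r"""
{"Timestamp":"2026-02-14T09:01:12Z","DeviceName":"ws-fin-07","InitiatingProcessFileName":"firefox.exe","InitiatingProcessFolderPath":"c:\\program files\\tor browser\\browser","RemoteIP":"127.0.0.1","RemotePort":9050,"ActionType":"ConnectionSuccess"}
{"Timestamp":"2026-02-14T09:02:30Z","DeviceName":"ws-fin-07","InitiatingProcessFileName":"wscript.exe","InitiatingProcessFolderPath":"c:\\windows\\system32","RemoteIP":"127.0.0.1","RemotePort":9050,"ActionType":"ConnectionSuccess"}
{"Timestamp":"2026-02-14T09:02:35Z","DeviceName":"ws-fin-07","InitiatingProcessFileName":"wscript.exe","InitiatingProcessFolderPath":"c:\\windows\\system32","RemoteIP":"::1","RemotePort":9050,"ActionType":"ConnectionSuccess"}
{"Timestamp":"2026-02-14T09:03:01Z","DeviceName":"ws-fin-07","InitiatingProcessFileName":"chrome.exe","InitiatingProcessFolderPath":"c:\\program files\\google\\chrome\\application","RemoteIP":"203.0.113.10","RemotePort":443,"ActionType":"ConnectionSuccess"}
{"Timestamp":"2026-02-14T09:10:44Z","DeviceName":"ws-hr-02","InitiatingProcessFileName":"svchost.exe","InitiatingProcessFolderPath":"c:\\users\\public\\libraries","RemoteIP":"127.0.0.1","RemotePort":9050,"ActionType":"ConnectionSuccess"}
{"Timestamp":"2026-02-14T09:12:09Z","DeviceName":"ws-dev-03","InitiatingProcessFileName":"curl.exe","InitiatingProcessFolderPath":"c:\\windows\\system32","RemoteIP":"10.0.0.5","RemotePort":9050,"ActionType":"ConnectionSuccess"}
"""


def parse_events(text: str) -> List[dict]:
    """One JSON object per line, as an Advanced Hunting export would give you."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything else, including junk."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def hunt_local_tor_clients(events: Iterable[dict], port: int = TOR_SOCKS_PORT,
                           expected: Set[str] = EXPECTED_TOR_CLIENTS) -> List[Tuple[str, str, str, int]]:
    """Processes that connected to a loopback address on the Tor SOCKS port and are
    not expected Tor clients, as sorted (device, process, folder, connections)."""
    hits: Counter = Counter()
    for ev in events:
        if int(ev["RemotePort"]) != port or not is_loopback(ev["RemoteIP"]):
            continue
        proc = ev["InitiatingProcessFileName"].lower()
        if proc in expected:
            continue
        hits[(ev["DeviceName"], proc, ev["InitiatingProcessFolderPath"].lower())] += 1
    return sorted((dev, proc, folder, n) for (dev, proc, folder), n in hits.items())


def demo() -> List[Tuple[str, str, str, int]]:
    return hunt_local_tor_clients(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for device, proc, folder, n in demo():
        print(f"{device}: {proc} in {folder} reached the local Tor SOCKS port {n} time(s)")
```

Two details carry over directly to a real query: the loopback test has to cover `::1` as well as `127.0.0.1`, and the allowlist is the part a team must tune, because a Tor Browser installed on a workstation would otherwise match on every page load. The `curl.exe` record to a LAN address on 9050 is deliberately not flagged here; it is not what the article's query looks for, though a SOCKS proxy elsewhere on the network is its own question.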
Microsoft has published indicators of compromise, including file hashes and the .onion addresses of attacker infrastructure, so that security operations teams can check their own networks.
Cryptocurrency platform Binance has amplified Microsoft’s security bulletin, distributing the alert to its user community. Cybersecurity organization NS3.AI has independently verified active infections dating back to February 2026.