Microsoft Warns CryptoBandits Malware Hijacks USB Drives for Crypto

Microsoft's threat team linked the campaign to a hacking group it tracks as CryptoBandits, which uses poisoned USB sticks to seed malware that rewrites browser extensions for wallet theft.

Microsoft's threat intelligence team warned that a hacking group tracked as CryptoBandits is using USB drives as the initial infection vector in a campaign aimed at draining crypto wallets. The malware rewrites browser extensions the victim relies on, turning trusted wallet tools into siphon points for funds.

Why it matters

Personal wallet hacks totalled $713 million in 2025, and the share routed through browser extensions keeps climbing. The campaign is a reminder that the weak layer is rarely the user's seed phrase, and more often the browser surface that sits between the user and on-chain funds. USB-borne infection is an old technique; pairing it with browser-extension tampering is what makes this one worth watching.

Market impact

For self-custody users, the read is operational: hardware wallets already sign transactions offline, but extensions and hot wallets still rely on browser trust. Watch for Microsoft Defender and other endpoint tools to flag the specific extension-tampering behaviour, and for wallet vendors to publish guidance on extension pinning and revocation checks.

Frequently asked questions

  1. What is CryptoBandits malware?

    CryptoBandits is a hacking group Microsoft tracks that uses USB-borne malware to infect PCs, then tampers with browser extensions tied to crypto wallets to steal funds.

  2. How does CryptoBandits steal from crypto wallets?

    The malware rewrites browser extensions the victim relies on, turning trusted wallet tools into siphon points when the user signs a transaction.

  3. Why is the browser extension layer a weak point for crypto?

    Browser extensions run inside a browser process that malware on the same machine can modify, so any code that tampers with the extension can rewrite transaction details before signing.

  4. How much was stolen from personal crypto wallets in 2025?

    Microsoft-cited data puts personal wallet hacks at $713 million in 2025, with browser-extension attacks a growing share of that total.

  5. How can crypto users protect against CryptoBandits?

    Avoid unknown USB drives, audit installed browser extensions, and prefer hardware wallets that sign transactions offline rather than relying on browser-based hot wallets.
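One way to carry out the "audit installed browser extensions" step is a file-integrity baseline. This is an added example, not code from Microsoft or the original article. It assumes the `<extension id>/<version>/<files>` folder layout that Chromium-based browsers use in a profile's Extensions folder, and that a normal update lands in a new version folder. The extension ids and file contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(ext_root):
    """Map '<ext id>/<version>/<file path>' -> SHA-256 for every file under ext_root."""
    root = Path(ext_root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def version_dir(key):
    """First two path components: extension id and version folder."""
    return "/".join(key.split("/")[:2])


def in_place_changes(baseline, current):
    """Files added, removed or modified inside a version folder that was already baselined.
    Assumption: a normal update lands in a new version folder, so these deserve review."""
    shared = {version_dir(k) for k in baseline} & {version_dir(k) for k in current}
    return sorted(k for k in set(baseline) | set(current)
                  if version_dir(k) in shared and baseline.get(k) != current.get(k))


def new_version_dirs(baseline, current):
    """Version folders that appeared since the baseline (new installs or updates)."""
    return sorted({version_dir(k) for k in current} - {version_dir(k) for k in baseline})


def demo():
    """Constructed sample tree: take a baseline, change the tree, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        v1 = Path(tmp) / "aaaaexamplewalletid" / "1.0.0_0"
        v1.mkdir(parents=True)
        (v1 / "manifest.json").write_text('{"name": "Example Wallet", "version": "1.0.0"}')
        (v1 / "background.js").write_text("// constructed original script\n")
        baseline = snapshot(tmp)
        (v1 / "background.js").write_text("// constructed changed script\n")  # edited in place
        (v1 / "extra.js").write_text("// constructed file not in the baseline\n")
        v2 = Path(tmp) / "bbbbexampleotherid" / "2.0.0_0"  # looks like a fresh install
        v2.mkdir(parents=True)
        (v2 / "manifest.json").write_text("{}")
        return in_place_changes(baseline, snapshot(tmp)), new_version_dirs(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(demo())
```

Keep the baseline somewhere the logged-in user account cannot write to; otherwise anything that can edit the extension files can edit the baseline too.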

Source attribution
Aggregated from CryptoSlate