Microsoft flags Tor-based crypto clipper hitting Windows users

The threat spreads offline via USB and .lnk shortcuts, then runs bundled Tor to reach a hidden-service C2 — clipboard swap plus seed-phrase theft is the actual loss vector, not just an address swap.

Microsoft Threat Intelligence and Microsoft Defender Experts said they identified a Windows-based crypto clipper that has been hitting users since February 2026. The malware spreads through malicious .lnk shortcuts and USB drives, launches a bundled Tor proxy via Windows Script Host and ActiveX, and connects to hidden-service command-and-control servers.

Why it matters

The operator toolkit goes well beyond the classic address-swapper trick. Microsoft said the malware can steal clipboard data, exfiltrate seed phrases and private keys, capture screenshots, and rewrite destination wallet addresses in the clipboard — meaning a single infected machine can drain hot wallets, software wallets, and any workflow that pastes an address before sending. Microsoft Defender Antivirus detects the family as Trojan:Win32/CryptoBandits.A.

Market impact

The offline vector — USB and shortcut files rather than phishing landing pages — is the part the security community will study closest, since it sidesteps the email and browser protections most retail users rely on. For investors, the practical read is unchanged: keep meaningful balances off internet-connected machines, verify addresses character-by-character on a hardware wallet screen, and treat any Windows host that touches seed phrases as cold-storage-compromised by default.

Stay safe

Microsoft Defender detects and quarantines this family automatically, but offline-spreading clipper malware tends to linger on under-patched machines. Run a full Defender scan, audit any USB drives that have touched unknown hosts, and assume any machine used to generate or paste a seed phrase is no longer safe for that purpose.
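The clipboard rewrite described under "Why it matters" and the verify-before-sending advice above, as an added detection heuristic (not Microsoft's detection logic and not code from the report): it replays a constructed stream of clipboard events and flags the clipper signature, a wallet address the user copied that silently turns into a different address of the same family. The event format, the address-shape patterns and the sample values are assumptions.

```python
import re

# Loose address-shape patterns for two common chains (illustrative heuristics,
# not checksum validation).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return which address family a string looks like, or None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None


def detect_swaps(events):
    """Scan (ts, source, content) events, source being "user_copy" (a copy keystroke
    was observed) or "poll" (the monitor re-read the clipboard). Flag a poll where
    an address the user copied now reads as a different address of the same family
    with no copy in between: the clipper signature."""
    alerts = []
    last_copy = None
    for ts, source, content in events:
        if source == "user_copy":
            last_copy = (ts, content)
            continue
        if last_copy is None:
            continue
        kind = address_kind(last_copy[1])
        if kind and content != last_copy[1] and address_kind(content) == kind:
            alerts.append({"ts": ts, "kind": kind,
                           "expected": last_copy[1], "observed": content})
            last_copy = None  # report once per user copy; the swap persists otherwise
    return alerts


# Constructed sample stream: an ETH address is copied, rewritten 400 ms later,
# then ordinary text passes through untouched.
USER_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
SAMPLE_EVENTS = [
    (0.0, "user_copy", USER_ETH),
    (0.2, "poll", USER_ETH),       # unchanged: fine
    (0.4, "poll", SWAPPED_ETH),    # silently rewritten: alert
    (3.0, "user_copy", "meeting notes"),
    (3.2, "poll", "meeting notes"),
]


def run_sample():
    return detect_swaps(SAMPLE_EVENTS)
```

A real monitor would feed `detect_swaps` from a clipboard-change hook correlated with copy keystrokes; the same-family check keeps ordinary text edits from raising alerts.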

Frequently asked questions

  1. What is Trojan:Win32/CryptoBandits.A?

    It is the Microsoft Defender detection name for a Windows-based crypto clipper family active since February 2026. It spreads via malicious .lnk shortcuts and USB drives, runs a bundled Tor proxy, and connects to hidden-service C2 servers.

  2. How does this clipper malware actually steal crypto?

    It can exfiltrate clipboard data, seed phrases, and private keys, capture screenshots, and rewrite destination wallet addresses in the clipboard so a single infected host can drain hot wallets end to end.

  3. Why is the USB and .lnk shortcut spread vector significant?

    It sidesteps the email and browser protections most retail users rely on. The malware reaches a host offline, so standard phishing defenses do not catch the initial infection.

  4. Does Microsoft Defender protect against this clipper?

    Yes. Microsoft Defender Antivirus detects the family as Trojan:Win32/CryptoBandits.A and quarantines it automatically. A full Defender scan will catch infections on a host.

  5. What should crypto holders do if a Windows machine is infected?

    Audit any USB drives that touched the host, run a full Defender scan, and treat any machine used to generate or paste a seed phrase as cold-storage-compromised. Move funds to a fresh wallet whose seed has never lived on the affected machine and rotate addresses.

Source attribution
Aggregated from WuBlockchain