
Microsoft flags USB worm swapping BTC, ETH wallet addresses

CryptoBandits shows a quiet escalation: clipboard hijacking plus live address-swapping during a copy-paste transfer turns a single USB plug-in into a full wallet drain, with Tor-based exfiltration to…

Microsoft has disclosed a piece of malware it calls a "crypto clipper" that has been spreading through infected USB drives since February, targeting crypto wallets on Windows machines. Detected by Microsoft Defender as Trojan:Win32/CryptoBandits, the worm installs via a malicious .lnk shortcut, runs in the background, and waits for a fresh USB drive to be inserted so it can repeat the cycle.

Once inside a machine, the wallet-stealing component polls the Windows clipboard roughly every 500 milliseconds, watching for seed phrases and private keys tied to Bitcoin and Ethereum wallets. When it sees a recipient address being copied for a transfer, the malware silently replaces it with an address the attacker controls, so a routine copy-paste routes the funds to the attacker's wallet without any visible cue. The captured clipboard data, together with five screenshots taken ten seconds apart, is exfiltrated over the Tor network, which hides the operator's location.

The propagation mechanism is what gives the campaign durability. When a clean USB drive is inserted into an already-infected PC, the worm scans it for ordinary documents (Word files, Excel sheets and PDFs) and replaces each one with an identically named shortcut that re-runs the infection chain. The original documents are hidden, and because Windows Explorer never displays the .lnk extension, the shortcut looks like the document it replaced. The cycle repeats whenever that drive lands in another machine.
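A check a responder can run against a suspect drive, added here as an example and not code from Microsoft's report or the CoinDesk article: it walks a mounted drive and reports every .lnk file that shares its name with a document in the same folder, which is the footprint the propagation step described above leaves behind. Both naming styles are covered, Budget.lnk beside Budget.xlsx and Report.pdf.lnk beside Report.pdf, since the page does not say which form the worm uses. The document extension list, the sample drive layout and its file contents are constructed for the illustration; the hidden-attribute check only has data to work with on Windows.

```python
import os
import stat
import tempfile
from pathlib import Path

# Document types the worm is reported to replace; the exact extension list is an
# assumption for this example.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}


def is_hidden(path):
    """True if the file carries the Windows hidden attribute. st_file_attributes is
    only populated on Windows, so this is always False on other platforms."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_lnk_decoys(root):
    """Walk a drive and report every .lnk that shares its name with a document in
    the same folder. Both naming styles are checked: 'Budget.lnk' next to
    'Budget.xlsx', and 'Report.pdf.lnk' next to 'Report.pdf' (Explorer never shows
    the .lnk suffix, so the second looks exactly like the document it shadows).
    Returns sorted (shortcut, shadowed_document, document_is_hidden) tuples with
    paths relative to root."""
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        folder = Path(dirpath)
        docs_by_key = {}
        for name in filenames:
            p = folder / name
            if p.suffix.lower() in DOC_EXTENSIONS:
                # index the document under both 'report.pdf' and 'report'
                for key in {name.lower(), p.stem.lower()}:
                    docs_by_key.setdefault(key, []).append(p)
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            lnk = folder / name
            for doc in docs_by_key.get(name[:-4].lower(), []):
                hits.append((lnk.relative_to(root).as_posix(),
                             doc.relative_to(root).as_posix(),
                             is_hidden(doc)))
    return sorted(hits)


def build_sample_drive():
    """Constructed stand-in for an infected USB stick (not a real capture). Two
    documents have been shadowed by decoy shortcuts, one is untouched, and a text
    file with a shortcut next to it is there as a false-positive control."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    docs = root / "docs"
    tools = root / "tools"
    docs.mkdir()
    tools.mkdir()
    (docs / "Q1-Report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (docs / "Q1-Report.pdf.lnk").write_bytes(b"L\x00\x00\x00 constructed decoy shortcut\n")
    (docs / "Budget.xlsx").write_bytes(b"constructed sample workbook\n")
    (docs / "Budget.lnk").write_bytes(b"L\x00\x00\x00 constructed decoy shortcut\n")
    (docs / "Notes.docx").write_bytes(b"constructed sample document\n")
    (tools / "Readme.txt").write_bytes(b"constructed text file\n")
    (tools / "Readme.lnk").write_bytes(b"L\x00\x00\x00 constructed ordinary shortcut\n")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    for shortcut, document, hidden in find_lnk_decoys(drive):
        print(f"{shortcut} shadows {document} (hidden={hidden})")
```

Run it against the mount point of the drive (`find_lnk_decoys("E:/")` on Windows) rather than the sample tree; a shortcut sitting next to a same-named document is not proof of infection on its own, but on a drive that should hold only documents it is the first thing to pull for .lnk target analysis.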

Why it matters

CryptoBandits is a hybrid threat: it is a stealer, a clipboard hijacker, and a self-propagating worm in a single package. Most wallet-stealing malware arrives through phishing pages or malicious browser extensions, where a vigilant user can often catch the trap. A USB-borne worm bypasses that front door entirely and turns physical media into the delivery vehicle, which is what Microsoft flagged as the unusual behaviour.

The live address-swap is the more dangerous half of the design. Traditional clipboard stealers log seed phrases and private keys and leave it to the operator to drain the wallet afterwards. CryptoBandits rewrites the destination in real time, so a user who double-checks the address after pasting is reading the attacker's string, not the one they originally copied. The only check that catches the swap is comparing the pasted address, character by character, against the address in the place it was copied from (the invoice, the exchange page, the recipient's message), or confirming the destination on a hardware wallet's own screen.
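The swap described in the two passages above, and the check that catches it, as an added example that is not part of Microsoft's report or the CoinDesk article: a Python model of a clipper that recognises Bitcoin and Ethereum addresses in clipboard text and rewrites them, followed by the comparison a user or wallet front-end should make against the source the address was copied from. The address regexes, the attacker addresses and the invoice text are constructed for this illustration; Microsoft has not published the malware's matching logic, and none of the addresses below are real.

```python
import re

# Address patterns: legacy base58 (1.../3...), bech32 (bc1...), and 0x-prefixed
# Ethereum. Illustrative regexes for the example, not checksum-validating parsers.
ADDRESS_RE = re.compile(
    r"(?P<btc>\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b|\bbc1[02-9ac-hj-np-z]{39,59}\b)"
    r"|(?P<eth>\b0x[0-9a-fA-F]{40}\b)"
)


def find_addresses(text):
    """Return [(kind, address), ...] for every wallet address found in text."""
    return [("btc" if m.group("btc") else "eth", m.group(0))
            for m in ADDRESS_RE.finditer(text)]


def clipper_rewrite(clipboard_text, attacker_addresses):
    """Model of the clipper's swap: every recognised address in the clipboard is
    replaced with the attacker's address of the same kind. Anything else is left
    untouched, which is why unrelated pastes never look odd to the user."""
    def swap(m):
        kind = "btc" if m.group("btc") else "eth"
        return attacker_addresses.get(kind, m.group(0))
    return ADDRESS_RE.sub(swap, clipboard_text)


def paste_matches_source(source_text, pasted_text):
    """The check that actually catches a clipper: compare the address that lands in
    the send form against the address in the document it was copied from
    (invoice, chat message, exchange page). Re-reading the pasted field on its own
    proves nothing, because that field already holds the attacker's string."""
    src = [a for _, a in find_addresses(source_text)]
    dst = [a for _, a in find_addresses(pasted_text)]
    return src == dst


def simulate_transfer(source_text, attacker_addresses):
    """Walk through copy -> clipper -> paste and report which checks notice."""
    clipboard = clipper_rewrite(source_text, attacker_addresses)  # clipper rewrites the copy
    pasted = clipboard                                            # send form gets the clipboard as it is now
    return {
        "pasted": pasted,
        "swapped": clipboard != source_text,
        # Re-reading the form field against the clipboard: both hold the attacker's
        # string, so this "check" passes and the user is falsely reassured.
        "reread_matches_clipboard": pasted == clipboard,
        # Comparing the form field against the source document: this one fires.
        "caught_by_source_check": not paste_matches_source(source_text, pasted),
    }


# Constructed sample data: none of these are real addresses.
ATTACKER = {
    "btc": "3AttackerAddrConstructedForDemo456",
    "eth": "0xDeadBeefDeadBeefDeadBeefDeadBeefDeadBeef",
}
INVOICE_BTC = "Pay 0.05 BTC to 1RecipientAddrConstructedForDemo123 by Friday"
INVOICE_ETH = "Send to 0xAbCdEf0123456789AbCdEf0123456789AbCdEf01"

if __name__ == "__main__":
    for invoice in (INVOICE_BTC, INVOICE_ETH):
        print(simulate_transfer(invoice, ATTACKER))
```

The design point is in `paste_matches_source`: the comparison must use a copy of the intended address that never passed through the clipboard. A wallet front-end can get that by letting the user enter the first and last characters by hand, or by showing the destination on a hardware wallet's own display.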

Frequently asked questions

  1. What is Trojan:Win32/CryptoBandits and what does it do?

    It is a Microsoft-named crypto-clipping worm that spreads through infected USB drives, monitors the Windows clipboard for wallet seed phrases and private keys, and silently swaps recipient addresses during crypto transfers.

  2. How does the malware steal crypto from a wallet?

    Once installed, it polls the clipboard roughly every 500 milliseconds for seed phrases and private keys tied to Bitcoin and Ethereum wallets, exfiltrates the data over Tor, and rewrites a copied recipient address with one controlled by the attacker before the user pastes.

  3. How does the worm spread from one machine to another?

    It propagates via USB drives: when a clean drive is inserted into an infected PC, the worm replaces ordinary documents — Word, Excel, PDFs — with identically named .lnk shortcuts that re-run the infection chain. The originals are hidden, and the cycle repeats whenever that drive reaches another machine.

  4. Since when has CryptoBandits been active?

    Microsoft said the malware has been spreading via infected USB drives to target Windows users' crypto wallets since February.

  5. How can users and security teams defend against CryptoBandits?

    Microsoft recommends disabling AutoRun for removable media, blocking .lnk file execution on USB drives via Group Policy, restricting script hosts such as wscript.exe and cscript.exe, watching Defender telemetry for local connections to a Tor proxy on port 9050, and auditing networks against Microsoft's published…
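The telemetry pointer in the last answer, turned into a runnable check as an added example (this is not Microsoft's own detection or a published hunting query): it scans network-connection rows for outbound connections to a Tor SOCKS port on the loopback interface, drops processes that are expected to use a local Tor proxy, and counts what is left per device and process. Column names follow Defender's DeviceNetworkEvents table; the rows, hostnames, addresses and the process name clipboardhelper.exe are constructed for the illustration, and the allowlist is an assumption to tune per environment. Only loopback destinations are counted because that is the pattern Microsoft describes; widen `is_loopback` if shared Tor proxies exist on the network.

```python
from collections import defaultdict
from ipaddress import ip_address

TOR_SOCKS_PORT = 9050

# Processes expected to talk to a local Tor SOCKS port. An assumption for this
# example; Tor Browser's bundled firefox.exe is the usual legitimate client.
EXPECTED_TOR_CLIENTS = {"firefox.exe"}


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; malformed or empty strings count as not loopback."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_local_tor_clients(events, allowlist=EXPECTED_TOR_CLIENTS):
    """Count, per (device, process), connections to a Tor SOCKS port on loopback.
    Listening-socket events are skipped (the Tor daemon itself opens the port) and
    allow-listed clients are dropped, so what remains is an unexpected process
    using a local Tor proxy, which is the pattern the FAQ above points at."""
    hits = defaultdict(int)
    for ev in events:
        if ev.get("ActionType") == "ListeningConnectionCreated":
            continue
        if ev.get("RemotePort") != TOR_SOCKS_PORT:
            continue
        if not is_loopback(ev.get("RemoteIP", "")):
            continue
        proc = ev.get("InitiatingProcessFileName", "").lower()
        if proc in allowlist:
            continue
        hits[(ev.get("DeviceName"), proc)] += 1
    return dict(hits)


# Constructed sample rows using DeviceNetworkEvents column names. Hostnames, IPs
# and the process name "clipboardhelper.exe" are made up for this example.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1",
     "RemotePort": 9050, "InitiatingProcessFileName": "firefox.exe"},
    {"DeviceName": "ws02", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1",
     "RemotePort": 9050, "InitiatingProcessFileName": "clipboardhelper.exe"},
    {"DeviceName": "ws02", "ActionType": "ConnectionSuccess", "RemoteIP": "::1",
     "RemotePort": 9050, "InitiatingProcessFileName": "clipboardhelper.exe"},
    {"DeviceName": "ws02", "ActionType": "ConnectionSuccess", "RemoteIP": "127.0.0.1",
     "RemotePort": 9050, "InitiatingProcessFileName": "ClipboardHelper.exe"},
    {"DeviceName": "ws02", "ActionType": "ListeningConnectionCreated", "RemoteIP": "",
     "RemotePort": None, "LocalPort": 9050, "InitiatingProcessFileName": "tor.exe"},
    {"DeviceName": "ws03", "ActionType": "ConnectionSuccess", "RemoteIP": "203.0.113.10",
     "RemotePort": 443, "InitiatingProcessFileName": "chrome.exe"},
    {"DeviceName": "ws03", "ActionType": "ConnectionSuccess", "RemoteIP": "10.0.0.5",
     "RemotePort": 9050, "InitiatingProcessFileName": "proxyclient.exe"},
]

if __name__ == "__main__":
    for (device, process), count in find_local_tor_clients(SAMPLE_EVENTS).items():
        print(f"{device}: {process} made {count} connection(s) to a local Tor SOCKS port")
```

In production the rows come from an Advanced Hunting export or a SIEM query rather than a literal list; the function only cares that each row carries the column names used above.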

Source attribution
Aggregated from CoinDesk