Microsoft has flagged a new malware strain dubbed CryptoBandits.A that targets cryptocurrency wallets by spreading through USB drives and monitoring clipboard activity for seed phrases and private keys. The malware, active since February 2026, uses malicious Windows shortcut (.lnk) files on removable storage to gain initial access, then exfiltrates stolen secrets via Tor. The combination of USB propagation, clipboard theft, and Tor-routed command-and-control marks a notable escalation in wallet-targeting threats.
How the malware spreads and steals
CryptoBandits spreads when a user plugs in an infected USB drive. The malware scans the drive for document files (.doc, .xlsx, .pdf), hides the originals, and creates new shortcut files with the same names. When a victim clicks the shortcut, it drops obfuscated JavaScript payloads under C:\Users\Public\Documents and sets up scheduled tasks for persistence. One task handles spreading to newly inserted USB drives; another runs the stealer activity. Once active, the malware monitors the clipboard every 500 milliseconds for BIP39 seed phrases, Bitcoin WIF keys, Ethereum keys, and cryptocurrency addresses. It then swaps the copied address with one controlled by the attacker, sometimes matching the first few characters to evade casual checks. Stolen keys or phrases are saved locally and then sent back to the command-and-control server through the Tor network.
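The shortcut-masquerade pattern described above (original document hidden, a same-named .lnk placed beside it) can be checked for during triage of a suspect drive. The following is an added example written for this article, not code from Microsoft's report; it assumes the file layout the report describes and that hidden files carry the Windows hidden attribute (or a leading dot when inspected from a non-Windows host).

```python
import os
import stat
from pathlib import Path

# Document extensions the reported campaign targets on removable drives.
DOCUMENT_EXTS = {".doc", ".xlsx", ".pdf"}
HIDDEN_ATTR = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)


def find_masquerading_shortcuts(entries):
    """Flag .lnk files that shadow a hidden document in the same directory.

    entries: iterable of (filename, is_hidden) for one directory listing.
    Returns [(shortcut_name, hidden_original_name), ...]. Both naming
    styles are matched: "Invoice.lnk" and "Invoice.pdf.lnk" beside a
    hidden "Invoice.pdf".
    """
    hidden_docs = {}
    shortcuts = []
    for name, is_hidden in entries:
        path = Path(name)
        if path.suffix.lower() == ".lnk":
            shortcuts.append(name)
        elif is_hidden and path.suffix.lower() in DOCUMENT_EXTS:
            hidden_docs[name.lower()] = name        # "invoice.pdf"
            hidden_docs[path.stem.lower()] = name   # "invoice"
    findings = []
    for lnk in shortcuts:
        original = hidden_docs.get(lnk[:-4].lower())  # strip ".lnk"
        if original:
            findings.append((lnk, original))
    return findings


def _is_hidden(entry):
    # Windows exposes the attribute bit; elsewhere fall back to a dot-prefix.
    attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
    return bool(attrs & HIDDEN_ATTR) or entry.name.startswith(".")


def scan_drive(root):
    """Walk a mounted drive and return {directory: findings} for hits only."""
    report = {}
    for dirpath, _dirs, _files in os.walk(root):
        with os.scandir(dirpath) as it:
            entries = [(e.name, _is_hidden(e)) for e in it if e.is_file()]
        hits = find_masquerading_shortcuts(entries)
        if hits:
            report[dirpath] = hits
    return report
```

A non-empty result from scan_drive is a strong indicator that the drive has been processed by this kind of worm; the hidden originals can be recovered once the shortcuts are removed.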
What makes this one different
Clipboard-swapping malware isn't new, and neither is USB-based propagation. But Microsoft says the novelty here is the full package: combining USB worm behavior, clipboard theft, and Tor-routed C2 into a single campaign, along with operational guidance for detection. The malware's ability to modify shortcut files to look like legitimate documents makes it particularly sneaky for anyone who still plugs in random drives. The Tor component also makes it harder to trace the attacker's infrastructure.
What Microsoft recommends
The company's advice is straightforward but cuts against how many people handle crypto. Hardware wallets are the first line of defense — they keep private keys offline and out of reach of clipboard snooping. For software wallets, Microsoft urges users to always double-check the full address before sending, not just the first or last few characters. Seed phrases should never be stored digitally, let alone on a machine that might get infected. And for organizations, a strict removable media policy becomes part of custody operations: no USB drives from unknown sources, and treat any drive that's been plugged into an untrusted machine as potentially compromised.
Microsoft's report doesn't name any specific victims or estimate total losses. But the malware has been active for four months, and the technique is practical enough that anyone who stores wallet keys on a computer connected to USB devices should pay attention. The next step is likely for antivirus vendors to update their signatures and for wallet software to add address-confirmation prompts that catch clipboard swaps. For now, the simplest fix is to stop treating USB drives as safe.