Microsoft researchers have uncovered a new malware strain that spreads through USB drives and hijacks cryptocurrency transactions by tampering with the Windows clipboard. The worm installs itself via infected shortcut files, then monitors clipboard activity for wallet addresses and private keys. When it detects a transfer, it replaces the recipient's address with the attacker's.
USB stick worm targets crypto users
The malware spreads through physical USB drives, making it a low-tech vector for a high-tech theft. Once a user plugs in an infected stick, the worm hijacks shortcut (.lnk) files to drop its payload onto the system. That payload then runs silently in the background. Microsoft's security team flagged the strain this week, though they haven't named it publicly yet.
Clipboard snatching and address swaps
The worm has a two-pronged approach. First, it harvests private keys from the Windows clipboard — a direct grab at the most sensitive crypto asset. Second, it watches for outgoing transactions. When the user copies a destination wallet address, the malware swaps it for one controlled by the attacker. The result: funds sent to the wrong wallet, and the victim may not notice until it's too late.
No patch yet — what users can do
Microsoft hasn't released a security update targeting this specific worm. That leaves users reliant on good habits. Avoid plugging in unknown USB drives — especially ones found in parking lots or handed out at conferences. Double-check every wallet address before hitting send, and consider using hardware wallets that don't rely on clipboard copy-paste. The discovery is a reminder that even in 2026, the oldest attack methods — USB sticks — can still deliver the newest forms of crypto theft.
