South Minneapolis News


Microsoft found malware that hijacks crypto wallets and spreads through USB sticks

Jun 23, 2026  Twila Rosenbaum  3 views

Microsoft Reveals New Crypto Clipper Worm Spreading via USB

Microsoft security researchers have identified a new strain of malware that uses USB drives to propagate and target cryptocurrency wallets. Dubbed Trojan:Win32/CryptoBandits, the malware operates as a 'crypto clipper' — intercepting clipboard data to replace wallet addresses and hijack transactions. The worm has been active since February 2026 and has been observed spreading through infected removable media, posing a significant risk to Windows users who handle cryptocurrency.

How CryptoBandits Works

The malware initially infects a system through a malicious .lnk shortcut file. Once executed, it installs a worm component that runs in the background. The core functionality revolves around monitoring the Windows clipboard for sensitive cryptocurrency-related data, including seed phrases, private keys, and recipient wallet addresses. When a user copies such information — for example, when initiating a crypto transfer — the malware silently replaces the intended address with an attacker-controlled wallet address. This alteration happens before the user pastes the data, making it extremely difficult to detect.

According to Microsoft’s analysis, the exfiltration of stolen data occurs over the Tor network, providing anonymity to the attackers. The malware also harvests private keys and other credentials from the clipboard, which can be used to drain victims’ wallets if the funds are not promptly moved. The combination of clipboard interception and Tor-based communication makes CryptoBandits a particularly stealthy and dangerous threat for crypto holders.
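Because any process in the user's session can read and rewrite the clipboard, the practical defensive check is on the user's side: notice when an address-shaped string appears on the clipboard that is not one you have pre-approved. The following PowerShell script is an added example written for this article, not a tool from Microsoft's report; it assumes Windows PowerShell 5.1 or later (for `Get-Clipboard`) and a constructed allowlist that you would replace with your own addresses.

```powershell
# Added example: clipboard allowlist guard. Not part of Microsoft's analysis.
# Assumes Windows PowerShell 5.1+ (Get-Clipboard) in an interactive session.

# Constructed allowlist: replace with the addresses you actually send to.
$ApprovedAddresses = @(
    '1BoatSLRHtKNngkdXEeobR76b53LETtpyT',           # sample legacy Bitcoin address
    '0x0000000000000000000000000000000000000000'    # placeholder EVM address
)

# Rough shape patterns for common address formats; tighten for your own coins.
$AddressPatterns = @(
    '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$',   # Bitcoin legacy (base58)
    '^bc1[a-z0-9]{11,87}$',                # Bitcoin bech32 / bech32m
    '^0x[0-9a-fA-F]{40}$'                  # Ethereum and other EVM chains
)

function Test-LooksLikeAddress {
    param([string]$Text)
    foreach ($p in $AddressPatterns) { if ($Text -match $p) { return $true } }
    return $false
}

function Watch-Clipboard {
    param([int]$IntervalMs = 500)
    $last = $null
    Write-Host 'Clipboard guard running; press Ctrl+C to stop.'
    while ($true) {
        $current = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        if ($null -ne $current) { $current = $current.Trim() }
        # Only react when the clipboard content actually changed.
        if ($current -and $current -ne $last) {
            if (Test-LooksLikeAddress $current) {
                if ($ApprovedAddresses -contains $current) {
                    Write-Host '[ok] approved address on clipboard'
                } else {
                    Write-Warning "Unapproved address on clipboard: $current"
                    Write-Warning 'Compare it character by character with the intended recipient before pasting.'
                }
            }
            $last = $current
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
}

Watch-Clipboard
```

Polling at half-second intervals can miss a swap that happens between the copy and a very fast paste, so treat this as an early-warning aid rather than a guarantee; the check that actually protects a transfer is comparing the pasted address against the one you meant to send to before signing.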

Propagation via USB Drives

A key feature of CryptoBandits is its propagation method. Once a system is compromised, the worm scans for connected USB drives. It then replaces legitimate document files on the USB drive with identical-looking .lnk shortcut files that point to the malware. When the user or another individual inserts the USB drive into a different Windows computer and double-clicks what appears to be a normal document, the shortcut executes the malware, continuing the infection chain. Because the victim launches the shortcut themselves, the technique sidesteps protections aimed at automatic execution from removable media, and it becomes easier still on systems where AutoRun is enabled.

This propagation technique is reminiscent of classic USB worms like Stuxnet, but with a modern twist targeting cryptocurrency users. The malware does not need an internet connection to spread; physical transfer of USB drives is sufficient. Given the widespread use of USB drives in corporate environments, crypto exchanges, and personal use, the potential for rapid dissemination is high.
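Shortcut files are a good fit for this trick because Explorer never shows the .lnk extension, so a file named `Report.docx.lnk` is displayed as `Report.docx`. A defender can hunt for exactly that pattern on attached removable media: shortcuts whose base name carries a document extension, or whose target is a script host or command interpreter. The script below is an added example written for this article, not Microsoft's tooling; it assumes a local administrator session on the inspecting host and the `WScript.Shell` COM object, and the extension and target lists are constructed starting points rather than a complete set.

```powershell
# Added example: hunt for document-named shortcuts on removable drives.
# Not Microsoft's tooling. Assumes an elevated session and WScript.Shell.

# Constructed lists: targets a document shortcut should never point at,
# and extensions a "document" file name would end in.
$SuspiciousTargets   = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe',
                       'cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'
$DocumentExtensions  = '\.(docx?|xlsx?|pptx?|pdf|txt|rtf|csv|jpe?g|png)$'

function Get-RemovableDrives {
    # Win32_LogicalDisk DriveType 2 = removable disk (USB sticks, SD cards).
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Get-SuspiciousShortcuts {
    param([string[]]$Roots)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Roots) {
        # -Force includes hidden files, which droppers commonly use.
        Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk      = $_
            $baseName = [System.IO.Path]::GetFileNameWithoutExtension($lnk.Name)
            try   { $sc = $shell.CreateShortcut($lnk.FullName) }
            catch { return }   # unreadable shortcut: skip this item
            $targetName   = [System.IO.Path]::GetFileName($sc.TargetPath).ToLower()
            $looksLikeDoc = $baseName -match $DocumentExtensions
            $scriptHost   = $SuspiciousTargets -contains $targetName
            if ($looksLikeDoc -or $scriptHost) {
                [pscustomobject]@{
                    Path       = $lnk.FullName
                    Target     = $sc.TargetPath
                    Arguments  = $sc.Arguments
                    DocName    = $looksLikeDoc
                    ScriptHost = $scriptHost
                }
            }
        }
    }
}

$drives = Get-RemovableDrives
if (-not $drives) { Write-Host 'No removable drives attached.'; return }
Get-SuspiciousShortcuts -Roots $drives | Format-Table -AutoSize
```

Findings with both `DocName` and `ScriptHost` set are the strongest signal; review the `Arguments` column, since the shortcut's real payload usually lives there rather than in the target path. Keep the drive read-only while inspecting it so the evidence is preserved for forensic follow-up.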

Impact on Cryptocurrency Users

Victims of CryptoBandits can lose funds in two primary ways. First, during a transaction, the clipboard hijack swaps the recipient address, sending coins to the attacker. Since blockchains are irreversible, such losses are permanent. Second, if the malware captures seed phrases or private keys, attackers can later access the entire wallet and withdraw all funds. The stealthy nature of clipboard monitoring means users may not realize their data has been compromised until it is too late.

Microsoft has not disclosed the total number of infections or the value of stolen cryptocurrency, but the continuous activity since February suggests a successful campaign. The malware’s reliance on USB drives makes it a threat to both individuals and organizations that handle crypto assets, including trading desks, wallets, and mining operations.

Microsoft’s Recommendations and Mitigations

In response to the threat, Microsoft has issued specific guidance to Windows users. The key recommendations include:

  • Disable AutoRun: Turn off the AutoRun feature for removable drives to prevent automatic execution of malicious code.
  • Block .lnk execution on USB media: Use Group Policy or security software to prevent shortcut files from running on USB drives.
  • Restrict script hosts: Disable Windows Script Host if not needed, or restrict its usage to signed scripts.
  • Check networks against published indicators of compromise (IOCs): Monitor internal network traffic for connections to known Tor exit nodes or malicious domains associated with CryptoBandits.
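The first three recommendations map onto local policy settings that can be read back from the registry, so an administrator can confirm quickly which hosts still permit the behaviour. The audit below is an added example written for this article, not part of Microsoft's guidance; it assumes an elevated session on the host being checked and that the relevant Group Policy has already applied locally. The registry paths are the standard locations for these policies; the removable-disk "deny execute" entry is listed under the device class GUID that policy uses, and should be confirmed against your own ADMX templates before relying on it.

```powershell
# Added example: read-only audit of the host settings behind Microsoft's
# first three recommendations. Not part of the original guidance.
# Assumes an elevated session; reports local registry policy only.

$Checks = @(
    @{ Name  = 'AutoRun disabled for all drive types'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoDriveTypeAutoRun'
       Pass  = { param($v) $v -eq 0xFF } },
    @{ Name  = 'autorun.inf ignored (NoAutorun)'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value = 'NoAutorun'
       Pass  = { param($v) $v -eq 1 } },
    @{ Name  = 'Windows Script Host disabled machine-wide'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value = 'Enabled'
       Pass  = { param($v) $v -eq 0 } },
    @{ Name  = 'Removable disks: deny execute access (GPO)'
       # Device class GUID used by the "Removable Disks: Deny execute access" policy;
       # verify against your ADMX templates.
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
       Value = 'Deny_Execute'
       Pass  = { param($v) $v -eq 1 } }
)

function Invoke-PolicyAudit {
    foreach ($c in $Checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Read the single named value; missing values come back as $null.
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $pass = ($null -ne $actual) -and (& $c.Pass $actual)
        [pscustomobject]@{
            Check  = $c.Name
            Value  = if ($null -eq $actual) { '<not set>' } else { $actual }
            Status = if ($pass) { 'OK' } else { 'REVIEW' }
        }
    }
}

Invoke-PolicyAudit | Format-Table -AutoSize
```

A `<not set>` result does not always mean the protection is absent (Windows has ignored autorun.inf on removable disks by default since Windows 7), but an explicit value is what you want on hosts that handle wallet software, and the same checks can be run across a fleet through your EDR or configuration-management tooling.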

Additionally, Microsoft recommends using up-to-date antivirus and endpoint detection and response (EDR) solutions that can identify and block this specific threat. Users should also be cautious when inserting unknown USB drives and avoid opening shortcut files from untrusted sources.

Broader Context: Crypto Clipper Malware and USB Threats

Crypto clipper malware is not new. For years, cybercriminals have used clipboard hijackers to redirect cryptocurrency transactions. However, most earlier variants spread via phishing emails or malicious downloads. The use of USB drives as a vector marks a return to older, more physical methods of malware propagation. This approach exploits the trust users place in removable media and the common practice of sharing files via USB sticks.

The decision to add Tor exfiltration indicates a higher level of operational security by the attackers. By routing stolen data through the Tor network, the malware complicates forensic analysis and takedown efforts. This technique is increasingly seen in sophisticated banking Trojans and ransomware, now adapted for crypto theft.

From a historical perspective, USB-based worms have been used in high-profile attacks, including the 2010 Stuxnet attack on Iranian nuclear facilities. While CryptoBandits is far less sophisticated, its targeting of financial assets makes it equally dangerous for individuals and small businesses. The malware’s ability to evade detection by mimicking legitimate file operations is particularly concerning.

Defense Strategies for Users and Organizations

Beyond Microsoft’s specific recommendations, users should adopt a holistic security approach when dealing with cryptocurrency. This includes using hardware wallets for large holdings, verifying recipient addresses multiple times before confirming transactions, and maintaining air-gapped computers for signing transactions whenever possible. For organizations, implementing USB device control policies that only allow authorized and encrypted drives can reduce the risk of infection.

Regular security awareness training should include modules on spotting malicious shortcut files and understanding the risks of USB usage. Employees should be taught to never execute files directly from a USB drive, but instead to copy them to a sandboxed environment first. Additionally, network segmentation can limit the spread of malware if a single machine becomes compromised.

Antivirus vendors have incorporated detection signatures for CryptoBandits, but as with all malware, updates are essential. Users should ensure their security software is configured to receive real-time updates and perform regular scans of both system drives and removable media. Microsoft Defender for Endpoint users can leverage the published IOCs to proactively hunt for signs of infection across their network.

The Growing Threat Landscape for Cryptocurrency

The emergence of CryptoBandits underscores a broader trend: cybercriminals are increasingly focusing on digital assets. As cryptocurrency adoption grows, so does the variety and sophistication of threats targeting holders. From exchange hacks and phishing scams to clipboard malware and seed-phrase stealers, the attack surface is expanding. The use of USB drives as a vector indicates that attackers are exploring all avenues, including offline physical access.

In response, security researchers and platform developers are working on countermeasures, such as blockchain-based transaction verification, multi-factor authentication, and improved clipboard protection in operating systems. However, until these solutions become widespread, individual vigilance and adherence to security fundamentals remain the best defense. The discovery of CryptoBandits serves as a reminder that even simple, well-known attack methods can be repurposed for new, lucrative targets.

Windows users who suspect they may have been infected should immediately disconnect from the internet, run a full antivirus scan, and change passwords for all cryptocurrency accounts using a clean device. They should also consider moving funds to new wallets that were generated offline. Microsoft has provided a detailed technical analysis and a list of IOCs on its security blog, which system administrators can use for forensic investigation.

As the situation continues to evolve, staying informed about emerging threats and applying recommended patches and security configurations is crucial. The crypto community must remain proactive in safeguarding assets against this and future malware incarnations.


Source: Coindesk News

