TLDR
- Microsoft has identified malware called “crypto clipper” spreading through infected USB drives since February 2026
- The malware, identified as Trojan:Win32/CryptoBandits, monitors the Windows clipboard every 500 milliseconds
- It steals crypto wallet seed phrases and private keys, sending them to attackers via the Tor network
- When a user copies a recipient wallet address, the malware silently swaps it for an attacker-controlled address
- Microsoft recommends disabling AutoRun for removable media and blocking .lnk file execution on USB drives
Microsoft has discovered malware that spreads through USB drives and targets cryptocurrency wallets on Windows computers. The malware has been active since February 2026.
Microsoft Warns of Tor-Based Crypto Clipper Targeting Wallet Data
Microsoft Threat Intelligence and Microsoft Defender Experts said they identified a Windows-based crypto clipper that has affected users since February 2026. The malware spreads via malicious .lnk shortcuts and… pic.twitter.com/tDZ6CNg322
— Wu Blockchain (@WuBlockchain) June 19, 2026
The company calls it a “crypto clipper” and its Defender Antivirus labels it Trojan:Win32/CryptoBandits. Microsoft detailed the threat in a blog post this week.
The attack begins when a user plugs in an infected USB drive. The drive contains a malicious shortcut file with the “.lnk” extension. When clicked, it installs a worm onto the computer.
Once installed, the worm runs two tasks at once. It starts stealing crypto wallet data and waits for a new, clean USB drive to be plugged in so it can spread further.
How the Clipboard Attack Works
The malware watches the Windows clipboard roughly every 500 milliseconds. The clipboard is the temporary memory used when you copy and paste something.
If a user copies a crypto wallet seed phrase or a private key for a Bitcoin or Ethereum wallet, the malware captures it immediately. It then sends that data to the attacker’s server through the Tor network, which hides the destination.
The malware also takes five screenshots, each ten seconds apart, and sends those to the attacker as well.
The danger does not stop at theft of private keys. If a user copies a wallet address to send funds, the worm quietly swaps it with an address controlled by the attacker. The user then pastes what looks like the right address but sends their funds to the attacker instead.
How It Spreads and What to Do
When a clean USB drive is plugged into an infected computer, the worm acts fast. It scans the drive for regular files like Word documents, Excel sheets, and PDFs. It replaces those files with shortcut files that carry the same names. The infected drive then passes the malware on to the next computer it touches.
Microsoft has recommended several steps to protect against the threat. Users should disable AutoRun for removable media and block .lnk file execution on USB drives through group policy.
Restricting script hosts like wscript.exe and cscript.exe is also advised. Microsoft Defender users can run hunting queries to look for related activity, including connections to a local Tor proxy on port 9050.
Microsoft also published a list of indicators of compromise. These include file hashes and .onion domains used as command-and-control servers, allowing security teams to check their networks.
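The spreading behaviour described above (documents on a drive replaced by same-named shortcuts) leaves a pattern a defender can check for before anyone opens a file. The following is an added example, not code from Microsoft or from the original article: a read-only Python triage of a mounted drive. The verdict labels, the function names and the two decoy naming patterns it looks for are assumptions made for illustration.

```python
import sys
import tempfile
from pathlib import Path

# Document types the article says the worm replaces (Word, Excel, PDF).
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}

def triage_drive(root):
    """Read-only walk of a mounted drive; no file is opened or executed."""
    shortcuts, documents = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext == ".lnk":
            shortcuts.append(path)
        elif ext in DOC_EXTS:
            documents.append(path)
    # Assumption: a decoy keeps the document's name, either as "Budget.xlsx.lnk"
    # or as "Budget.lnk" (Explorer hides the .lnk extension in both cases).
    doc_named = [s for s in shortcuts if Path(s.stem).suffix.lower() in DOC_EXTS]
    if doc_named or (shortcuts and not documents):
        verdict = "suspicious"   # shortcuts posing as documents, or only shortcuts left
    elif shortcuts:
        verdict = "review"       # shortcuts present next to real documents
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "shortcuts": sorted(s.relative_to(root).as_posix() for s in shortcuts),
        "documents": len(documents),
    }

def demo():
    """Constructed sample: one intact drive, one where documents became shortcuts."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, hit = Path(tmp, "clean"), Path(tmp, "hit")
        for d in (clean, hit / "reports"):
            d.mkdir(parents=True)
        (clean / "Budget.xlsx").write_bytes(b"")
        (hit / "Budget.xlsx.lnk").write_bytes(b"")
        (hit / "reports" / "Q2.lnk").write_bytes(b"")
        return triage_drive(clean), triage_drive(hit)

if __name__ == "__main__":
    # Usage: python triage_usb.py E:\   (with no argument, runs the constructed demo)
    print(triage_drive(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A "suspicious" or "review" result is a reason to quarantine the drive and compare it against Microsoft's published indicators, not a confirmed detection.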
The malware was also flagged by crypto exchange Binance, which shared the Microsoft warning with its users. Security firm NS3.AI confirmed users have been affected since February 2026.