Microsoft Warns Crypto Clipper Malware Is Spreading Through USB Drives
Microsoft has warned that a Windows-based crypto clipper campaign has been active since February, using infected USB drives, malicious shortcut files and Tor-based command traffic to steal wallet data and replace copied crypto addresses.

Microsoft Security's research describes a campaign that combines clipboard theft, wallet-address substitution, seed-phrase collection, screenshot capture and remote code execution. Microsoft Defender Antivirus detects the threat as CryptoBandits, with components tracked across Windows and JavaScript payloads.

The malware targets one of the most common crypto transfer habits: copying and pasting wallet addresses. Once active on a Windows device, it watches the clipboard roughly every 500 milliseconds. If a user copies a crypto address, the malware can replace it with an attacker-controlled address before the user pastes it into a wallet or exchange withdrawal form.

USB Shortcuts Turn The Malware Into A Worm

The campaign spreads through malicious .lnk shortcut files found on USB storage devices. When a user opens what looks like a normal file shortcut, the payload stages a worm component and a separate clipper-stealer component.

Microsoft said the worm scans removable media for common documents such as PDFs, spreadsheets and Word files, hides the originals, then creates malicious shortcuts using the same filenames. That keeps the infection chain moving because the next user may think they are opening an ordinary document while actually launching the worm.

The malware also creates scheduled tasks for persistence and uses script-based execution through Windows Script Host and ActiveX. That makes the campaign more flexible than a simple one-file stealer, especially when it can keep running after reboot and continue monitoring clipboard activity.
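A defender-side check for the worm pattern described above, written for this article as an added example rather than taken from Microsoft's report: it scans a removable drive for hidden documents that sit beside a shortcut reusing their filename, and reads each shortcut's target to see whether it launches a script host instead of a document viewer. The drive letter, the document extensions and the two shortcut-naming variants (`name.lnk` and `name.pdf.lnk`) are assumptions, not details from the report.

```powershell
# Added example (not Microsoft's code): find hidden documents on a USB drive
# that have been "shadowed" by a same-named .lnk shortcut, and inspect the
# shortcut target. Assumption: $DriveRoot is the removable drive letter.
param([string]$DriveRoot = 'E:\')

$DocExt = '.pdf', '.doc', '.docx', '.xls', '.xlsx'   # assumed document types
$Shell  = New-Object -ComObject WScript.Shell        # used only to read .lnk fields

# Hidden files are skipped by default; -Force makes them visible to the scan.
$hiddenDocs = Get-ChildItem -Path $DriveRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        ($DocExt -contains $_.Extension.ToLower())
    }

$findings = foreach ($doc in $hiddenDocs) {
    # Assumed naming: the worm may write "report.lnk" or "report.pdf.lnk".
    $candidates = @(
        (Join-Path $doc.DirectoryName ($doc.BaseName + '.lnk')),
        (Join-Path $doc.DirectoryName ($doc.Name + '.lnk'))
    )
    foreach ($lnkPath in $candidates) {
        if (-not (Test-Path -LiteralPath $lnkPath)) { continue }
        $lnk = $Shell.CreateShortcut($lnkPath)

        # A real document shortcut points at a viewer; the worm's shortcuts run a
        # script host (Windows Script Host, cmd, PowerShell) with a script argument.
        $scriptHost = $lnk.TargetPath -match '(?i)\\(wscript|cscript|cmd|powershell|mshta)\.exe$'
        $scriptArg  = $lnk.Arguments  -match '(?i)\.(js|vbs|wsf|bat|ps1)(\s|"|$)'

        [pscustomobject]@{
            HiddenDocument = $doc.FullName
            Shortcut       = $lnkPath
            Target         = $lnk.TargetPath
            Arguments      = $lnk.Arguments
            Suspicious     = ($scriptHost -or $scriptArg)
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) hidden document(s) shadowed by a shortcut under $DriveRoot; do not open the shortcuts."
} else {
    "No hidden-document/shortcut pairs found under $DriveRoot"
}
```

Run it from a PowerShell session with the drive attached but before opening anything on it; a `Suspicious = True` row is the trigger to image the drive and isolate the host rather than to clean the files by hand.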

Seed Phrases And Tor Raise The Risk

The clipper does not only swap recipient addresses. Microsoft said the malware checks clipboard data for wallet patterns, seed phrases and private keys, including 12-word and 24-word BIP39 phrases. It can save stolen material locally, exfiltrate it through Tor and upload screenshots for additional visibility into the victim’s device.

The Tor setup is central to the campaign. The malware launches a renamed portable Tor binary, routes traffic through a local SOCKS5 proxy on localhost:9050 and communicates with hidden-service command servers. That reduces the visibility defenders normally get from exposed IP infrastructure or ordinary DNS traffic.

This makes the campaign more serious than a basic clipboard hijacker. Wallet-address replacement can steal one outgoing transaction, but seed-phrase theft can drain every wallet restored from the same recovery phrase. A recent case involving a Ledger user losing about $1 million after entering a seed phrase into a fake support site showed how quickly recovery-phrase compromise can turn into a total wallet loss.

Crypto Malware Keeps Moving Closer To The Endpoint

Microsoft’s warning fits a wider shift in crypto theft. Attackers are not always trying to break blockchains or exploit smart contracts. Many campaigns now target the endpoint: the laptop, USB drive, browser profile, developer workstation or clipboard sitting between the user and the transaction.

That same endpoint pressure showed up in the TrapDoor malware campaign targeting crypto and AI developers, where malicious packages were built to steal wallet data, GitHub tokens, SSH keys, API keys and local configuration files from development environments.

The strongest defense is not only checking the first and last characters of a wallet address. Users handling crypto transfers should verify the full destination address on a trusted screen, avoid unknown USB drives, disable AutoRun or AutoPlay on removable media, keep endpoint protection active and treat any clipboard change as a sign of device compromise.

Microsoft’s campaign analysis puts the warning in plain terms: the theft path starts before the transaction is signed. Once a Windows device is compromised, a copied address, seed phrase or private key can become the attacker’s next route into funds.