Microsoft identifies malware 'worm' that hijacks crypto wallets, spreads through USB drives
The software intercepts shortcut files and directs them to install a worm that harvests private keys from the Windows clipboard and inserts its own destination wallet addresses when it detects a transfer.
By Omkar Godbole | Edited by Sheldon Reback | Jun 19, 2026, 8:48 a.m.
A worm that's been around since February propagates by USB drives. (Brina Blum/Unsplash)
Summary
The malware, dubbed a “crypto clipper,” has been spreading via infected USB drives to target Windows users’ crypto wallets since February, according to Microsoft.
Once installed through a malicious .lnk shortcut file, the worm known as Trojan:Win32/CryptoBandits monitors the clipboard for seed phrases, private keys and recipient addresses, exfiltrates data over the Tor network, and can silently swap in attacker-controlled wallet addresses.
The malware propagates by replacing documents on clean USB drives with identically named shortcuts.
Microsoft urged users to disable AutoRun, block .lnk execution on USB media, restrict script hosts and check networks against published indicators of compromise.
Malware that spreads via USB sticks has been infecting Windows personal computers and targeting crypto wallets since February, Microsoft said in a blog post.
The firm calls the malware a "crypto clipper", and its Defender Antivirus identifies it as Trojan:Win32/CryptoBandits.
The process starts with an infected USB drive containing a malicious shortcut, or link, file. In Windows, shortcut filenames end in ".lnk" and direct the operating system to open a specific program, folder or file stored elsewhere on your computer.
When a user plugs in that drive and clicks the shortcut, a type of malware known as a "worm" is installed onto the PC. Once installed, it does two things: it constantly runs the actual crypto wallet-stealing code and simultaneously waits for a new, clean USB to be plugged into that same PC.
The wallet-stealing component monitors Windows’ clipboard, the hidden temporary memory used for copy-and-paste operations, roughly every 500 milliseconds. When a user copies a crypto wallet seed phrase or a private key for a Bitcoin or Ethereum wallet, the malware captures that data and sends it to the attacker’s server over the Tor network, an open-source overlay that provides anonymous communication. It also takes five screenshots, ten seconds apart, and sends those along too.
The risk doesn't end there.
If a user copies a recipient address to send funds, the worm silently replaces it with an attacker-controlled address before the user pastes, so the transfer goes to the attacker without any visible cue.
Lastly, the worm propagates when a clean USB drive is plugged into the computer. It scans the clean USB drive for ordinary files (Word docs, Excel sheets and PDFs), replaces them with new shortcut files using the same names and infects the drive. Then the cycle continues.
Microsoft recommends disabling AutoRun for removable media, blocking .lnk file execution on USB drives via group policy and restricting script hosts such as wscript.exe and cscript.exe. Microsoft Defender customers can also run hunting queries to check for related activity, including connections to a local Tor proxy on port 9050.
Microsoft published a list of indicators of compromise, including file hashes and .onion domains used as command-and-control servers, for security teams to check their networks against.
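A hunting check of the kind described above, as an added example that is not taken from Microsoft's post or from this article: it scans endpoint connection events for loopback connections to port 9050 and ranks the script hosts named in the guidance highest. The CSV layout, the sample events, the approved-process list and the severity labels are assumptions made for the illustration.

```python
import csv
import io
import ipaddress

TOR_SOCKS_PORT = 9050                          # local Tor proxy port named in the article
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # script hosts named in the article

# Constructed sample events (not real telemetry); the column names are assumed.
SAMPLE_EVENTS = """timestamp,host,process,remote_ip,remote_port
2026-06-19T08:01:02Z,PC-01,chrome.exe,93.184.216.34,443
2026-06-19T08:01:05Z,PC-01,wscript.exe,127.0.0.1,9050
2026-06-19T08:02:10Z,PC-03,tor-client.exe,127.0.0.1,9050
2026-06-19T08:02:30Z,PC-01,svchost.exe,::1,9050
2026-06-19T08:03:00Z,PC-04,backup.exe,10.0.0.5,9050
2026-06-19T08:03:40Z,PC-02,updater.exe,127.0.0.1,not-a-port
"""


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1; malformed addresses are treated as non-matching."""
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def hunt_local_tor(events_csv, approved=frozenset()):
    """Return (host, process, severity) for loopback connections to port 9050.

    `approved` holds lower-case process names the organisation allows to use
    a local Tor proxy (hypothetical allowlist for this example).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        port = row["remote_port"].strip()
        if not port.isdigit() or int(port) != TOR_SOCKS_PORT:
            continue                      # wrong port or unparsable field
        if not is_loopback(row["remote_ip"]):
            continue                      # only the *local* proxy is of interest here
        proc = row["process"].strip().lower()
        if proc in approved:
            continue
        severity = "high" if proc in SCRIPT_HOSTS else "review"
        findings.append((row["host"], proc, severity))
    return findings


if __name__ == "__main__":
    for finding in hunt_local_tor(SAMPLE_EVENTS, approved={"tor-client.exe"}):
        print(finding)
```

The remote connection to 10.0.0.5:9050 is deliberately not flagged, because the check targets a Tor proxy running on the endpoint itself.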
This article is sourced from CoinDesk. It is for informational purposes only and does not constitute investment advice.