
Microsoft Warns of New Crypto Malware That Can Steal Wallet Funds Through USB and Tor

Microsoft has issued a warning about a sophisticated crypto clipper malware campaign that steals cryptocurrency wallet data through infected USB drives.

Microsoft Crypto Clipper Warning: How a Simple USB Drive Could Put Your Crypto Wallet at Risk

The rise of cryptocurrency adoption has created new opportunities not only for investors and blockchain innovators but also for cybercriminals seeking to exploit digital asset holders. In a newly published threat intelligence report, Microsoft has revealed details of an ongoing malware campaign specifically designed to target cryptocurrency users through an attack method many people rarely consider dangerous: USB drives.

According to findings released by Microsoft's security researchers on June 17, 2026, a malware strain identified as Trojan:Win32/CryptoBandits.A has been actively targeting users since February 2026. The malware operates as a sophisticated crypto clipper, capable of stealing wallet addresses, seed phrases, private keys, and other sensitive information while routing stolen data through the Tor anonymity network.

Source: X (formerly Twitter)
Security experts warn that the campaign demonstrates how cybercriminal tactics continue evolving beyond traditional phishing emails and fake websites. Instead, attackers are increasingly leveraging removable media and hidden persistence techniques to gain access to victims' systems.

For cryptocurrency investors, traders, and long-term holders, the warning serves as a reminder that digital asset security extends far beyond passwords and two-factor authentication.

Microsoft Uncovers a Sophisticated USB-Based Malware Campaign

Unlike many cyberattacks that rely on social engineering through email or malicious downloads, the newly identified crypto clipper spreads through infected USB storage devices.

Security researchers noted that the attack begins when a user inserts an infected USB drive into a Windows computer. The malware utilizes malicious shortcut files, commonly known as .lnk files, to disguise itself as ordinary documents.

The attack process is designed to appear completely legitimate.

When activated, the malicious shortcut scans the USB drive for commonly used file formats, including Word documents, spreadsheets, PDFs, and presentations. The malware then hides the original files and replaces them with lookalike shortcuts carrying identical names and icons.

To the victim, nothing appears suspicious.

When users click what they believe is their own document, they unknowingly execute malicious code instead.

Because the original files remain accessible, many victims never realize that the malware was launched in the background.

Cybersecurity analysts describe this technique as particularly dangerous because it exploits normal user behavior rather than relying on obvious deception.
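As an added illustration (not code from Microsoft's report), the following Python scan looks for the decoy pattern just described on a mounted drive: a hidden document sitting beside a visible shortcut that carries the document's name. Function and file names are my own.

```python
import os
import stat
from typing import Iterable, List, Tuple


def find_lookalike_shortcuts(entries: Iterable[Tuple[str, bool]]) -> List[str]:
    """entries: (file name, is_hidden) pairs from ONE directory.

    Flags a visible .lnk whose displayed name (the .lnk stripped) equals a
    hidden file in the same folder ('Report.docx.lnk' next to hidden
    'Report.docx'), or equals that hidden file's stem ('Report.lnk').
    """
    entries = list(entries)
    hidden = {name for name, is_hidden in entries if is_hidden}
    hidden_stems = {os.path.splitext(name)[0] for name in hidden}
    flagged = []
    for name, is_hidden in entries:
        if is_hidden or not name.lower().endswith(".lnk"):
            continue
        shown = name[:-4]  # Explorer hides the .lnk extension by default
        if shown in hidden or shown in hidden_stems:
            flagged.append(name)
    return flagged


def scan_drive(path: str) -> List[str]:
    """Walk a mounted (removable) drive and apply the check per directory."""
    found = []
    for root, _dirs, files in os.walk(path):
        entries = []
        for f in files:
            st = os.stat(os.path.join(root, f))
            attrs = getattr(st, "st_file_attributes", 0)  # present on Windows only
            is_hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or f.startswith(".")
            entries.append((f, is_hidden))
        found.extend(os.path.join(root, n) for n in find_lookalike_shortcuts(entries))
    return found


if __name__ == "__main__":
    import sys
    for hit in scan_drive(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious shortcut:", hit)
```

Run it against a USB drive letter (for example `python scan.py E:\`) before opening anything on the stick; a non-empty result is a reason to not double-click any of the listed files.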

How the Crypto Clipper Expands Its Reach

Once the malware gains access to a system, it behaves similarly to a worm.

The malicious program automatically copies itself onto any additional USB drive connected to the infected computer. This enables the malware to spread between devices without requiring internet connectivity during the initial propagation stage.

As a result, a single infected storage device can potentially compromise multiple computers within homes, offices, educational institutions, and shared workspaces.

Microsoft researchers highlighted several advanced techniques used by the malware to avoid detection.

One notable feature involves anti-analysis capabilities. The malware actively checks whether Windows Task Manager is running and immediately terminates itself if it detects monitoring activity.

Although simple, this technique remains effective against casual investigation by users attempting to identify suspicious processes.

The malware also deploys a modified portable Tor client operating under the file name ugate.exe. This component launches silently in the background and establishes anonymous communications with attacker-controlled infrastructure.

By routing all traffic through Tor's hidden service architecture, attackers eliminate the need for traditional command-and-control servers with visible IP addresses.

This significantly complicates efforts by security teams to identify and disrupt the campaign.

Microsoft researchers stated that communications occur through a local SOCKS5 proxy on port 9050, a behavior that may serve as an important detection indicator for defenders.

Crypto Wallets Are the Primary Target

The malware's ultimate objective is straightforward: steal cryptocurrency.

Once active, the crypto clipper continuously monitors clipboard activity, checking copied content approximately every 500 milliseconds.

This near-real-time surveillance allows attackers to capture sensitive information moments after it is copied by a user.

The malware focuses on three high-value targets.

Seed Phrase Theft

The first target is wallet recovery phrases.

Most cryptocurrency wallets generate 12-word or 24-word seed phrases based on the widely used BIP39 standard. These phrases function as master recovery keys, allowing complete restoration of wallet access.

If attackers obtain a valid seed phrase, they can effectively gain control of all assets associated with that wallet.

Microsoft's analysis indicates that the malware automatically identifies seed phrases copied to the clipboard, stores them locally, and transmits them through the Tor network to attacker-controlled servers.

Only after confirming successful transmission does the malware remove local traces of the stolen information.

Private Key Extraction

The second target involves cryptocurrency private keys.

Researchers found that the malware scans for Ethereum private keys as well as Bitcoin Wallet Import Format (WIF) keys.

Before exfiltrating the information, the malware performs validation checks to reduce false positives and ensure the stolen data is usable.

Private key theft remains one of the most devastating forms of cryptocurrency compromise because it provides direct access to wallet funds without requiring additional authentication.
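The seed-phrase and private-key sections above describe the malware validating what it finds on the clipboard; a defender can run the same kind of validation in a DLP or endpoint rule to alert when wallet secrets show up in clipboard history, logs or outbound content. The Python below is an added example, not Microsoft's or the malware's code; the Base58Check encoder exists only to build constructed sample data, and the seed-phrase check is a heuristic that does not ship the 2048-word BIP39 list.

```python
import hashlib
import re
from typing import Optional

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
WORD_RE = re.compile(r"^[a-z]{3,8}$")               # every BIP39 word is 3-8 lowercase letters
ETH_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")  # 32-byte hex scalar (may also match a tx hash)

def _sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58check_decode(s: str) -> Optional[bytes]:
    """Return the payload if s is valid Base58Check (4-byte sha256d checksum), else None."""
    n = 0
    for ch in s:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # each leading '1' is a 0x00 byte
    payload, checksum = raw[:-4], raw[-4:]
    return payload if len(raw) > 4 and _sha256d(payload)[:4] == checksum else None

def b58check_encode(payload: bytes) -> str:
    """Base58Check encoder; used here only to build constructed sample values."""
    raw = payload + _sha256d(payload)[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def classify_secret(text: str) -> Optional[str]:
    """Label text that looks like a seed phrase, an Ethereum key or a Bitcoin WIF."""
    t = text.strip()
    if ETH_KEY_RE.match(t):
        return "eth_private_key"
    words = t.split()
    if len(words) in (12, 24) and all(WORD_RE.match(w) for w in words):
        return "bip39_seed_candidate"  # a full check would also consult the word list
    payload = b58check_decode(t)
    # WIF = 0x80 version byte + 32-byte key (+ 0x01 if the public key is compressed)
    if payload and payload[0] == 0x80 and len(payload) in (33, 34):
        return "btc_wif"
    return None
```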

Wallet Address Replacement

The third and perhaps most dangerous function is clipboard manipulation.

This technique is what gives crypto clipper malware its name.

Whenever a victim copies a cryptocurrency wallet address to send funds, the malware silently replaces the original address with one controlled by attackers.

The substitution often goes unnoticed because the malicious address is designed to closely resemble the legitimate one.

Researchers observed support for multiple blockchain networks, including Bitcoin, Tron, and Monero.

In many cases, only a few characters differ between the legitimate and malicious addresses, making visual detection extremely difficult.

If a user fails to verify the destination address before confirming a transaction, funds can be permanently redirected to attackers.

Additional Surveillance Capabilities Raise Concerns

Microsoft's investigation revealed that the malware is capable of more than cryptocurrency theft alone.

The program periodically captures screenshots of the victim's desktop, collecting multiple images at timed intervals before transmitting them through the Tor network.

This functionality provides attackers with additional context regarding wallet balances, trading platforms, financial activity, and user behavior.

Researchers believe this capability allows attackers to prioritize high-value victims and customize future attacks.

Perhaps more concerning is the malware's ability to execute arbitrary commands.

According to Microsoft's technical analysis, the malware can receive instructions from its command infrastructure through a function labeled "EVAL."

When activated, this feature allows attackers to execute remote code directly on the compromised system.

In practical terms, this transforms the malware from a simple information-stealing tool into a lightweight remote access backdoor.

The implications extend beyond cryptocurrency theft and could potentially include credential harvesting, espionage, or broader system compromise.

What Microsoft Recommends for Protection

Microsoft's security teams emphasize that behavioral monitoring is essential when defending against this threat.

Because the malware uses obfuscation techniques and frequently changes its appearance, traditional signature-based detection alone may not be sufficient.

The company recommends several protective measures for organizations and individual users alike.

One of the most important steps is disabling AutoRun and AutoPlay functionality for removable media devices. Doing so significantly reduces the risk of accidental execution from infected USB drives.

Microsoft also advises organizations to block .lnk file execution from removable devices through Group Policy whenever possible.

Additional recommendations include restricting unnecessary use of scripting engines such as wscript.exe and cscript.exe, both of which can be leveraged during malware execution.

Security teams should also monitor systems for suspicious SOCKS5 proxy activity on localhost port 9050, which may indicate Tor-based communications.

Finally, organizations are encouraged to look for indicators of clipboard monitoring and unauthorized wallet address modifications, especially on systems involved in cryptocurrency transactions.
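To show how the indicators from this section and the earlier port 9050 note translate into detection logic, here is an added Python example (not Microsoft's detection content) that runs three simple rules over constructed Sysmon-style events. Field names follow Sysmon; the event values, the assumption that only C: is a fixed drive, and the rule names are my own.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumption: C: is the only fixed drive, so any other letter means removable media.
REMOVABLE_PATH = re.compile(r"(?<![A-Za-z])[D-Z]:\\", re.IGNORECASE)
# Constructed Sysmon-style records (EventID 1 = process create, 3 = network
# connection); field names follow Sysmon, the values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": "1", "ProcessId": "4120", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\.cache\run.vbs"'},
    {"EventID": "1", "ProcessId": "4388", "Image": r"C:\Users\u\AppData\Roaming\ugate.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "ugate.exe"},
    {"EventID": "3", "ProcessId": "4390", "Image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": "9050"},
    {"EventID": "3", "ProcessId": "2210", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventID": "1", "ProcessId": "3012", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cscript.exe "C:\Scripts\logon.vbs"'},
]

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def match_rules(event: Dict[str, str]) -> List[str]:
    """Return the names of the indicator rules this one event satisfies."""
    hits = []
    eid, image = event.get("EventID"), _basename(event.get("Image", ""))
    # Rule 1: any process using a local SOCKS5 listener on 9050 (the Tor default)
    if eid == "3" and event.get("DestinationIp") == "127.0.0.1" and event.get("DestinationPort") == "9050":
        hits.append("local_socks_9050")
    # Rule 2: the portable Tor client file name given in the report
    if eid == "1" and image == "ugate.exe":
        hits.append("ugate_tor_client")
    # Rule 3: a script host launched by Explorer with a removable-drive path in its arguments
    parent = _basename(event.get("ParentImage", ""))
    if eid == "1" and image in SCRIPT_HOSTS and parent == "explorer.exe" \
            and REMOVABLE_PATH.search(event.get("CommandLine", "")):
        hits.append("script_host_from_removable")
    return hits

def triage(events) -> Dict[str, List[str]]:
    """Map each fired rule to the ProcessIds that triggered it."""
    out: Dict[str, List[str]] = {}
    for ev in events:
        for rule in match_rules(ev):
            out.setdefault(rule, []).append(ev.get("ProcessId", "?"))
    return out
```

Rule 1 will also fire for a legitimately installed Tor Browser, so pair it with an allow-list of known Tor process images before alerting.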

Practical Security Tips for Crypto Users

For everyday cryptocurrency holders, the lessons from this campaign are clear.

Never connect unknown USB devices to systems containing wallet software or sensitive financial information.

Users should also verify every cryptocurrency address manually before approving transactions, regardless of how familiar the destination may appear.

Even a quick review of the first and last several characters can help identify address substitution attacks.

Security experts additionally recommend using hardware wallets whenever possible, as these devices provide independent transaction verification screens that cannot be manipulated by clipboard malware.

Maintaining updated antivirus protection, regularly scanning removable media, and avoiding unnecessary file transfers between unknown systems can further reduce risk.

Conclusion

Microsoft's latest warning highlights a growing reality in the cryptocurrency sector: cybercriminals are becoming increasingly sophisticated in their efforts to steal digital assets.

The CryptoBandits campaign demonstrates how attackers can combine USB-based propagation, Tor-enabled anonymity, clipboard hijacking, seed phrase theft, and remote command execution into a single highly effective operation.

What makes this threat particularly concerning is its ability to exploit everyday habits rather than relying on obvious scams.

A simple USB drive, inserted without a second thought, can become the entry point for a complete cryptocurrency wallet compromise.

As cryptocurrency adoption continues expanding worldwide, maintaining strong security practices is no longer optional. Verifying wallet addresses, disabling risky system features, and exercising caution with removable devices may ultimately be the difference between protecting digital assets and losing them permanently.


Writer: Barland Vex

Crypto Market Analyst & Onchain Storyteller

Barland Vex is a veteran crypto writer who treats the chaos of digital markets as his playground. With a sharp instinct for reading Bitcoin's movements, DeFi waves, and the narratives that move millions of dollars in a matter of hours, Vex delivers analysis that's always one step ahead of the market itself.


From deep onchain reports to bold trend predictions, every piece is crafted to give readers one thing: an edge. Followed by traders, builders, and investors who refuse to miss a beat, Barland Vex is the name the market turns to when things start moving wild.

