
The malware Microsoft calls Crypto Clipper, active since at least February 2026, steals seed phrases and swaps wallet addresses by monitoring the clipboard. It spreads through malicious Windows shortcut (.lnk) files on USB drives, and Tor-based remote access gives its operators ongoing control.
Microsoft has identified a cryptocurrency-targeting malware campaign that steals seed phrases, substitutes wallet addresses, and maintains persistent remote access through the Tor network.
The malware, which Microsoft dubs "Crypto Clipper," has been active since at least February 2026, the company's security researchers said in a threat report published this week. Microsoft Defender detects it as Trojan/CryptoBandits.A and related variants.
Crypto Clipper works by continuously monitoring a victim's clipboard for cryptocurrency data: 12‑word and 24‑word seed phrases, private keys, and wallet credentials. Once captured, the information is exfiltrated via Tor‑based command‑and‑control infrastructure. The malware also takes screenshots to give attackers a view of wallet balances and active accounts.
Beyond theft, the malware replaces copied wallet addresses with attacker‑controlled alternatives. Microsoft said the malware recognizes addresses for several blockchains, including Bitcoin and Monero, and substitutes lookalike strings chosen to reduce the chance a user notices the change before hitting send.
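The clipboard behaviour described in the two paragraphs above has a recognizable defensive signature: a string that looks like a wallet address is replaced, seconds after the user copied it, by a different address of the same chain. The following added example (not code from Microsoft's report or from the malware) shows detection logic over a constructed sequence of clipboard snapshots. It classifies clipboard text by address format for Bitcoin and Monero, which the report names, plus Ethereum as a common extra, flags seed-phrase-shaped text, and raises an alert on the rapid same-chain swap cadence. The patterns are format checks only (no checksum validation), the two-second window is an assumed heuristic, and the sample addresses are constructed placeholders, not real wallets.

```python
import re
from dataclasses import dataclass

# Format-only patterns. Bitcoin covers legacy base58 and bech32; Monero is a
# 95-character base58 string starting with 4 or 8; Ethereum is 0x + 40 hex digits.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{11,71})$"),
    "xmr": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify(text):
    """Return the chain whose address format `text` matches, or None."""
    if text is None:
        return None
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return chain
    return None


def looks_like_seed_phrase(text):
    """Heuristic for the 12- or 24-word seed phrases the report says are harvested:
    the right word count and only short lowercase alphabetic words. A real check would
    also verify each word against the BIP-39 wordlist (assumption: not needed here)."""
    words = text.split()
    return len(words) in (12, 24) and all(w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words)


@dataclass
class SwapAlert:
    time: float
    chain: str
    original: str
    replacement: str


def detect_swaps(snapshots, window=2.0):
    """snapshots: chronological (time_seconds, clipboard_text) pairs from a poller.
    Unchanged polls are skipped. An alert fires when a same-chain address replaces the
    previous address within `window` seconds of the user's copy: the cadence of a
    clipper rewriting the clipboard, not of a user copying a second address later."""
    alerts = []
    last_text = None
    last_change = None
    for t, text in snapshots:
        if text == last_text:
            continue
        chain = classify(text)
        prev_chain = classify(last_text)
        if (chain is not None and chain == prev_chain
                and last_change is not None and t - last_change <= window):
            alerts.append(SwapAlert(t, chain, last_text, text))
        last_text, last_change = text, t
    return alerts


# Constructed sample data: placeholder addresses that satisfy the format checks.
USER_ETH = "0x" + "a1" * 20
SWAPPED_ETH = "0x" + "b2" * 20
BTC_A = "1" + "ab" * 16 + "c"
BTC_B = "1" + "cd" * 16 + "e"
SAMPLE_SNAPSHOTS = [
    (0.0, "meeting notes"),     # ordinary text
    (5.0, USER_ETH),           # user copies the address they intend to pay
    (5.2, USER_ETH),           # poll, unchanged
    (5.4, SWAPPED_ETH),        # rewritten 0.4 s later: clipper cadence
    (60.0, BTC_A),             # user copies a Bitcoin address
    (95.0, BTC_B),             # another one 35 s later: normal copy, no alert
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={alert.time}s {alert.chain}: {alert.original} -> {alert.replacement}")
```

The detector only needs snapshots, so the same function works behind a live poller (for example a loop reading the clipboard a few times a second) or over a recorded trace during incident analysis. Rapid legitimate copies of two addresses of the same chain will also trigger it, so treat an alert as a prompt to re-check the pasted address rather than as proof of infection.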
Propagation relies on USB storage. Researchers found that Crypto Clipper hides legitimate documents behind malicious Windows shortcut (.lnk) files. A user who opens what appears to be a normal file instead triggers background execution that installs additional payloads and a portable Tor client. That Tor client routes all subsequent attacker communications through hidden services and can receive commands allowing arbitrary code execution.
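The USB lure described above leaves a file-layout pattern that can be checked before anything is opened: a shortcut whose name mirrors a document in the same folder (the hidden original), or a shortcut carrying a document extension inside its name ("Invoice.pdf.lnk", which Explorer displays as "Invoice.pdf" because it never shows the .lnk suffix). The following added example (not code from Microsoft's report) scans a drive root for those two indicators and reports which file each shortcut shadows; it builds a constructed sample layout in a temporary directory so it runs anywhere. The hidden-attribute check uses the Windows file attribute when the platform exposes it and otherwise falls back to the dotfile convention. The document-extension list is an assumption, not something the report specifies.

```python
import os
import stat
import tempfile

# Extensions a lure is likely to imitate (assumed list; extend for your environment).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".txt"}


def is_hidden(path):
    """Windows hidden attribute where available; dotfile convention elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    hidden_flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0)
    return bool(attrs & hidden_flag) or os.path.basename(path).startswith(".")


def scan_for_masquerading_lnk(root):
    """Return [(shortcut_path, [reasons])] for .lnk files that look like document lures."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]                      # name without the trailing .lnk
            reasons = []
            inner_ext = os.path.splitext(stem)[1].lower()
            if inner_ext in DOC_EXTS:
                reasons.append(f"double extension {inner_ext}.lnk")
            # A sibling whose base name equals the shortcut's stem is the document
            # the shortcut is standing in for (typically hidden by the malware).
            for sibling in files:
                if sibling == name:
                    continue
                if sibling == stem or os.path.splitext(sibling)[0] == stem:
                    marker = " (hidden)" if is_hidden(os.path.join(dirpath, sibling)) else ""
                    reasons.append(f"shadows {sibling}{marker}")
            if reasons:
                findings.append((os.path.join(dirpath, name), reasons))
    return sorted(findings)


def build_sample_drive():
    """Constructed layout imitating an infected removable drive (placeholder contents)."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    layout = {
        "Invoice.pdf": b"%PDF-placeholder",   # genuine document the lure hides behind
        "Invoice.lnk": b"L\x00\x00\x00",      # shortcut with the same base name
        "Photos.jpg.lnk": b"L\x00\x00\x00",   # double-extension lure
        "Tools.lnk": b"L\x00\x00\x00",        # ordinary shortcut: no twin, no doc ext
        "README.txt": b"notes",               # unrelated file
    }
    for name, content in layout.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_drive()
    for path, reasons in scan_for_masquerading_lnk(sample_root):
        print(f"{path}: {'; '.join(reasons)}")
```

Run `scan_for_masquerading_lnk` against the mount point of a newly inserted drive (for example `E:\` on Windows or `/media/<user>/<label>` on Linux) before opening anything on it. A flagged shortcut is a reason to inspect its target on a machine that does not execute it, or simply to open the shadowed document directly instead of the .lnk.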
Microsoft warned that the combination of clipboard theft, address substitution, screenshot collection, and remote tasking gives attackers both immediate theft opportunities and ongoing control over infected devices. The report advised users to avoid running unknown .lnk files and to keep antivirus software updated.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.