
Microsoft uncovered a crypto clipper malware spread via USB that hijacks clipboard content to swap wallet addresses. The campaign uses Tor to hide command servers.
In late February, Microsoft's Threat Intelligence team flagged a crypto clipper campaign that spreads through USB drives. The malware, which Microsoft Defender labels Trojan/CryptoBandits.A, hijacks clipboard content to swap wallet addresses during transactions.
The malware arrives as a malicious .lnk shortcut file. When opened, it launches two modules: one that copies itself across the system, and another that monitors the clipboard and steals credentials. It uses a packaged Tor proxy to connect to command-and-control servers running on Tor Hidden Services, avoiding direct IP exposure. Microsoft said the malware does not require an installer or a traditional control server, relying instead on Windows Script Host and ActiveX to run the proxy.
Once inside a system, the clipper constantly scans clipboard content for recovery phrases and private keys. Microsoft's researchers found it targets Bitcoin and Ethereum private keys, along with 12-word recovery phrases. It swaps any copied wallet address with one controlled by the attackers before the user pastes it. The malware also takes screenshots and forwards them over the Tor connection, giving the attackers a view of wallet balances and activity. Remote code execution is possible, letting the attackers push additional instructions. Persistence is maintained through scheduled tasks and encryption of the malicious components.
For crypto holders, the attack vector matters because it bypasses typical online security checks. A user copying an address from an exchange or wallet could have it replaced without any visual warning. Transaction confirmations will not catch the switch unless the address is verified manually on both the sending and receiving side. The USB distribution suggests attackers are targeting physical access points, such as shared office computers or public charging stations.
Microsoft recommended disabling auto-run on USB drives, limiting script interpreters from removable media, and monitoring for localhost:9050 proxy activity. The post also urged users to verify wallet addresses character by character after pasting. The campaign's reliance on Tor and scheduled tasks means removal requires scanning for encrypted components, not just deleting the initial .lnk file. Researchers identified indicators including suspicious JavaScript execution, PowerShell-based screenshot capture, and clipboard monitoring behavior. The broader crypto market continues to see rising adoption, making clipboard attacks a persistent risk for desktop users.
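The three indicators Microsoft lists above (script interpreters launched from removable media, localhost:9050 proxy traffic, and PowerShell screenshot capture) can be turned into simple detection rules. The following is an added example, not code from Microsoft or the article; the simplified Sysmon-style event records, the treatment of drive letters other than C: as removable, the approved-client allowlist, and the `CopyFromScreen`/`System.Drawing` pattern are all assumptions made for the example.

```python
import re

# Constructed, simplified Sysmon-style events (not from the Microsoft report).
# kind 1 = process creation, kind 3 = network connection.
SAMPLE_EVENTS = [
    {"kind": 1, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //E:jscript "E:\Invoices\readme.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"kind": 3, "image": r"C:\Windows\System32\wscript.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},
    {"kind": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c Add-Type -AssemblyName System.Drawing; "
                "[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"kind": 3, "image": r"C:\Program Files\Tor Browser\Browser\firefox.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9050},          # approved client, benign
    {"kind": 1, "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Scripts\inventory.vbs"',
     "parent": r"C:\Windows\System32\svchost.exe"},       # local script, benign
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
REMOVABLE_DRIVES = {"D", "E", "F", "G"}   # assumption: non-system drive letters
TOR_SOCKS_PORT = 9050                     # default Tor SOCKS port named in the post
APPROVED_TOR_CLIENTS = {"tor.exe", "firefox.exe"}   # assumption: admin allowlist
SCREENSHOT_API = re.compile(r"CopyFromScreen|System\.Drawing", re.I)  # assumption
DRIVE_LETTER = re.compile(r"\b([A-Za-z]):\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (rule, image) findings for the three indicators."""
    findings = []
    for e in events:
        img = basename(e["image"])
        if e["kind"] == 1:
            cmd = e["cmdline"]
            drives = {m.group(1).upper() for m in DRIVE_LETTER.finditer(cmd)}
            if img in SCRIPT_HOSTS and drives & REMOVABLE_DRIVES:
                findings.append(("script_from_removable", img))
            if img == "powershell.exe" and SCREENSHOT_API.search(cmd):
                findings.append(("powershell_screenshot", img))
        elif e["kind"] == 3 and e["dst_ip"] == "127.0.0.1" \
                and e["dst_port"] == TOR_SOCKS_PORT and img not in APPROVED_TOR_CLIENTS:
            findings.append(("unexpected_tor_socks_client", img))
    return findings
```

Running `analyze(SAMPLE_EVENTS)` flags the wscript launch from E:, the wscript connection to the local SOCKS port, and the PowerShell screenshot command, while the approved browser and the local cscript job pass.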
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.