
Microsoft warns of a crypto clipper trojan spreading via USB drives that swaps wallet addresses on the clipboard every half-second. Here is how to protect your funds.
Microsoft identified a crypto clipper trojan that spreads through infected USB drives and captures private keys by monitoring the Windows clipboard every 500 milliseconds. The malware, classified as Trojan:Win32/CryptoBandits, swaps wallet addresses during copy-paste operations, redirecting funds to attacker-controlled wallets.
The USB delivery method changes the risk profile compared to phishing or malicious downloads. A compromised drive can infect air-gapped machines used for cold storage management. The malware runs locally once the drive is inserted and does not require internet access to activate.
The clipboard swap occurs after the user copies an address and before they paste it. The trojan checks the clipboard every half-second. A quick check of the first and last characters of the destination address can catch the substitution.
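The timing described above gives a defender something to look for: a wallet address on the clipboard that is replaced by a different address of the same type within roughly one polling interval. The Python sketch below is an added example, not code from Microsoft or from this article; the address patterns are simplified shape checks, and the function names, the one-second window and the sample timeline are assumptions constructed for illustration.

```python
import re

# Simplified shape checks (assumption): no checksum validation is performed.
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text):
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None

def find_swaps(samples, window_ms=1000):
    """Flag address-to-address replacements that happen within window_ms.

    samples: (timestamp_ms, clipboard_text) tuples in time order.
    Heuristic: a person rarely copies two different addresses of the same
    family within one second, while a 500 ms poller replaces one that fast.
    """
    alerts = []
    prev = None  # (first_seen_ms, text, kind) of the address now on the clipboard
    for ts, text in samples:
        text = text.strip()
        kind = address_kind(text)
        if kind is None:
            prev = None          # clipboard no longer holds an address
            continue
        if prev and text == prev[1]:
            continue             # unchanged, keep the first-seen time
        if prev and kind == prev[2] and ts - prev[0] <= window_ms:
            alerts.append({"at_ms": ts, "kind": kind,
                           "original": prev[1], "replacement": text})
        prev = (ts, text, kind)
    return alerts

# Constructed clipboard timeline (not real addresses or captured data).
SAMPLES = [
    (0, "meeting notes"),
    (1000, "0x" + "a1" * 20),   # user copies a destination address
    (1400, "0x" + "b2" * 20),   # different address 400 ms later -> alert
    (60000, "0x" + "c3" * 20),  # another copy a minute later -> no alert
    (60500, "0x" + "c3" * 20),  # unchanged sample
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLES):
        print(alert)
```
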
For traders managing wallets on machines that also handle exchange logins, the USB vector introduces a new exposure. The malware can capture seed phrases typed anywhere on the system, not just in wallet software. Microsoft's security team published detection signatures for the trojan. Users should run updated antivirus scans on any machine that has been connected to an untrusted USB drive.
The physical access vector means attackers target locations where crypto users gather, such as conferences and co-working spaces. The malware design suggests the goal is high-value users who manage their own keys. Microsoft's report does not estimate how many wallets have been compromised.
Typing addresses manually or using a hardware wallet that displays the address on its own screen defeats the clipboard hijack. This is not a blockchain vulnerability but an operational risk. The weakest link in crypto security often sits between the user and the interface.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.