
Microsoft's Defender team flags clipper malware spreading via USB drives that swaps wallet addresses and steals BIP39 seed phrases. Here's how to protect crypto funds.
Microsoft's Defender security team has flagged a malware strain that spreads through USB drives and targets cryptocurrency users by hijacking wallet addresses and stealing seed phrases.
The malware infects a Windows machine when a user clicks a shortcut (.lnk) file on a contaminated USB drive. Once inside, it copies itself to every USB drive plugged into the computer afterward. It communicates over Tor to hide its traffic and takes steps to prevent antivirus tools from deleting its components.
Running continuously on the device, the malware scans the clipboard every 500 milliseconds for addresses linked to bitcoin and tron. When it detects one, it assumes the user is about to send funds and swaps the address for one controlled by the attackers. The transaction then goes to the wrong wallet.
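The swap described above can be caught from the other side with the same mechanism the malware uses: poll the clipboard and look for one address being replaced by a different address of the same chain faster than a human could copy it. The following PowerShell monitor is an added example, not code from the Microsoft advisory or from the malware; the address patterns, the 250 ms poll interval and the function names are assumptions made here, and the watcher has to poll faster than the clipper's 500 ms cycle to see the original address before it is overwritten.

```powershell
# Added example: a clipboard watcher that flags clipper-style address swaps.
# Assumed: Windows PowerShell 5.1 or later, run in the interactive session
# that owns the clipboard. Patterns and intervals are this example's own.

# Base58 alphabet used by bitcoin legacy/P2SH and tron addresses (no 0, O, I, l).
$Base58 = '[1-9A-HJ-NP-Za-km-z]'
$AddressPatterns = @{
    # bitcoin: 1... / 3... base58, or bc1... bech32 (bech32 charset excludes 1, b, i, o)
    bitcoin = '^(?:[13]' + $Base58 + '{25,34}|bc1[02-9ac-hj-np-z]{11,71})$'
    # tron: T followed by 33 base58 characters
    tron    = '^T' + $Base58 + '{33}$'
}

function Get-AddressKind {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $t = $Text.Trim()
    foreach ($kind in $AddressPatterns.Keys) {
        # -cmatch: case-sensitive, because base58 and bech32 are case-sensitive
        if ($t -cmatch $AddressPatterns[$kind]) { return $kind }
    }
    return $null
}

# Heuristic: between two consecutive polls the clipboard went from address A
# to a different address B of the same chain. A person copying a second
# address takes seconds; a clipper does it within one 500 ms cycle.
function Test-ClipperSwap {
    param([string]$Previous, [string]$Current)
    $pk = Get-AddressKind $Previous
    $ck = Get-AddressKind $Current
    return ($pk -and $ck -and $pk -eq $ck -and $Previous.Trim() -ne $Current.Trim())
}

function Watch-Clipboard {
    param([int]$IntervalMs = 250, [int]$Seconds = 60)
    $previous = Get-Clipboard -Raw          # whole clipboard text as one string
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Milliseconds $IntervalMs
        $current = Get-Clipboard -Raw
        if (Test-ClipperSwap $previous $current) {
            Write-Warning ("Clipboard address replaced: {0} -> {1}" -f $previous.Trim(), $current.Trim())
        }
        $previous = $current
    }
}

# Usage: copy an address, then run Watch-Clipboard for a minute while pasting.
Watch-Clipboard -Seconds 60
```

The check is deliberately narrow: it only fires when both values parse as addresses of the same chain, so ordinary copy-and-paste of text or of a single address produces no noise. It is a tripwire for a machine you already suspect, not a replacement for the hardening steps below.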
Beyond address hijacking, the malware monitors memory for BIP39 seed phrases of 12 or 24 words. Microsoft's warning notes that USB drop attacks become more dangerous with this variant because it targets high-value crypto assets without requiring the user to open a malicious document or email. The malware also captures five screenshots of the wallet contents. A captured seed phrase is by itself enough to reconstruct the wallet and drain it; the addresses and screenshots tell the attackers which machines hold funds worth taking and where to look for them.
The attack vector is physical. An infected USB drive can be introduced to a machine without the user clicking a link or visiting a malicious website; opening what looks like a document or folder on the drive is enough, because a .lnk file can carry any icon the attacker chooses while silently launching a script. Current Windows versions no longer run programs from USB drives automatically, but AutoPlay still surfaces the drive's contents the moment it is plugged in, and shortcuts on removable media open without a warning. Drives formatted FAT32 or exFAT also cannot carry the Mark of the Web, so nothing on them triggers the SmartScreen prompt a downloaded file would. Many users have not turned those features off.
For crypto users, the risk is highest for those who run wallet software on a general-purpose computer, especially if they regularly plug in USB drives for backups or transfers. Hardware wallet users who copy addresses from companion apps are also exposed if the clipboard is compromised: the swap happens on the host, so the transaction the device is asked to sign already carries the attacker's address. The protection a hardware wallet offers here is its own screen; comparing the destination it displays against the address from the original source, character by character, defeats the swap. Even a brief moment between copying an address and pasting it into a transaction window can be enough for the malware to replace the destination.
The Microsoft Defender team described the malware as "lightweight, script-based stealers" that can deliver outsized impact when paired with anonymized communications and runtime tasking. The use of Tor and anti-detection techniques makes it harder to stop than simpler clipboard scrapers.
Microsoft's recommended steps: disable autorun for all removable media and block execution of shortcuts from USB drives. Those two changes cut off the main infection path. Users should also avoid plugging unknown USB drives into any machine that holds wallet software or seed phrases.
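Those two steps, plus a check for the shortcut pattern the advisory describes, can be applied from an elevated PowerShell prompt. The script below is an added example and is not Microsoft's published configuration guidance verbatim; the registry values are the long-standing AutoRun and AutoPlay policy keys, the GUID is Microsoft Defender's "Block untrusted and unsigned processes that run from USB" attack surface reduction rule, and the audit function name and the list of script hosts it flags are this example's own choices.

```powershell
# Added example, not from the Microsoft advisory. Assumed: elevated PowerShell
# on Windows 10/11 with Microsoft Defender Antivirus active.

# 1. Disable AutoRun for every drive type (0xFF is the all-drives bit mask)
#    and stop autorun.inf processing entirely.
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicy -Force | Out-Null
Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF
Set-ItemProperty -Path $explorerPolicy -Name NoAutorun          -Type DWord -Value 1

#    Turn off AutoPlay prompts for the current user (the "Use AutoPlay for all
#    media and devices" switch in Settings).
$autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
New-Item -Path $autoplay -Force | Out-Null
Set-ItemProperty -Path $autoplay -Name DisableAutoplay -Type DWord -Value 1

# 2. Defender ASR: block unsigned or untrusted executables launched from USB.
#    This covers the payload a shortcut points at when it lives on the drive;
#    a shortcut that calls a built-in script host still needs the audit below.
$UsbAsrRule = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
Add-MpPreference -AttackSurfaceReductionRules_Ids $UsbAsrRule `
                 -AttackSurfaceReductionRules_Actions Enabled

#    Confirm the rule is listed as enabled.
$pref = Get-MpPreference
$idx  = [array]::IndexOf($pref.AttackSurfaceReductionRules_Ids, $UsbAsrRule)
if ($idx -ge 0 -and $pref.AttackSurfaceReductionRules_Actions[$idx] -eq 1) {
    Write-Host "ASR USB rule enabled."
} else {
    Write-Warning "ASR USB rule not active; check Defender tamper protection or policy."
}

# 3. Audit: list shortcuts on removable drives whose target is a script host,
#    the pattern behind the initial click described in the advisory.
$ScriptHosts = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe',
               'cscript.exe','mshta.exe','rundll32.exe'

function Find-SuspiciousUsbShortcut {
    $shell = New-Object -ComObject WScript.Shell
    # DriveType 2 = removable disk
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2'
    foreach ($disk in $removable) {
        Get-ChildItem -Path "$($disk.DeviceID)\" -Filter *.lnk -Recurse -Force `
                      -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = [System.IO.Path]::GetFileName($lnk.TargetPath)
            if ($ScriptHosts -contains $target) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                }
            }
        }
    }
}

Find-SuspiciousUsbShortcut | Format-Table -AutoSize
```

Run the audit before opening anything on a drive of unknown origin: a shortcut named like a document whose target is cmd.exe or powershell.exe with a long argument string is exactly the lure described above. Treat the drive as hostile and do not click through.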
For anyone managing wallets, the only safe USB drive is one that never touches an untrusted machine.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.