Mubite s.r.o., Školská 660/3, Nové Město, ICO: 23221551 Praha 1, 110 00, Czech Republic | Copyright Ⓒ 2026 Mubite. All Rights Reserved.
Microsoft identified a USB-spreading worm called CryptoBandits that has silently swapped crypto wallet addresses since February 2026. Here is exactly how it works.
Microsoft Threat Intelligence disclosed on June 17 that it has been tracking a Windows malware campaign since February 2026 that spreads through infected USB drives and silently hijacks cryptocurrency transfers.
The malware, which Microsoft Defender Antivirus detects as Trojan:Win32/CryptoBandits, monitors a victim's clipboard roughly every 500 milliseconds and replaces copied wallet addresses with attacker-controlled ones before the user pastes them. The transaction completes normally on the victim's screen. The funds go somewhere else entirely.
The infection method is old, but the execution is unusually sophisticated for what is normally a simple class of malware.
The attack starts when a clean USB drive is plugged into an already infected machine. The worm scans the drive for common files including Word documents, Excel sheets, and PDFs, then hides the originals and replaces them with malicious shortcut files using identical names and icons.
When that USB drive is later plugged into a different computer and the victim clicks what looks like their own document, Windows Explorer processes the malicious .lnk file automatically and the payload executes in seconds. No download, no phishing email, no suspicious link. Just a USB stick that looks completely normal.
Once active on a new machine, the malware runs two processes simultaneously. It begins monitoring the clipboard for valuable data, and it waits for the next clean USB drive to repeat the propagation cycle.
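A defender-side check for the propagation pattern just described, added here as an example (it is not code from Microsoft's report or from Mubite): it walks a mounted drive and flags .lnk files that either carry a document extension in their name or share their name with a document sitting beside them, which is what the hidden originals look like after an infected host has touched the stick. The sample drive, its file names and the hidden-attribute helper are constructed assumptions for the demonstration.

```python
import tempfile
from pathlib import Path

# Document types the page says the worm impersonates on a USB stick.
DOCUMENT_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows hidden bit; st_file_attributes exists only on Windows

def is_hidden(path):
    """True when the file carries the Windows hidden attribute (the worm hides originals)."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def scan_removable_drive(root):
    """Return .lnk files that pose as a document, with the reason each was flagged."""
    root, findings = Path(root), []
    for lnk in (p for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".lnk"):
        stem, reasons = lnk.stem, []
        # "invoice.pdf.lnk": a document extension buried in front of .lnk
        if Path(stem).suffix.lower() in DOCUMENT_SUFFIXES:
            reasons.append("document extension before .lnk")
        # "Q1 report.lnk" next to "Q1 report.docx": the shortcut shadows a real document
        for sibling in lnk.parent.iterdir():
            if (sibling != lnk and sibling.is_file() and sibling.stem.lower() == stem.lower()
                    and sibling.suffix.lower() in DOCUMENT_SUFFIXES):
                reasons.append(f"shadows {sibling.name}" + (" (hidden)" if is_hidden(sibling) else ""))
        if reasons:
            findings.append({"lnk": lnk.relative_to(root).as_posix(), "reasons": reasons})
    return findings

def build_sample_drive():
    """Constructed fixture: what a stick looks like after an infected host has touched it."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    (d / "Q1 report.docx").write_bytes(b"PK\x03\x04")   # original (hidden on a real infected stick)
    (d / "Q1 report.lnk").write_bytes(b"L\x00\x00\x00")  # decoy with the same name and icon
    (d / "invoice.pdf.lnk").write_bytes(b"L\x00\x00\x00")
    (d / "notes.txt").write_text("benign")
    (d / "tool.lnk").write_bytes(b"L\x00\x00\x00")       # ordinary shortcut, no document twin
    return str(d)

if __name__ == "__main__":
    for f in scan_removable_drive(build_sample_drive()):
        print(f["lnk"], "->", "; ".join(f["reasons"]))
```

On a real Windows stick the shadowed originals come back with " (hidden)" in the reason, which is the strongest signal of the two; run it against a drive before opening anything on it, not after.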
CryptoBandits targets three specific categories of clipboard data, and understanding each one matters for assessing your own exposure:
Seed phrases and private keys. If you copy a wallet seed phrase or private key for any reason, even briefly, the malware captures it and exfiltrates it to the attacker's server over the Tor network.
Screenshots. The malware takes five screenshots ten seconds apart whenever it detects relevant clipboard activity, capturing visual context an attacker can use to confirm what was stolen.
Recipient wallet addresses. This is the most dangerous capability. When you copy a destination address to send funds, the malware silently swaps it for an attacker-controlled address before you paste it. You see your own address. You confirm the transaction. The money goes to the attacker.
Microsoft's analysis found the malware uses Windows Script Host and ActiveX-driven logic to launch a bundled Tor proxy and communicate with a hidden-service command and control server.
It also sets up scheduled tasks for persistence, meaning it survives a restart and continues monitoring indefinitely. If the attacker's server returns specific commands, the malware can execute additional code at runtime, giving it capabilities beyond a typical wallet-stealing tool.
From the incidents we have analysed across this security beat, standard clipboard-hijacking malware has existed for years and is relatively easy to detect because it typically requires consistent internet connectivity to a fixed server. CryptoBandits routes all communication through Tor, which anonymizes the command and control infrastructure and makes network-based detection significantly harder.
The worm-like USB propagation is also a meaningful escalation. Most modern malware spreads through phishing emails, malicious ads, or compromised downloads. Physical propagation through removable media bypasses email filters, browser security warnings, and most endpoint detection tools that are tuned for network-based threats. Security firm NS3.AI confirmed users have been affected since February, and Binance shared Microsoft's warning directly with its own user base after the disclosure.
Microsoft's recommended mitigations are specific and worth implementing immediately regardless of whether you have noticed anything unusual:
Disable AutoRun and AutoPlay for all removable media on every Windows machine you use for trading
Block .lnk file execution from USB drives at the system policy level if your operating system allows it
Never copy and paste a wallet address without visually verifying the first and last several characters match what you expect, every single time
Avoid copying seed phrases or private keys to the clipboard at all. Type them directly or use a hardware wallet that never exposes the key to the operating system
Check your systems against the indicators of compromise Microsoft published in its security blog if you have used unfamiliar USB drives on a trading machine since February
The address verification habit is the single most important defense here. The malware's entire model depends on the victim trusting that what was copied is what gets pasted. A trader who manually checks the first four and last four characters of any destination address before confirming a transfer defeats this specific attack regardless of whether the malware is present on their system.
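The swap described earlier and the verification habit above, as one added example (not code from Microsoft or Mubite): a guard that polls the clipboard on the same 500 ms cadence and raises an alert when an address turns into a different address with no copy action in between, plus the first-four/last-four comparison side by side with a full comparison. The polling trace, the addresses and the assumption that a copy hook can tag user-initiated copies are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Loose address shapes (constructed for this example; real validators also check checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
def address_kind(text):
    """Return 'btc'/'eth' when text looks like a wallet address, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

@dataclass(frozen=True)
class Sample:
    t_ms: int          # poll time, 500 ms apart like the malware's own loop
    clipboard: str     # clipboard text seen at that poll
    user_copied: bool  # assumed: a copy hook marks the poll right after a Ctrl+C

def detect_swaps(trace):
    """Flag polls where one address became a different address with no user copy."""
    alerts, prev = [], None
    for s in trace:
        if prev and not s.user_copied and prev.clipboard != s.clipboard:
            if address_kind(prev.clipboard) and address_kind(s.clipboard):
                alerts.append((s.t_ms, prev.clipboard, s.clipboard))
        prev = s
    return alerts

def verify_address(expected, actual, edge=4):
    """The page's habit (first/last four characters) next to the full comparison it stands in for."""
    e, a = expected.strip(), actual.strip()
    return {"edge_match": e[:edge] == a[:edge] and e[-edge:] == a[-edge:], "full_match": e == a}

USER_ADDR = "0x" + "1234567890abcdef" * 2 + "12345678"   # constructed, 40 hex digits
SWAPPED_ADDR = "0x" + "deadbeef" * 5                     # constructed stand-in for an attacker address
SAMPLE_TRACE = [                                         # constructed polling log
    Sample(0, "meeting at 3", True),
    Sample(500, USER_ADDR, True),       # user copies the deposit address
    Sample(1000, SWAPPED_ADDR, False),  # changed with no copy action: the swap
    Sample(1500, SWAPPED_ADDR, False),  # stays there until the user pastes
    Sample(2000, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq", True),  # BIP173 example address, legit copy
]

if __name__ == "__main__":
    for t, before, after in detect_swaps(SAMPLE_TRACE):
        print(f"[{t} ms] address changed without a copy: {before} -> {after}")
    print(verify_address(USER_ADDR, SWAPPED_ADDR))
```

The four-character glance is what a person can do at the confirmation screen; where the original address is still available in the source application, the full comparison is the one to automate.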
Funded traders spend significant time thinking about drawdown limits, position sizing, and market risk. The CryptoBandits campaign is a reminder that the computer executing your trades is part of your risk surface too.
A clipboard hijack does not care how disciplined your trading strategy is. It does not respect your stop loss or your daily loss limit. It simply waits for a transfer and redirects it. From what we have observed across the security incidents we have tracked this year, the traders who avoid this category of loss entirely are not the most technically sophisticated ones.
They are the ones who treat basic verification as a non-negotiable habit, the same way they treat risk management on every trade. Verify every address. Question every unfamiliar USB drive. The cost of checking is seconds. The cost of not checking has no upper limit.