On June 17, 2026, Microsoft’s threat‑intelligence team released a detailed report exposing a new Windows‑based malware campaign dubbed Crypto Clipper, known in Defender as Trojan:Win32/CryptoBandits.A. The strain has been active since at least February 2026 and is engineered to steal cryptocurrency credentials, alter wallet addresses, and keep a remote command‑and‑control foothold over infected machines through the Tor network.

At its core, Crypto Clipper is a clipboard hijacker. The program persistently watches the Windows clipboard for high‑value data. When a user copies a 12‑ or 24‑word seed phrase, an Ethereum private key, or a Bitcoin wallet credential, the malware captures the text and forwards it to a C2 server that operates via Tor hidden services. The same mechanism is used to detect and replace copied cryptocurrency addresses. The replacement feature targets Bitcoin, Tron, and Monero addresses, swapping them for look‑alike addresses that the attackers control, thereby diverting outgoing transactions without the user’s knowledge.
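The clipboard behaviour described above (capturing seed phrases and private keys, and swapping a copied address for one of the same family) is exactly what a defender-side monitor can look for. The following is an added example, not code from Microsoft's report or from the malware: it classifies clipboard snapshots and flags the two signatures, a secret landing on the clipboard and a same-family address substitution. The address recognizers, the function names and the sample history are assumptions constructed for this example; the recognizers approximate address shapes and do no checksum validation.

```python
import re
# Simplified recognizers for the address families the report says the clipper
# swaps. Assumption: approximate shapes only, no checksum validation.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{39,59})"),
    "tron": re.compile(r"T[a-km-zA-HJ-NP-Z1-9]{33}"),
    "monero": re.compile(r"[48][a-km-zA-HJ-NP-Z1-9]{94}"),
}
ETH_PRIVATE_KEY = re.compile(r"(?:0x)?[0-9a-fA-F]{64}")

def classify(text: str):
    """Return an address family, 'eth_private_key', 'seed_phrase', or None."""
    t = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(t):
            return family
    if ETH_PRIVATE_KEY.fullmatch(t):
        return "eth_private_key"
    words = t.split()  # a 12- or 24-word lowercase list looks like a seed phrase
    if len(words) in (12, 24) and all(w.isalpha() and w.islower() for w in words):
        return "seed_phrase"
    return None

def is_address_swap(before: str, after: str) -> bool:
    """Clipper signature: same address family, different value. A user copying two
    addresses in a row also trips this; a live monitor pairs it with the copy event."""
    family = classify(before)
    return (family in ADDRESS_PATTERNS and classify(after) == family
            and before.strip() != after.strip())

def scan_clipboard_history(snapshots):
    """Walk consecutive clipboard snapshots; return (index, alert, kind) tuples."""
    alerts = []
    for i, snap in enumerate(snapshots):
        kind = classify(snap)
        if kind in ("eth_private_key", "seed_phrase"):
            alerts.append((i, "secret_on_clipboard", kind))
        if i > 0 and is_address_swap(snapshots[i - 1], snap):
            alerts.append((i, "address_swapped", kind))
    return alerts

SAMPLE_HISTORY = [  # constructed sample clipboard snapshots (not real wallets or keys)
    "1AbCdEfGhJkMnPqRsTuVwXyZ23456789ab",  # user copies a BTC address
    "1ZyXwVuTsRqPnMkJhGfEdCbA98765432cd",  # silently replaced: same family, new value
    "TAbCdEfGhJkMnPqRsTuVwXyZ2345678912",  # Tron address: different family, no swap
    "abandon ability able about above absent absorb abstract absurd abuse access accident",
    "0x" + "ab" * 32,  # hex string shaped like an Ethereum private key
]
```

On a live host the snapshots would come from polling the Windows clipboard; here the sequence is embedded so the detection logic can be exercised offline.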

In addition to clipboard theft, the malware takes screenshots of the victim’s desktop. These images give attackers visual context about wallet balances and transaction histories. Microsoft’s analysis shows that the screenshots are also transmitted through the Tor‑based C2 channel.

A notable element of the campaign is its propagation method. Crypto Clipper spreads through malicious Windows shortcut (.lnk) files that are hidden on USB storage devices. When a user opens what appears to be a normal document, the shortcut executes in the background and installs the Crypto Clipper payload. The malicious files replace legitimate documents with shortcuts that carry the same names, making detection difficult for casual users.

Once installed, Crypto Clipper deploys a portable Tor client and routes all communications through hidden services. The program can receive arbitrary commands from the attackers, enabling remote code execution on the compromised system. Microsoft’s report notes that the combination of Tor‑based persistence, clipboard theft, screenshot exfiltration, and address substitution gives attackers both immediate monetization opportunities and long‑term control.

Microsoft Defender automatically flags the malware as Trojan:Win32/CryptoBandits.A and related variants. The company recommends that users disconnect any suspicious USB drives, run a full system scan with the latest Defender definitions, and review protection history for any indications of CryptoBandits activity.

The discovery of Crypto Clipper underscores the growing sophistication of crypto‑targeted malware. By blending stealthy propagation with powerful exfiltration and remote‑control capabilities, the campaign poses a serious risk to individual wallet holders and potentially to institutional custodians that rely on Windows environments.

Security analysts advise users to be cautious when copying wallet information, to verify that copied addresses match the intended destination, and to keep software and security tools up to date. Microsoft’s threat‑intelligence team continues to monitor the campaign and will update detection signatures as the malware evolves.

In summary, Microsoft has identified a Windows‑based clipper that steals seed phrases, replaces wallet addresses, captures screenshots, and maintains remote access through Tor. The malware spreads via USB‑delivered shortcut files and is detected by Microsoft Defender as Trojan:Win32/CryptoBandits.A. Users are urged to remove infected USB devices, run comprehensive scans, and stay vigilant against clipboard‑based theft.