Microsoft Discovers Malware Targeting Crypto Wallets via USB

The malicious software captures shortcut files, leading to the installation of a worm that steals private keys from the clipboard and substitutes its own wallet addresses during transfers.

By Omkar Godbole | Edited by Sheldon Reback
Jun 19, 2026, 8:48 a.m. | 2 min read

A worm that has been circulating since February spreads via USB drives. (Brina Blum/Unsplash)

Summary
  • The malware, referred to as a "crypto clipper," has been infecting Windows users' crypto wallets through compromised USB drives since February, Microsoft reports.
  • Once it infiltrates a system via a malicious .lnk shortcut, the worm known as Trojan:Win32/CryptoBandits tracks clipboard contents for seed phrases, private keys, and recipient addresses, sending data through the Tor network while replacing wallet addresses with those controlled by the attacker.
  • The malware spreads by overwriting files on clean USB drives with shortcuts that bear the same names.
  • Microsoft has advised users to disable AutoRun, block .lnk file execution from USB drives, restrict script hosts, and check their networks against the published indicators of compromise.

Since February, a malware strain has been targeting Windows PCs and crypto wallets via USB sticks, as detailed in a recent blog post by Microsoft.

This malware, termed a "crypto clipper," is identified by Microsoft Defender Antivirus as Trojan:Win32/CryptoBandits.

The infection begins when a user connects an infected USB drive that contains a harmful shortcut file. In Windows, such shortcuts have the suffix ".lnk" and instruct the system to open a specified program, folder, or file located elsewhere.

Once the USB drive is inserted and the shortcut is opened, a worm is installed on the computer. This worm runs the code that steals crypto wallets while also waiting for a new, clean USB drive to be connected to the same computer.

This wallet-stealing feature monitors the Windows clipboard, which temporarily holds copied data, approximately every half-second. When a user copies a crypto wallet seed phrase or a private key, the malware captures this information and transmits it to the attacker's server via the Tor network, which allows for anonymous communication. Additionally, it captures five screenshots at ten-second intervals and sends those as well.

The threat extends further.

If a user copies a recipient address to transfer funds, the worm covertly replaces it with an address belonging to the attacker before the user pastes it, ensuring the funds are sent to the attacker without any indication of this change.

Moreover, the worm can proliferate when a clean USB drive is inserted into the infected computer. It scans the clean USB for common files, such as Word documents, Excel spreadsheets, and PDFs, replacing them with new shortcut files that have the same names, thus infecting the drive and continuing the cycle.

Microsoft recommends disabling AutoRun for removable devices, blocking .lnk file execution from USB drives via group policy, and restricting script hosts such as wscript.exe and cscript.exe. Users of Microsoft Defender can also run hunting queries for related activity, including connections to a local Tor proxy on port 9050.
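As an added defender-side illustration (not code from Microsoft's post or from this article), the script below turns two behaviours described above into simple checks: shortcut files on a removable drive that carry a document name (the worm overwrites documents with same-named .lnk files), and processes connecting to the local Tor SOCKS port 9050. The directory listing and connection records are constructed samples; the file names and process names are hypothetical.

```python
from pathlib import PurePath

# Constructed listing of a removable drive after documents have been
# replaced by same-named shortcuts (hypothetical names).
USB_LISTING = [
    "Q2 budget.xlsx.lnk",
    "Invoice 2041.pdf.lnk",
    "Notes.docx.lnk",
    "photo_0012.jpg",
    "README.txt",
    "Desktop.ini",
]

# Document types a user would expect to find on a USB stick.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}


def lure_shortcuts(listing):
    """Return .lnk names whose stem still ends in a document extension.

    A legitimate shortcut is rarely called 'report.docx.lnk'; a worm that
    overwrites 'report.docx' with a shortcut of the same name produces
    exactly that double extension.
    """
    hits = []
    for name in listing:
        path = PurePath(name)
        if path.suffix.lower() == ".lnk":
            inner_ext = PurePath(path.stem).suffix.lower()
            if inner_ext in DOC_EXTS:
                hits.append(name)
    return hits


# Constructed endpoint connection records: process, destination, port.
NET_LOG = """
explorer.exe 20.42.73.29 443
updater.exe 127.0.0.1 9050
svchost.exe 127.0.0.1 9050
outlook.exe 52.96.11.4 443
"""


def tor_proxy_clients(log, allowed=()):
    """Return processes that connected to the local Tor SOCKS port 9050,
    skipping any process names the analyst has explicitly allowed."""
    hits = []
    for line in log.strip().splitlines():
        proc, dst, port = line.split()
        if dst == "127.0.0.1" and port == "9050" and proc.lower() not in allowed:
            hits.append(proc)
    return hits
```

Either hit is a pivot for triage, not a verdict on its own: a double-extension shortcut should be compared with the file it replaced, and a 9050 connection should be cross-checked against Microsoft's published hashes and .onion indicators.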

A list of indicators of compromise has been published by Microsoft, which includes file hashes and .onion domains used for command-and-control servers, allowing security teams to audit their networks for potential threats.
