Microsoft Flags USB-Spreading Malware That Targets Crypto Wallets
What happened?
Microsoft said a malware strain targeting Windows users has been spreading through infected USB drives since February. The worm can capture crypto wallet secrets from the clipboard and replace copied recipient addresses with attacker-controlled ones.
Why it matters
The development matters because the malware is designed around everyday wallet behavior: copying seed phrases, private keys or recipient addresses. For crypto users and companies handling digital assets, that makes basic endpoint security and removable-media controls part of wallet risk management, not just general IT hygiene.
Microsoft has identified a Windows malware campaign that targets cryptocurrency users by spreading through infected USB drives. According to CoinDesk, Microsoft describes the software as a “crypto clipper,” with Defender Antivirus detecting it as Trojan:Win32/CryptoBandits.
The infection chain begins when a user opens a malicious Windows shortcut file from an infected USB drive. Once installed, the worm runs wallet-stealing code while also watching for clean USB drives connected to the same computer.
Microsoft said the malware checks the Windows clipboard about every 500 milliseconds. If it detects a Bitcoin or Ethereum seed phrase or private key, it can send that data to an attacker-controlled server over the Tor network. It also takes screenshots and transmits them, according to the report.
The worm can also interfere with outgoing transfers. When a user copies a recipient wallet address, the malware may silently replace it with an attacker-controlled address before the user pastes it, creating the risk that funds are sent to the wrong destination without an obvious warning.
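The behaviour described above has a simple defensive signature: an address on the clipboard changing into a different address of the same family faster than a person would copy a new one. The following is an added illustration of that detection logic, not code from Microsoft's report or the original article; it works over a constructed list of clipboard snapshots (hypothetical addresses, not real indicators) standing in for a platform clipboard API, and the 1000 ms window is an assumption sized against the 500 ms polling the report mentions.

```python
import re
from dataclasses import dataclass

# Loose syntactic checks for the address families the report says the clipper
# targets; they match the shape of an address, not its validity (no checksum).
ADDRESS_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text: str):
    """Return the address family of a clipboard string, or None."""
    s = text.strip()
    for family, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return family
    return None

@dataclass(frozen=True)
class Snapshot:
    t_ms: int    # milliseconds since monitoring started
    text: str    # clipboard contents observed at that moment

def detect_swaps(snapshots, window_ms: int = 1000):
    """Flag a clipper-style swap: an address replaced by a different address
    of the same family within window_ms. Returns (t_ms, original, replacement)."""
    alerts = []
    prev = None
    for snap in snapshots:
        if prev is not None:
            before, after = prev.text.strip(), snap.text.strip()
            fam = classify(before)
            if fam is not None and classify(after) == fam and before != after \
                    and snap.t_ms - prev.t_ms <= window_ms:
                alerts.append((snap.t_ms, before, after))
        prev = snap
    return alerts

# Constructed clipboard history (hypothetical addresses): the user copies a BTC
# address, 400 ms later it has changed under them, then about a minute later
# they legitimately copy two ETH addresses 7 s apart (not flagged).
SAMPLE = [
    Snapshot(0, "1TestAddrAAAAAAAAAAAAAAAAAAAAAAAAA"),
    Snapshot(400, "1TestAddrBBBBBBBBBBBBBBBBBBBBBBBBB"),
    Snapshot(60000, "0x" + "a" * 40),
    Snapshot(67000, "0x" + "b" * 40),
]
```

A real monitor would feed `detect_swaps` with timestamped reads from the system clipboard; a user who genuinely copies two addresses within the window will produce a false positive, so the alert is a prompt to re-check the address before sending, not a block.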
Microsoft recommended steps including disabling AutoRun for removable media, blocking .lnk execution from USB drives through group policy, restricting script hosts such as wscript.exe and cscript.exe, and checking networks against its published indicators of compromise.