Microsoft warns of USB malware that drains crypto wallets
Infection spreads through USB drives, classic.
Cybersecurity researchers at Microsoft have uncovered a sophisticated piece of malware that spreads through USB drives, intercepts cryptocurrency wallet data, and uses the Tor network to secretly transmit stolen assets to attackers.
The malware, officially tracked as Trojan:Win32/CryptoBandits.A and colloquially dubbed "Crypto Clipper," has been actively targeting Windows users since at least February 2026, according to a threat intelligence report published by Microsoft on June 17, 2026.
What is the CryptoBandits malware?
CryptoBandits is a dual-component threat: one part is a self-propagating worm that spreads between devices via USB drives, and the other is a cryptocurrency clipper and stealer that harvests wallet credentials and silently redirects outgoing transactions to attacker-controlled addresses.
What makes this campaign particularly dangerous is its operational sophistication. Rather than relying on a traditional installer or a static, IP-based command-and-control (C2) server, both of which are relatively easy for security tools to flag, CryptoBandits deploys a portable Tor client on the infected machine and routes all communications through a local SOCKS5 proxy to a hidden-service C2 server. This makes the malware's network traffic extremely difficult to trace or block.
How the infection spreads
The attack begins with a malicious Windows Shortcut (.lnk) file stored on an infected USB drive. When a victim plugs in the drive, what they see appears to be their normal collection of documents. In reality, the originals have been quietly hidden, and in their place are identically named shortcut files that execute the malware upon opening.
Once triggered, the worm component does the following:
Check whether the machine is already infected, downloading the full payload only if it isn't.
Scan connected USB drives for common document types, hide the originals, and replace them with new malicious .lnk shortcuts bearing the same filenames.
Create scheduled tasks to ensure both the worm and stealer components persist on the system across reboots.
Exclude its own file-based payloads from Microsoft Defender scanning to avoid immediate removal.
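The hidden-original-plus-shortcut pattern described above is easy to audit for on a drive you suspect has been plugged into an infected machine. The script below is an added example written for this page, not Microsoft's code or anything from the report: it lists the files at the root of a removable drive, pairs every .lnk with a hidden document that shares its name (either the full name, as in Report.docx.lnk, or the stem, as in Report.lnk), and reports the pairs. The set of document extensions is an assumption, since the report only says "common document types"; the sample listing is constructed for illustration.

```python
"""Audit a removable drive for the lnk-decoy pattern (hidden document + same-named shortcut).

Added example for this article, not Microsoft's code. Run as:
    python lnk_decoy_audit.py E:\\
With no argument it runs against a constructed sample listing.
"""
import os
import stat
import sys

# Assumed set of "common document types"; the report does not enumerate them.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt"}

# Constructed sample listing: (filename, is_hidden). Two decoy pairs, one benign shortcut.
SAMPLE_LISTING = [
    ("Quarterly Report.docx", True),   # original, hidden by the worm
    ("Quarterly Report.lnk", False),   # decoy shortcut with the same stem
    ("Notes.txt", False),
    ("Budget.xlsx", True),             # original, hidden
    ("Budget.xlsx.lnk", False),        # decoy shortcut with the full original name
    ("readme.pdf", False),             # visible, so readme.lnk below is not a decoy
    ("readme.lnk", False),
]


def list_entries(path):
    """Yield (name, is_hidden) for the files directly under path.

    On Windows the hidden flag comes from the file attributes; elsewhere a
    leading dot is used so the function still runs on a mounted image.
    """
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        attrs = getattr(entry.stat(), "st_file_attributes", 0)
        if attrs:
            hidden = bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
        else:
            hidden = entry.name.startswith(".")
        yield entry.name, hidden


def find_lnk_decoys(entries):
    """Return [(shortcut_name, hidden_original_name)] for every .lnk that
    shadows a hidden document, matching on full name or on stem."""
    entries = list(entries)
    hidden_by_name = {}
    hidden_by_stem = {}
    for name, hidden in entries:
        stem, ext = os.path.splitext(name)
        if hidden and ext.lower() in DOC_EXTENSIONS:
            hidden_by_name[name.lower()] = name
            hidden_by_stem[stem.lower()] = name

    findings = []
    for name, _ in entries:
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".lnk":
            continue
        key = stem.lower()
        original = hidden_by_name.get(key) or hidden_by_stem.get(key)
        if original:
            findings.append((name, original))
    return findings


if __name__ == "__main__":
    listing = list_entries(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    for shortcut, original in find_lnk_decoys(listing):
        print(f"DECOY  {shortcut!r} shadows hidden {original!r}")
```

A hit means the shortcut, not the document, is what a user double-clicks; the shortcut's target and arguments are what to triage next, and the drive should be treated as infected rather than cleaned file by file.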
This method of propagation is deliberately low-profile: a user who lends a USB drive to a colleague, or who plugs a drive into a shared or public computer, can unknowingly carry the infection to entirely new networks. In short, it is the classic way laptops got infected back in college (if you know, you know).
How CryptoBandits steals cryptocurrency
Once embedded on a system, the clipper component gets to work. It polls the Windows clipboard approximately every 500 milliseconds, scanning copied content for patterns that match cryptocurrency wallet addresses and seed phrases.
The theft operates on two levels. First, the malware exfiltrates any detected wallet credentials (seed phrases, private keys) directly to the attacker's Tor-hosted C2 server. Second, and more insidiously, it performs wallet address substitution: when a user copies a recipient address to send a crypto payment, the malware silently replaces it with an attacker-controlled address before the user pastes it. The funds are then transferred directly to the attacker, with no visible cue to the victim.
To give the operators context, the stealer also captures five screenshots taken ten seconds apart whenever sensitive clipboard data is detected, providing a visual snapshot of what the victim was doing (open browser tabs, financial dashboards, exchange login screens) at the moment of compromise.
Remote access and adaptability
Beyond theft, CryptoBandits includes a remote code execution capability via a command called EVAL, which allows the C2 operators to push and run arbitrary code on any infected machine. This transforms what began as a financial stealer into a general-purpose remote access tool (RAT), enabling attackers to adapt the malware's behavior after deployment without requiring a full reinfection.
The malware also incorporates several anti-analysis measures. The initial installer is a Python-based executable obfuscated with PyArmor and packaged with PyInstaller, complicating static analysis. Its JavaScript payloads, dropped to C:\Users\Public\Documents, use a separate dual-layer obfuscation scheme. As an additional precaution, the malware checks running processes and exits immediately if Task Manager is detected, making it harder to observe during live analysis.
What this means for crypto users
Malware infections via flash drives had been fading as cloud storage became the norm. CryptoBandits is a sharp reminder that physical media remains a viable attack vector, especially because it exploits behaviors that feel routine and safe, like sharing a USB drive with a trusted colleague.
For cryptocurrency holders in particular, the risks are severe. Unlike a stolen password, a transferred cryptocurrency transaction is essentially irreversible. If an attacker substitutes a wallet address before a payment is sent, there is typically no way to recover the funds.
How to protect yourself
Microsoft has published indicators of compromise (SHA-256 hashes), MITRE ATT&CK technique mappings, and KQL hunting queries to help security teams identify existing infections. The company recommends:
Disable AutoRun/AutoPlay on Windows to prevent automatic execution from USB media.
Block .lnk file execution from removable drives via Group Policy or endpoint protection rules.
Restrict Windows Script Host (WSH) to prevent script-based payloads from running without explicit authorization.
Monitor for suspicious localhost:9050 connections, which indicate SOCKS5/Tor proxy usage — a strong behavioral indicator of this malware.
Audit networks against published indicators of compromise from Microsoft's Security Blog.
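The localhost:9050 indicator above can be checked on an endpoint with nothing more than netstat output. The script below is an added example for this article, not part of Microsoft's published hunting material: it parses `netstat -ano` lines and flags both the process listening on loopback port 9050 (the SOCKS proxy) and any process with a connection to it (the proxy's client), returning PIDs to investigate. The netstat lines are constructed samples; the PIDs in them are illustrative. Note that 9050 is also the default SOCKS port of a legitimately installed Tor daemon, so a hit should be confirmed by looking at the image path of the flagged PIDs rather than escalated on its own.

```python
"""Flag loopback SOCKS5/Tor proxy use (port 9050) from netstat -ano output.

Added example for this article, not Microsoft's code. On Windows:
    python tor_proxy_check.py          # runs netstat -ano -p tcp itself
Elsewhere it analyses the constructed sample below.
"""
import re
import subprocess
import sys

TOR_SOCKS_PORT = 9050           # the port the article's guidance calls out
LOOPBACK = {"127.0.0.1", "[::1]"}

# One TCP line of `netstat -ano`: proto, local, remote, state, pid.
NETSTAT_TCP_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# Constructed sample: a proxy listening on 9050 (PID 3876), one client
# connected to it (PID 4120), ordinary HTTPS traffic, and a UDP line to ignore.
SAMPLE_NETSTAT = """
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       3876
  TCP    127.0.0.1:9050         127.0.0.1:49712        ESTABLISHED     3876
  TCP    127.0.0.1:49712        127.0.0.1:9050         ESTABLISHED     4120
  TCP    192.168.1.20:50231     142.250.72.46:443      ESTABLISHED     1324
  UDP    0.0.0.0:5353           *:*                                    2088
"""


def split_endpoint(endpoint):
    """'127.0.0.1:9050' -> ('127.0.0.1', 9050); handles '[::1]:9050' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return a list of TCP rows as dicts; non-TCP and malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = NETSTAT_TCP_RE.match(line)
        if not match:
            continue
        local, remote, state, pid = match.groups()
        rows.append({
            "local": split_endpoint(local),
            "remote": split_endpoint(remote),
            "state": state,
            "pid": int(pid),
        })
    return rows


def find_tor_proxy_activity(rows, port=TOR_SOCKS_PORT):
    """Return findings for every row touching loopback:<port>.

    role "proxy":  the local side is loopback:<port> (the process serving SOCKS)
    role "client": the remote side is loopback:<port> (the process using it)
    """
    findings = []
    for row in rows:
        local_host, local_port = row["local"]
        remote_host, remote_port = row["remote"]
        if local_host in LOOPBACK and local_port == port:
            findings.append({"pid": row["pid"], "role": "proxy", "state": row["state"]})
        elif remote_host in LOOPBACK and remote_port == port:
            findings.append({"pid": row["pid"], "role": "client", "state": row["state"]})
    return findings


def suspicious_pids(text):
    """Convenience wrapper: sorted unique PIDs worth examining."""
    return sorted({f["pid"] for f in find_tor_proxy_activity(parse_netstat(text))})


if __name__ == "__main__":
    if sys.platform == "win32":
        output = subprocess.run(["netstat", "-ano", "-p", "tcp"],
                                capture_output=True, text=True).stdout
    else:
        output = SAMPLE_NETSTAT
    for finding in find_tor_proxy_activity(parse_netstat(output)):
        print(f"{finding['role']:<6} pid={finding['pid']} state={finding['state']}")
```

The PIDs this returns are the starting point, not the verdict: the next step is to resolve each PID to its image path and parent, and to compare the binary against the SHA-256 indicators Microsoft published.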
Microsoft Defender currently detects the malware family. Microsoft's Defender Experts team assisted in the investigation, though the company has not yet attributed the campaign to a specific threat actor or estimated the total number of infections.