USB-Borne Crypto Clipper Malware Targets Bitcoin and Ethereum Wallets on Windows


Key Points

- A malicious program dubbed “crypto clipper” has been propagating via compromised USB storage devices since February 2026, according to Microsoft.
- Classified as Trojan:Win32/CryptoBandits, this threat continuously scans the Windows clipboard approximately every half second.
- The malware exfiltrates cryptocurrency wallet recovery phrases and private credentials through the Tor anonymity network.
- Copied wallet addresses are replaced in real time with addresses belonging to threat actors, redirecting cryptocurrency transactions.
- Protection measures include disabling AutoRun functionality and preventing .lnk file execution from removable storage.

Cybersecurity researchers at Microsoft have uncovered a sophisticated malware campaign leveraging USB storage devices to compromise cryptocurrency wallets on Windows-based systems. The threat has been circulating since February 2026.

Embedded tweet:
“Microsoft Warns of Tor-Based Crypto Clipper Targeting Wallet Data. Microsoft Threat Intelligence and Microsoft Defender Experts said they identified a Windows-based crypto clipper that has affected users since February 2026. The malware spreads via malicious .lnk shortcuts and… pic.twitter.com/tDZ6CNg322”
— Wu Blockchain (@WuBlockchain), June 19, 2026

Dubbed a “crypto clipper” by Microsoft’s security team, the malicious software is detected by Windows Defender Antivirus under the designation Trojan:Win32/CryptoBandits. The technology giant published comprehensive details about this emerging threat in a recent security advisory.

Infection occurs when victims connect a compromised USB device to their computer. Hidden within the drive is a weaponized shortcut file bearing the “.lnk” extension. User interaction with this file triggers the installation of a self-propagating worm.

Following successful deployment, the malicious code executes two operations simultaneously. It initiates the extraction of cryptocurrency wallet information while monitoring for additional USB devices that can serve as infection vectors.

Clipboard Interception Mechanism

The threat operates by continuously monitoring clipboard activity at intervals of approximately 500 milliseconds. The clipboard serves as Windows’ temporary storage for copied data during copy-paste operations.

Whenever users copy sensitive cryptocurrency information—including wallet seed phrases or private keys associated with Bitcoin or Ethereum accounts—the malware instantly captures this data. The stolen credentials are subsequently transmitted to attacker-controlled infrastructure via the Tor anonymity network, effectively concealing the final destination.

Additionally, the malware captures five sequential screenshots at ten-second intervals, forwarding these images to the threat actors for analysis.

Beyond credential theft, the malware implements a particularly insidious function. When users copy a recipient wallet address for a cryptocurrency transfer, the worm surreptitiously replaces it with an attacker-controlled address. Victims unknowingly paste the malicious address, inadvertently transferring their digital assets directly to the cybercriminals.

Propagation Methods and Mitigation Strategies

When uninfected USB storage is connected to a compromised system, the worm immediately springs into action. It systematically scans the removable media for legitimate documents, including Word files, Excel spreadsheets, and PDF documents. The malware then substitutes these files with identically named shortcut files containing the malicious payload. The infected drive subsequently spreads the threat to every system it is connected to.

Microsoft has issued several defensive recommendations to mitigate this threat. Organizations and individuals should deactivate AutoRun functionality for removable storage devices and implement group policy restrictions blocking .lnk file execution from USB drives.

Additional protective measures include restricting the Windows Script Host executables wscript.exe and cscript.exe. Organizations utilizing Microsoft Defender can deploy specialized hunting queries to identify suspicious activity, including network connections targeting local Tor proxy services operating on port 9050.

The security advisory includes a comprehensive list of indicators of compromise, featuring file hash values and .onion domain addresses functioning as command-and-control infrastructure, enabling security professionals to audit their environments for potential infections.

Cryptocurrency exchange Binance has also acknowledged the threat, distributing Microsoft’s security warning to its user base. Cybersecurity firm NS3.AI has verified that victims have been impacted by this malware campaign since February 2026.

The post USB-Borne Crypto Clipper Malware Targets Bitcoin and Ethereum Wallets on Windows appeared first on Blockonomi.
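To illustrate the hunting guidance above (script hosts launched from removable media, and connections to a local Tor SOCKS proxy on port 9050), here is an added Python example; it is not from Microsoft's advisory or the article. The event layout, process names, the loopback check, the "known Tor client" allow-list and the removable drive letter are all constructed assumptions, not values from the advisory.

```python
"""Run two hunting rules from the advisory over constructed Sysmon-style events:
script-host execution referencing a removable drive, and loopback connections
to the Tor SOCKS port 9050 from a process that is not a known Tor client."""
from dataclasses import dataclass
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TOR_SOCKS_PORT = 9050
# Assumption: processes expected to talk to a local Tor proxy in this environment.
KNOWN_TOR_CLIENTS = {"tor.exe", "firefox.exe"}

@dataclass
class Event:
    event_id: int            # 1 = process create, 3 = network connect (Sysmon numbering)
    image: str               # full path of the process image
    command_line: str = ""   # only meaningful for event 1
    dest_ip: str = ""        # only meaningful for event 3
    dest_port: int = 0

def script_host_from_removable(ev, removable_drives):
    """Flag wscript/cscript runs whose arguments point at a removable drive letter."""
    if ev.event_id != 1 or ntpath.basename(ev.image).lower() not in SCRIPT_HOSTS:
        return False
    args = ev.command_line.replace('"', "").split()[1:]   # drop the image token
    return any(a[:2].upper() in removable_drives for a in args)

def tor_proxy_connection(ev):
    """Flag loopback connections to 9050 from anything other than a known Tor client."""
    if ev.event_id != 3 or ev.dest_port != TOR_SOCKS_PORT:
        return False
    if not ev.dest_ip.startswith("127."):
        return False
    return ntpath.basename(ev.image).lower() not in KNOWN_TOR_CLIENTS

def hunt(events, removable_drives):
    """Return (rule, image, detail) tuples for every event that trips a rule."""
    hits = []
    for ev in events:
        if script_host_from_removable(ev, removable_drives):
            hits.append(("script-host-from-usb", ev.image, ev.command_line))
        if tor_proxy_connection(ev):
            hits.append(("tor-socks-9050", ev.image, f"{ev.dest_ip}:{ev.dest_port}"))
    return hits

# Constructed sample telemetry; E: is the removable drive in this scenario.
SAMPLE = [
    Event(1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "E:\Quarterly_Report.vbs"'),
    Event(1, r"C:\Windows\System32\cscript.exe", r"cscript.exe C:\Scripts\backup.vbs"),
    Event(3, r"C:\Users\u\AppData\Roaming\svc.exe", dest_ip="127.0.0.1", dest_port=9050),
    Event(3, r"C:\Tor Browser\Browser\firefox.exe", dest_ip="127.0.0.1", dest_port=9050),
    Event(3, r"C:\Users\u\AppData\Roaming\svc.exe", dest_ip="203.0.113.5", dest_port=443),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE, {"E:"}):
        print(hit)
```

Real telemetry would also need the removable-drive set derived from device events and a tuned client allow-list; the point here is that both behaviours are cheap to match once the events are normalized.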