Microsoft has uncovered a crypto-stealing malware campaign that skips the blockchain entirely and goes straight for the user's device, lifting seed phrases and private keys and quietly swapping the wallet addresses people copy and paste.

Key Takeaways

  • Microsoft flagged a Windows crypto clipper malware active since February 2026.

  • It spreads through malicious shortcut files on USB drives.

  • The malware steals seed phrases and swaps copied wallet addresses.

  • It hides its command server inside the Tor network.

  • Microsoft Defender detects it as Trojan:Win32/CryptoBandits.A.

  • It attacks the device, not the blockchain or the exchange.

  • Attacks on individual wallets are a fast-growing share of crypto theft.


What Microsoft Found

Microsoft Threat Intelligence disclosed a Windows-based cryptocurrency clipper campaign that has been running since February 2026. The malware spreads through malicious shortcut, or .lnk, files planted on USB storage devices. When a victim opens what looks like an ordinary file shortcut, the payload quietly installs two parts: a worm that copies itself to other removable drives, and a clipper module built to harvest crypto credentials.

Once active, it runs several high-value operations at once. It scans for seed phrases and private keys, captures screenshots, monitors the clipboard, replaces copied wallet addresses with attacker-controlled ones, and keeps a remote connection open through Tor. Microsoft Defender detects it as Trojan:Win32/CryptoBandits.A.

Why It Attacks the Device, Not the Chain

The most concerning part is the target. Rather than breaching an exchange or exploiting a smart contract, this malware compromises the entire ownership process at its weakest link: the computer itself. Most users concentrate their security thinking on exchange accounts, hardware wallets, and contract risk. This campaign sidesteps all of that.

The logic is simple and unforgiving. If an attacker obtains a 12- or 24-word seed phrase or a private key, or substitutes the address a user is about to send to, the blockchain's security becomes irrelevant, because the compromise happened before the transaction was ever signed. No amount of on-chain security helps when the theft occurs on the device.

How the Clipboard Attack Works

The malware polls the clipboard roughly every 500 milliseconds, hunting for seed phrases, private keys, and wallet addresses across multiple chains, with support for Bitcoin (including legacy, P2SH, Taproot, and Bech32 formats), Tron, and Monero addresses. When it detects a copied address, it can silently replace it with an attacker-controlled address before the user pastes it into a wallet or withdrawal form. To avoid suspicion, the substitute is chosen to resemble parts of the original, typically the leading and trailing characters, so a quick visual check is unreliable. Captured data is then sent out through Tor, where it is far harder to trace.
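The mechanics above, as an added example that is not code from Microsoft's report or from the malware itself: format-only patterns for the address types the campaign targets, a lookalike-selection step that models how a clipper picks a substitute sharing the victim address's leading and trailing characters, and the two checks a user might do on the pasted result. The sample addresses are constructed for this example and are not real or checksum-valid; the patterns follow public address-format rules (prefix, alphabet, length) and do not validate checksums.

```python
import re
from typing import Dict, List, Optional, Tuple

# Format-only patterns. Base58 omits 0, O, I and l; bech32 is a lowercase
# 32-character alphabet without 1, b, i and o. No checksum validation here.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[02-9ac-hj-np-z]"
PATTERNS: Dict[str, re.Pattern] = {
    "btc_legacy_p2pkh": re.compile(rf"1{B58}{{25,34}}"),
    "btc_p2sh": re.compile(rf"3{B58}{{25,34}}"),
    "btc_bech32_segwit": re.compile(rf"bc1q{BECH32}{{38,58}}"),
    "btc_taproot": re.compile(rf"bc1p{BECH32}{{58}}"),
    "tron": re.compile(rf"T{B58}{{33}}"),
    "monero": re.compile(rf"[48]{B58}{{94}}"),
}

# Constructed sample addresses: right shape, not real, not checksum-valid.
VICTIM_ADDRESS = "bc1q7x0cj3pq8mk5nvz9ead4ur2tgsh6fyw3l0q5c7"
ATTACKER_POOL = [
    "1Kz7mN3pQ9rS4tU6vW8xY2aB5cD7eF9gHj",          # legacy BTC
    "TQn9Y2kh3mP5rS7tU4vW6xZ8aB2cD4eF6g",          # Tron
    "bc1qa9ezk3mn5p7wd2sg4hf8yu6rt0vxcj5qz3e7mk",  # bech32, no resemblance
    "bc1q7x0czz9ek2mn4p8wad3sg6hfyu5rt0vxcjq5c7",  # bech32, same first 8 / last 4 chars
]


def classify(text: str) -> Optional[str]:
    """Return the address format name if the text looks like a wallet address, else None."""
    for name, pattern in PATTERNS.items():
        if pattern.fullmatch(text):
            return name
    return None


def shared_edges(a: str, b: str) -> Tuple[int, int]:
    """Lengths of the common prefix and the non-overlapping common suffix of two strings."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def choose_lookalike(original: str, pool: List[str]) -> Optional[str]:
    """Model of the substitution step: among attacker addresses of the same format,
    pick the one sharing the most leading and trailing characters with the victim's."""
    fmt = classify(original)
    candidates = [addr for addr in pool if fmt is not None and classify(addr) == fmt]
    if not candidates:
        return None
    return max(candidates, key=lambda addr: sum(shared_edges(original, addr)))


def clip(clipboard_text: str, pool: List[str]) -> str:
    """One tick of the clipper loop: swap the content only if it is a recognised address."""
    substitute = choose_lookalike(clipboard_text.strip(), pool)
    return substitute if substitute else clipboard_text


def glance_check(copied: str, pasted: str, n: int = 4) -> bool:
    """The check most people do: compare only the first and last n characters."""
    return copied[:n] == pasted[:n] and copied[-n:] == pasted[-n:]


def full_check(copied: str, pasted: str) -> bool:
    """The check that actually catches substitution: compare every character."""
    return copied == pasted


if __name__ == "__main__":
    swapped = clip(VICTIM_ADDRESS, ATTACKER_POOL)
    print("copied :", VICTIM_ADDRESS)
    print("pasted :", swapped)
    print("glance check passes:", glance_check(VICTIM_ADDRESS, swapped))
    print("full check passes  :", full_check(VICTIM_ADDRESS, swapped))
```

Run it and the glance check passes while the full comparison fails: the substitute shares the "bc1q7x0c" prefix and "q5c7" suffix with the victim's address, which is exactly the resemblance the campaign relies on. Non-address clipboard text passes through untouched, which is why the infection is so quiet in day-to-day use.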

The Tor Component That Makes It Hard to Stop

Rather than relying on conventional command-and-control servers, the campaign bundles its own Tor client, routes traffic through a local SOCKS5 proxy on localhost:9050, and communicates with hidden .onion services. It also supports remote code execution, running attacker-supplied code on command. Because it leans on built-in Windows scripting tools instead of a large, detectable installer, it slips past simple file-based scanning and conventional network monitoring.

Signs Your Device May Be Compromised

Because this malware avoids a bulky installer and runs through legitimate Windows tools, it leaves subtle traces rather than obvious ones. Here are several behaviors worth watching for:

  • Files on a USB drive turned into shortcuts. The worm hides your real files and replaces them with look-alike .lnk shortcuts carrying the same names, a hallmark of the infection.

  • Unexpected scripting activity. Additional red flags are wscript.exe or cscript.exe running from user folders or removable drives, and PowerShell launching screen captures.

  • An unfamiliar process or proxy. The malware runs a bundled Tor client (observed as a renamed binary) and opens a local proxy on port 9050, activity that does not belong on most personal machines.

  • A pasted address that does not match. If a wallet address you paste differs from the one you copied, even slightly, treat it as a serious warning sign and stop.

Microsoft recommends prioritizing behavior-based detection over simple file scanning, since the campaign is built specifically to evade the latter.
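The behaviors listed above, turned into detection logic as an added example (not Microsoft's own rules or tooling): a small scanner that walks Sysmon-style process-create and network-connect events and flags script hosts launched from user or removable paths, PowerShell invoking screen-capture APIs, a renamed Tor binary, and connections to the local SOCKS port. The events are constructed JSON lines using Sysmon field names; the specific indicators (CopyFromScreen as a screen-capture marker, "any drive other than C:" as a stand-in for removable media, OriginalFileName still reading tor.exe on the renamed binary) are assumptions for this example.

```python
import json
import re
from typing import Dict, Iterable, List, Tuple

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network connect).
# Field names follow Sysmon's schema; the values are invented for this example.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\cscript.exe", "OriginalFileName": "cscript.exe", "CommandLine": "cscript.exe C:\\Windows\\System32\\slmgr.vbs /dlv", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "OriginalFileName": "wscript.exe", "CommandLine": "wscript.exe //B //Nologo E:\\Invoices\\Q3_report.vbs", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe -w hidden -c Add-Type -AssemblyName System.Drawing; $g=[System.Drawing.Graphics]::FromImage($b); $g.CopyFromScreen(0,0,0,0,$b.Size)", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Updater\\svchost.exe", "OriginalFileName": "tor.exe", "CommandLine": "svchost.exe -f torrc", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9050, "Protocol": "tcp"}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443, "Protocol": "tcp"}
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TOR_SOCKS_PORT = 9050
# Script locations a script host should rarely run from. Treating any non-C: drive as
# removable is an assumption for this example; a real rule would join on device events.
SUSPICIOUS_SCRIPT_PATH = re.compile(r"(?i)(^[d-z]:\\|\\users\\)")
# Assumed markers for a PowerShell screen grab via the .NET drawing classes.
SCREEN_CAPTURE_MARKERS = ("System.Drawing", "CopyFromScreen")


def load_events(text: str) -> List[Dict]:
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def script_path(cmdline: str) -> str:
    """Pull the first script file argument out of a script-host command line."""
    match = re.search(r"(?i)\b([a-z]:\\\S+?\.(?:vbs|vbe|js|jse|wsf))\b", cmdline)
    return match.group(1) if match else ""


def scan(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Apply the behavioural rules; returns (rule name, image path) hits in event order."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        image = ev.get("Image", "")
        name = basename(image)
        if ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            if name in SCRIPT_HOSTS and SUSPICIOUS_SCRIPT_PATH.search(script_path(cmd)):
                hits.append(("script_host_from_user_or_removable_path", image))
            if name == "powershell.exe" and all(m in cmd for m in SCREEN_CAPTURE_MARKERS):
                hits.append(("powershell_screen_capture", image))
            # Renamed Tor client: the file name changed but the PE version info did not.
            if ev.get("OriginalFileName", "").lower() == "tor.exe" and name != "tor.exe":
                hits.append(("renamed_tor_binary", image))
        elif ev.get("EventID") == 3:
            if ev.get("DestinationIp") == "127.0.0.1" and ev.get("DestinationPort") == TOR_SOCKS_PORT:
                hits.append(("local_socks_9050_connection", image))
    return hits


if __name__ == "__main__":
    for rule, image in scan(load_events(SAMPLE_EVENTS)):
        print(f"{rule:42s} {image}")
```

Against the sample events this yields four hits (the wscript launch from E:, the PowerShell screen capture, the renamed Tor binary under AppData, and the PowerShell connection to 127.0.0.1:9050) and stays silent on the benign svchost, the system cscript run and the browser's HTTPS connection. The rules are deliberately behavioral, matching the recommendation above: none of them depends on a file hash.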

How to Protect Your Crypto From This Kind of Malware

The encouraging news is that the defenses are practical, and most trace directly to Microsoft's own recommendations. Because the attack begins at the device, that is where protection has to start.

  • Treat USB drives as untrusted. The campaign spreads through removable media, so Microsoft advises disabling autorun and autoplay and blocking the execution of .lnk shortcut files from USB drives. Avoid plugging in unknown drives entirely.

  • Always verify the full address. Since the clipper swaps copied addresses, check every character of a pasted address against the intended one, not just the first and last few. Sending a small test transaction first is a sound habit for large transfers.

  • Use a hardware wallet and confirm on-device. A hardware wallet keeps private keys offline and lets you verify the destination address on the device's own screen, which defeats clipboard substitution because you confirm the real address independently of the infected computer.

  • Never store your seed phrase digitally. The malware specifically hunts for seed phrases in the clipboard and in files on disk. Keep recovery phrases offline and physical, never typed, copied, or saved on a connected device.

  • Keep endpoint protection current. Microsoft Defender already detects this family, so keeping Windows and antivirus updated, and running real-time protection, closes the door on known variants.

One hard truth underpins all of this: blockchain transactions are irreversible. If funds are sent to an attacker's substituted address and confirmed on-chain, there is generally no way to claw them back, no bank to call and no transaction to reverse. That permanence is exactly why prevention, not recovery, is where the effort has to go.

The Bigger Picture for Crypto Security

This campaign reinforces a lesson that keeps getting sharper: the weakest point in crypto security is often no longer the blockchain, the exchange, or the wallet provider, but the endpoint device used to access them. The data backs that shift. Blockchain analytics firm Chainalysis reported that more than $2.17 billion was stolen from crypto services in the first half of 2025, already surpassing all of 2024, with losses on pace to top $4 billion by year-end. The same report found that attacks on individuals had grown to roughly 23% of all stolen-fund activity, a share driven in part by more sophisticated individual-targeting techniques.

That is the trend CryptoBandits fits into. As attackers lean further into clipboard theft, seed-phrase extraction, and device compromise, the economics favor going after individuals directly rather than breaching hardened exchange infrastructure. Protecting the computer itself is becoming just as important as protecting the assets held on it.

#MalwareAlert