Microsoft Warns of New Malware Stealing Crypto via USB

We may earn commissions from affiliate links or include sponsored content, clearly labeled as such. These partnerships do not influence our editorial independence or the accuracy of our reporting. By continuing to use the site you agree to our terms and conditions and privacy policy.

Article Details

Microsoft identifies a sophisticated crypto clipper spreading through USB devices to steal Bitcoin and Ethereum by hijacking system clipboards.

According to a report by the tech giant, a malware campaign active since at least February utilizes a sophisticated mix of techniques to steal funds and maintain long-term access to compromised systems.

Security experts describe the code as a hybrid between a “crypto clipper” and a backdoor, capable of communicating with attacker-controlled servers through the anonymous Tor network.

USB Devices Emerge as a Primary Attack Vector

One of the most dangerous features of this campaign is its ability to spread autonomously via external storage media. This worm-like propagation makes it particularly resilient.

Once a computer is infected, the software scans connected USB devices for common file formats, including Word documents, Excel spreadsheets, and PDF files. The malware hides the original files from the user and replaces them with malicious Windows shortcut (.lnk) files that mirror the original names.

To the average user, everything appears normal. However, opening the file triggers the malware, infecting the new system and continuing the infection cycle.

This technique allows the attack to penetrate corporate networks and offline environments where traditional internet-based threats are often blocked or restricted.

Stealing Cryptocurrency via Address Replacement

The primary objective of the campaign remains the theft of digital assets through clipboard manipulation.

The malware monitors the system clipboard approximately every half-second, searching for patterns that match cryptocurrency wallet addresses. It targets several major blockchains, including Bitcoin, Ethereum, Monero, and Tron.

When a user copies a wallet address to send funds, the program automatically replaces it with an address controlled by the attackers. If the victim fails to verify the details before confirming the transaction, the funds are sent directly to the scammers.

While clipboard hijacking has existed for years, Microsoft notes that this new version is significantly more advanced, combining the clipper approach with additional tools for data harvesting.

Backdoor Access to Sensitive Data

Beyond swapping payment addresses, the software establishes a persistent communication channel with the attackers’ servers.

It achieves this by using its own Tor client, disguised as a legitimate system process. Through this link, attackers can exfiltrate stolen seed phrases, private keys, and other sensitive data, while also pushing new instructions to the infected device.

Microsoft warns that the malware is equipped with detection-evasion mechanisms. Key components remain encrypted until the moment of execution, and the program can automatically terminate if it detects monitoring tools like Windows Task Manager.

To maintain its presence, the software creates scheduled tasks that launch it every time the computer starts, ensuring it can continue infecting new USB devices.

The Crypto Industry Remains a Top Target

This case serves as a stark reminder that growing institutional adoption of cryptocurrencies is being met with an evolution in cyber threats.

As investors funnel more capital into digital assets through ETFs and regulated platforms, cybercriminals are developing increasingly complex methods to access wallets and private keys.

Experts suggest that the best defense remains the diligent verification of addresses before sending funds, disabling the automatic execution of files from external media, and monitoring for unusual Tor activity within corporate networks.

For cryptocurrency users, Microsoft’s warning is a clear signal that even a simple USB drive can become an entry point for the theft of digital assets.

In an environment of uncertainty and market volatility, choosing a secure crypto wallet is more critical than ever for investors. For a detailed analysis of security solutions and asset protection, see the article “The Best Crypto Wallets for 2026,” which explores options based on security, convenience, and functionality.

Leave Reaction
1
Share Article
Nikolay is a cryptocurrency analyst and market writer with years of experience tracking digital asset trends and emerging blockchain technologies. A long-time crypto enthusiast, he actively trades across major exchanges and specializes in identifying early-stage projects and meme tokens. His analysis combines technical insight with a strategic, long-term investment perspective.
comment-icon Commentaries
Add your comment

Fill in necessary fields and publish