Microsoft has uncovered a crypto-stealing malware campaign that skips the blockchain entirely and goes straight for the user's device, lifting seed phrases and private keys and quietly swapping the wallet addresses people copy and paste.
Microsoft Threat Intelligence disclosed a Windows-based cryptocurrency clipper campaign that has been running since February 2026. The malware spreads through malicious shortcut, or .lnk, files planted on USB storage devices. When a victim opens what looks like an ordinary file shortcut, the payload quietly installs two parts: a worm that copies itself to other removable drives, and a clipper module built to harvest crypto credentials.
Once active, it runs several high-value operations at once. It scans for seed phrases and private keys, captures screenshots, monitors the clipboard, replaces copied wallet addresses with attacker-controlled ones, and keeps a remote connection open through Tor. Microsoft Defender detects it as Trojan:Win32/CryptoBandits.A.
The most concerning part is the target. Rather than breaching an exchange or exploiting a smart contract, this malware compromises the entire ownership process at its weakest link: the computer itself. Most users concentrate their security thinking on exchange accounts, hardware wallets, and contract risk. This campaign sidesteps all of that.
The logic is simple and unforgiving. If an attacker obtains a 12- or 24-word seed phrase or a private key, or substitutes the address a user is about to send to, the blockchain's security becomes irrelevant, because the compromise happened before the transaction was ever signed. No amount of on-chain security helps when the theft occurs on the device.
The malware scans clipboard contents roughly every 500 milliseconds, hunting for seed phrases, private keys, and wallet addresses across multiple chains, with support for Bitcoin (legacy, P2SH, Bech32 SegWit, and Taproot formats), Tron, and Monero addresses. When it detects a copied address, it can silently replace it with the attacker's address before the user pastes it into a wallet or withdrawal form. To avoid suspicion, the substitute is chosen to share characters with the original, often its first and last few, so a quick glance at the ends of the address is not a reliable check; only comparing the full string, or confirming the destination on a hardware wallet's own screen before approving, catches the swap. Captured data is then sent out through Tor, where it is far harder to trace.
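As an added example (not code from the article or from Microsoft's report), the Python below shows the two halves of what the paragraph above describes: a format classifier of the kind a clipper needs to decide what the user copied, and a lookalike substitution that passes a first-and-last-characters glance but fails a full comparison. All addresses, the attacker pool and the seed phrase are constructed for the example; the classifier checks prefix, alphabet and length only, not checksums, which is all a clipper needs.

```python
import re

# Base58 alphabet used by Bitcoin legacy/P2SH, Tron and Monero addresses (no 0, O, I, l).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Bech32 data alphabet used by SegWit v0 (bc1q) and Taproot (bc1p) addresses (no 1, b, i, o).
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"

# Prefix, alphabet and length classifiers for the families the article says the
# clipper targets. No checksum validation: a clipper only needs to know which
# kind of string was copied so it can swap in a string of the same kind.
PATTERNS = {
    "btc_legacy_p2pkh": re.compile(rf"1[{B58}]{{25,34}}"),
    "btc_p2sh":         re.compile(rf"3[{B58}]{{25,34}}"),
    "btc_segwit_v0":    re.compile(rf"bc1q(?:[{BECH32}]{{38}}|[{BECH32}]{{58}})"),  # P2WPKH / P2WSH
    "btc_taproot":      re.compile(rf"bc1p[{BECH32}]{{58}}"),
    "tron":             re.compile(rf"T[{B58}]{{33}}"),
    "monero":           re.compile(rf"[48][{B58}]{{94}}|4[{B58}]{{105}}"),  # standard, sub, integrated
    "btc_wif_key":      re.compile(rf"5[{B58}]{{50}}|[KL][{B58}]{{51}}"),
    "hex_private_key":  re.compile(r"[0-9a-fA-F]{64}"),
}
SEED_SHAPE = re.compile(r"[a-z]{3,8}(?: [a-z]{3,8}){11,23}")
SEED_WORD_COUNTS = {12, 15, 18, 21, 24}


def classify(clip: str):
    """Label clipboard text as a seed phrase, private key or address family, else None."""
    s = " ".join(clip.split())  # normalise whitespace and newlines
    if SEED_SHAPE.fullmatch(s) and len(s.split()) in SEED_WORD_COUNTS:
        return "seed_phrase"
    for label, pattern in PATTERNS.items():
        if pattern.fullmatch(s):
            return label
    return None


# Constructed sample inputs (not real addresses or a real wallet seed).
USER_ADDRESS = "1Ab4Cd7EfGhJkMnPqRsTuVwXyZ2a3b5c6d"
SAMPLES = {
    "btc_legacy_p2pkh": USER_ADDRESS,
    "btc_p2sh": "3" + B58[:33],
    "btc_segwit_v0": "bc1q" + BECH32 + BECH32[:6],
    "btc_taproot": "bc1p" + BECH32 + BECH32[:26],
    "tron": "T" + B58[:33],
    "monero": "4" + B58 + B58[:36],
    "btc_wif_key": "5" + B58[:50],
    "hex_private_key": "deadbeef" * 8,
    "seed_phrase": "abandon ability able about above absent absorb abstract absurd abuse access accident",
}

# Constructed attacker-controlled addresses, one pool per family (not real addresses).
ATTACKER_POOL = {
    "btc_legacy_p2pkh": [
        "1QzYxWvUtSrQpNmKjHgFeDcBa98765432a",
        "1Ab4xYz9WvUtSrQpNmKjHgFeDcBa8b5c6d",  # shares the user's first 4 and last 5 characters
    ],
    "btc_segwit_v0": ["bc1q" + BECH32[::-1] + BECH32[:6]],
}


def _shared_ends(a: str, b: str) -> int:
    """Length of the common prefix plus the common suffix of two strings."""
    prefix = 0
    while prefix < min(len(a), len(b)) and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < min(len(a), len(b)) - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix + suffix


def clipper_poll(clip: str) -> str:
    """One clipboard poll: swap a copied address for the attacker's most similar
    address of the same family. Seed phrases and keys are left untouched here;
    the malware exfiltrates those rather than editing them."""
    pool = ATTACKER_POOL.get(classify(clip))
    if not pool:
        return clip
    return max(pool, key=lambda candidate: _shared_ends(clip, candidate))


def quick_visual_check(expected: str, pasted: str, n: int = 4) -> bool:
    """The check most people actually do: glance at the first and last few characters."""
    return expected[:n] == pasted[:n] and expected[-n:] == pasted[-n:]


def full_check(expected: str, pasted: str) -> bool:
    """The check that catches a clipper: the whole string, character for character."""
    return expected == pasted


if __name__ == "__main__":
    for kind, value in SAMPLES.items():
        print(f"{kind:18} -> {classify(value)}")
    pasted = clipper_poll(USER_ADDRESS)
    print("copied :", USER_ADDRESS)
    print("pasted :", pasted)
    print("quick check passes:", quick_visual_check(USER_ADDRESS, pasted))
    print("full check passes :", full_check(USER_ADDRESS, pasted))
```

The lookalike selection is the point of the example: with two attacker addresses in the pool, the clipper picks the one sharing the most leading and trailing characters with what the user copied, so checking the ends of the address passes while a full comparison fails.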
Rather than relying on conventional command-and-control servers, the campaign bundles its own Tor client, routes traffic through a local SOCKS5 proxy on localhost:9050, and communicates with hidden .onion services. It also supports remote code execution, running attacker-supplied code on command. Because it leans on built-in Windows scripting tools instead of a large, detectable installer, it slips past simple file-based scanning; and because its command traffic enters the network through a local proxy and is Tor-encrypted, rather than going to a fixed server that could be blocklisted, conventional destination-based network monitoring sees little of it.
Because this malware avoids a bulky installer and runs through legitimate Windows tools, it leaves subtle traces rather than obvious ones. Here are several behaviors worth watching for:
Microsoft recommends prioritizing behavior-based detection over simple file scanning, since the campaign is built specifically to evade the latter.
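As an added example (not code from the article, from Microsoft, or from any detection product), the Python below turns three behaviours the article describes into rules run over a handful of constructed Sysmon-style event lines: a script host launched with a removable-drive path on its command line, a process connecting to the local Tor SOCKS port 9050, and a non-Explorer process writing a shortcut or script onto removable media. The event format, drive letters, paths, process names and the allowlist of sanctioned Tor clients are all assumptions made for the example; real Sysmon or EDR telemetry needs its own field mapping and tuning.

```python
import json
import re

# Constructed Sysmon-style events for this example (sample data, not telemetry
# from the campaign Microsoft described). Field names loosely mirror Sysmon's
# ProcessCreate (1), NetworkConnect (3) and FileCreate (11) events.
SAMPLE_EVENTS = [
    # A shortcut on a USB stick is opened and launches a script host.
    json.dumps({"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
                "parent_image": r"C:\Windows\explorer.exe",
                "cmdline": r'wscript.exe //B "E:\Photos\~tmp.vbs"'}),
    # The dropped component talks to the bundled Tor client's local SOCKS5 port.
    json.dumps({"event": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe",
                "dst_ip": "127.0.0.1", "dst_port": 9050}),
    # Ordinary browsing to a documentation-range IP: benign.
    json.dumps({"event": "network_connect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                "dst_ip": "203.0.113.10", "dst_port": 443}),
    # The worm component plants a shortcut on another removable drive.
    json.dumps({"event": "file_create", "image": r"C:\Users\alice\AppData\Roaming\Updater\upd.exe",
                "target": r"F:\Photos.lnk"}),
    # The user copies a document to the same drive through Explorer: benign.
    json.dumps({"event": "file_create", "image": r"C:\Windows\explorer.exe",
                "target": r"F:\report.docx"}),
    # A script host with no removable-drive reference: benign.
    json.dumps({"event": "process_create",
                "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "parent_image": r"C:\Windows\System32\svchost.exe",
                "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"}),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
DROPPER_EXTENSIONS = (".lnk", ".exe", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".bat", ".cmd")
TOR_SOCKS_PORT = 9050
# Assumption: nothing on this fleet is supposed to use a local Tor SOCKS port;
# list sanctioned Tor clients here if your environment has any.
SANCTIONED_TOR_CLIENTS: set[str] = set()
# Assumption: drive letters that are removable media on the host being analysed.
REMOVABLE_DRIVES = ["E:", "F:"]
REMOVABLE_PATH = re.compile("|".join(re.escape(d + "\\") for d in REMOVABLE_DRIVES), re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Apply the three behavioural rules to a stream of JSON event lines.

    Returns (rule, image_basename) tuples in event order."""
    findings = []
    for line in events:
        ev = json.loads(line)
        image = basename(ev["image"])
        kind = ev["event"]
        if kind == "process_create":
            # Rule 1: a script host started with a removable-drive path on its command line.
            if image in SCRIPT_HOSTS and REMOVABLE_PATH.search(ev.get("cmdline", "")):
                findings.append(("script_host_launched_from_removable_media", image))
        elif kind == "network_connect":
            # Rule 2: anything other than a sanctioned client connecting to the local Tor SOCKS port.
            if (ev["dst_ip"] == "127.0.0.1" and ev["dst_port"] == TOR_SOCKS_PORT
                    and image not in SANCTIONED_TOR_CLIENTS):
                findings.append(("local_tor_socks_connection", image))
        elif kind == "file_create":
            # Rule 3: a non-Explorer process writing a shortcut, script or executable to removable media.
            target = ev["target"]
            if (REMOVABLE_PATH.match(target) and target.lower().endswith(DROPPER_EXTENSIONS)
                    and image != "explorer.exe"):
                findings.append(("payload_written_to_removable_media", image))
    return findings


if __name__ == "__main__":
    for rule, image in analyze(SAMPLE_EVENTS):
        print(f"{rule:42} {image}")
```

Each rule keys on a behaviour rather than a file hash, which is what the recommendation above asks for; the benign events show where the rules need their exclusions (Explorer copying a document, a script host running a local maintenance script) so they do not simply fire on every USB stick.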
The encouraging news is that the defenses are practical, and most trace directly to Microsoft’s own recommendations. Because the attack begins at the device, that is where protection has to start.
One hard truth underpins all of this: blockchain transactions are irreversible. If funds are sent to an attacker’s substituted address and confirmed on-chain, there is generally no way to claw them back, no bank to call and no transaction to reverse. That permanence is exactly why prevention, not recovery, is where the effort has to go.
This campaign reinforces a lesson that keeps getting sharper: the weakest point in crypto security is often no longer the blockchain, the exchange, or the wallet provider, but the endpoint device used to access them. The data backs that shift. Blockchain analytics firm Chainalysis reported that more than $2.17 billion was stolen from crypto services in the first half of 2025, already surpassing all of 2024, with losses on pace to top $4 billion by year-end. The same report found that attacks on individuals had grown to roughly 23% of all stolen-fund activity, a share driven in part by more sophisticated individual-targeting techniques.
That is the trend CryptoBandits fits into. As attackers lean further into clipboard theft, seed-phrase extraction, and device compromise, the economics favor going after individuals directly rather than breaching hardened exchange infrastructure. Protecting the computer itself is becoming just as important as protecting the assets held on it.
The post Microsoft Warns of New Crypto Malware: How To Protect Your Wallet appeared first on Coindoo.