Microsoft Warns Windows USB Worm CryptoBandits Is Hijacking Bitcoin Addresses

Jun 22, 2026

A clipboard-swapping worm has been quietly redirecting Bitcoin transactions to attacker wallets since at least February 2026.

Key takeaways

  • Microsoft Threat Intelligence confirmed a Windows worm called Trojan:Win32/CryptoBandits.A has been active since at least February 2026, spreading via malicious USB shortcut files and silently replacing copied wallet addresses before a transaction is sent.
  • The malware targets Bitcoin across all four address formats (legacy, P2SH, SegWit, Taproot), plus Tron and Monero, and exfiltrates seed phrases, private keys, and screenshots over Tor to attacker-controlled servers.
  • A hardware wallet alone does not protect against this attack. If the Windows host is compromised before the user pastes a destination address, the signing device will confirm a send to the attacker's wallet. Character-by-character address verification on the hardware device's own display is the critical control.

Microsoft Threat Intelligence publicly disclosed Trojan:Win32/CryptoBandits.A on June 17, 2026, warning that the campaign has been running since at least February, combining clipboard hijacking, worm-like USB propagation, and Tor-based command-and-control to drain cryptocurrency wallets without the victim noticing until the transaction is already confirmed. The malware has been operating for four months without a public warning. That gap is exactly where sats disappear.

Per the Microsoft Security Blog, Microsoft Defender Experts described the campaign this way:

"Since February 2026, Microsoft Defender Experts have tracked a cryptocurrency clipper campaign that combines clipboard theft, wallet address replacement, worm-like functionality, and Tor-based communications, enabling both financial gain and continued access to devices." (Microsoft Defender Experts, Microsoft Security Blog, June 17, 2026)

How the Attack Works

The infection starts with a malicious .lnk shortcut file on a USB drive. When a Windows user clicks it, the worm installs on the host machine. From there, it waits. When a clean USB is inserted, it replicates onto that drive and the cycle continues.

Once installed, CryptoBandits polls the clipboard approximately every 500 milliseconds. When it finds a wallet address, it silently substitutes the attacker's address before the user pastes; BIP39 seed phrases and private keys that match the expected formats are captured for exfiltration instead. The malware targets Bitcoin across all four address formats: legacy (1...), P2SH (3...), native SegWit (bc1q...), and Taproot (bc1p...). Tron and Monero addresses are also in scope.
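The address families and the copy-to-paste window described above, as an added defender-side example that is not code from Microsoft's disclosure or from this article: the first function classifies a clipboard string into the address families listed (shape checks only), and the second flags the clipper pattern in a stream of clipboard-change events, assuming a monitor that records which process last set the clipboard. The event stream, process names and addresses are constructed.

```python
import re
from dataclasses import dataclass

# Shape checks only (prefix, alphabet, length). A checksum-valid attacker address
# passes these as well as the victim's, which is why the on-device display check matters.
BASE58 = "[1-9A-HJ-NP-Za-km-z]"
BECH32 = "[02-9ac-hj-np-z]"
ADDRESS_PATTERNS = {
    "btc_legacy":  re.compile(f"^1{BASE58}{{25,34}}$"),
    "btc_p2sh":    re.compile(f"^3{BASE58}{{25,34}}$"),
    "btc_segwit":  re.compile(f"^bc1q{BECH32}{{38,58}}$"),
    "btc_taproot": re.compile(f"^bc1p{BECH32}{{58}}$"),
    "tron":        re.compile(f"^T{BASE58}{{33}}$"),
    "monero":      re.compile(f"^[48]{BASE58}{{94}}$"),
}

def classify_address(text):
    """Return the address family of a clipboard string, or None if it is not one."""
    return next((n for n, p in ADDRESS_PATTERNS.items() if p.match(text.strip())), None)

@dataclass
class ClipEvent:
    t_ms: int    # when the clipboard changed
    owner: str   # process that set the clipboard (assumed to come from the monitor)
    text: str

def detect_swaps(events, window_ms=1500):
    """Flag an address replaced by a different same-chain address that another
    process set shortly after the user's copy: the clipper pattern described above."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        a, b = classify_address(prev.text), classify_address(cur.text)
        if a is None or b is None or a.split("_")[0] != b.split("_")[0]:
            continue
        if (prev.text.strip() != cur.text.strip() and cur.owner != prev.owner
                and cur.t_ms - prev.t_ms <= window_ms):
            alerts.append((cur.t_ms, cur.owner, prev.text, cur.text))
    return alerts

# Constructed clipboard-change stream: a copy from the browser is overwritten
# 400 ms later by a Python process; a later copy of a legacy address is left alone.
VICTIM = "bc1qqpzry9x8gf2tvdw0s3jn54khce6mua7lqpzry9"
SWAPPED = "bc1qlqpzry9x8gf2tvdw0s3jn54khce6mua7qpzry9"
SAMPLE_EVENTS = [
    ClipEvent(1000, "msedge.exe", VICTIM),
    ClipEvent(1400, "pythonw.exe", SWAPPED),
    ClipEvent(9000, "notepad.exe", "1AbCdEfGhJkLmNoPqRsTuVwXyZ123456789"),
    ClipEvent(9600, "notepad.exe", "1AbCdEfGhJkLmNoPqRsTuVwXyZ123456789"),
]
```

`detect_swaps(SAMPLE_EVENTS)` returns a single alert naming pythonw.exe as the process that overwrote the browser's address; a real monitor would feed it live clipboard-owner events instead of the constructed list.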

When sensitive clipboard content is detected, the malware captures five screenshots ten seconds apart and ships them, along with any intercepted seed phrases or private keys, to a hidden-service C2 server over Tor via a portable Tor client running as a SOCKS5 proxy. The C2 connection also supports an EVAL command, giving the operators a remote code execution backdoor to push arbitrary payloads to already-infected machines.

To slow analysis, the malware exits if it detects Task Manager. The initial installer is written in Python and obfuscated with PyArmor and PyInstaller. Secondary JavaScript payloads are dropped to C:\Users\Public\Documents.

Microsoft published SHA-256 indicators of compromise, MITRE ATT&CK mappings, and KQL hunting queries in the disclosure. Microsoft Defender Antivirus detects it. The strongest behavioral signals for hunters: script interpreters spawning unexpected child processes, connections to localhost port 9050, and any clipboard inspection or address-substitution activity.

Microsoft did not attribute the campaign to a specific threat actor and did not disclose victim counts or total theft figures.

The Bitcoin network was never touched; the protocol worked exactly as designed. The theft happens at the operating system layer, between copy and paste, inside the malware's 500-millisecond polling window.

This is the discipline gap that gets people. A hardware wallet signs the transaction it's shown, not the one the user intended to create. If CryptoBandits has already swapped the address in the clipboard before the user pastes it into their wallet software, the signing device will dutifully authorize a send to the attacker. The defense is not owning a Ledger or a Coldcard. The defense is reading the full destination address on the hardware device's own trusted display, character by character, before hitting confirm. Every time.

The worm-based USB propagation adds a second problem for users who think air-gapped workflows protect them. A PSBT on a USB drive still transits a Windows host. If that host is already infected, the worm propagates to the USB and reaches the next machine in the signing workflow. The workflow places a level of trust in physical media that the media do not deserve.

The supply chain attack surface on everyday computing infrastructure keeps expanding. CryptoBandits is not a sophisticated nation-state tool. It's a patient, automated worm that exploits the most common habit in self-custody: copying an address and pasting it without verification. Four months of undetected activity on Windows machines is a reasonable baseline for how long these campaigns run before anyone says anything publicly.

The surveillance and data exfiltration risk embedded in everyday software is not theoretical. Here it is, shipping screenshots of your clipboard activity to a Tor hidden service.

What to Watch

Microsoft has not attributed the campaign or indicated it has been shut down. Hunters should run the KQL queries Microsoft published and check for localhost:9050 Tor proxy connections on any Windows machine used for Bitcoin transactions.

Users on Windows who self-custody should treat clipboard-based address entry as an untrustworthy workflow until the host machine is clean and verified. A dedicated, air-gapped signing device running a non-Windows OS eliminates the clipboard attack surface entirely. Short of that, always verify the destination address on the hardware device's own screen before signing.


Frequently Asked Questions

Does a hardware wallet protect against CryptoBandits?

Partially. A hardware wallet signs whatever transaction it is presented with. If CryptoBandits has already replaced the destination address in the clipboard before the user pastes it into their wallet software, the hardware device will sign a send to the attacker's address.

Full protection requires verifying the complete destination address on the hardware device's own display, character by character, before confirming the transaction. Trusting the address shown on the Windows screen is not sufficient.

Does this affect air-gapped Bitcoin signing setups?

Yes, indirectly. CryptoBandits propagates to clean USB drives inserted into an infected Windows host. Any USB that passes through a compromised machine can carry the worm into the next device in the signing workflow. Fully mitigating this requires a dedicated signing machine that never touches a Windows host, or a hardware wallet that displays and confirms destination addresses independently of the host machine.

How do I check if my Windows machine is infected?

Microsoft published SHA-256 indicators of compromise, MITRE ATT&CK mappings, and KQL hunting queries in its June 17 Security Blog post. Key behavioral signals: script interpreters spawning unexpected child processes, connections to localhost port 9050 (Tor SOCKS5 proxy), PowerShell-based screenshot activity, and any clipboard inspection or address-substitution behavior. Microsoft Defender Antivirus detects the malware as Trojan:Win32/CryptoBandits.A.
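The behavioural signals listed here and under "How the Attack Works", turned into an added example that is not Microsoft's published KQL and not part of the disclosure: it applies the script-host, localhost:9050 and Public\Documents drop checks to Sysmon-style JSON event lines (Sysmon EventID 1, 3 and 11 are the real process-create, network-connect and file-create events). The field names, the script-host list, the sample paths and the sample events are assumptions constructed for the example.

```python
import json

# Script hosts the signals call out, plus the children they legitimately
# spawn; anything else spawned by a script host is reported for triage.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "node.exe"}
EXPECTED_CHILDREN = {"conhost.exe"}
TOR_SOCKS = ("127.0.0.1", 9050)            # portable Tor client's SOCKS5 listener
DROP_DIR = "c:\\users\\public\\documents"   # secondary JavaScript payload location

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(lines):
    """Run the three behavioural checks over Sysmon-style JSON event lines
    (EventID 1 = process create, 3 = network connect, 11 = file create)."""
    hits = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        if ev["EventID"] == 1:
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if parent in SCRIPT_HOSTS and child not in EXPECTED_CHILDREN:
                hits.append(("script_host_child", f"{parent} -> {child}"))
        elif ev["EventID"] == 3:
            if (ev["DestinationIp"], int(ev["DestinationPort"])) == TOR_SOCKS:
                hits.append(("tor_socks_localhost", basename(ev["Image"])))
        elif ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if target.startswith(DROP_DIR) and target.endswith(".js"):
                hits.append(("public_documents_js_drop", ev["TargetFilename"]))
    return hits

# Constructed sample telemetry: three events that should fire and three that should not.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Python312\\pythonw.exe", "Image": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\wscript.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9050}
{"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"EventID": 11, "Image": "C:\\Python312\\pythonw.exe", "TargetFilename": "C:\\Users\\Public\\Documents\\clip.js"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": "C:\\Users\\alice\\Documents\\notes.txt"}
"""

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS.splitlines()):
        print(f"{rule}: {detail}")
```

Each hit is a (rule, detail) pair meant for triage, not a verdict; a legitimate Tor Browser install also talks to 127.0.0.1:9050, so the localhost rule is strongest on machines that should never run Tor.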

