OPN Intel
LIVE
BTC$76,620MAYER0.95×200W1.25×PI-CYCLE38%DRAWDOWN-39%PUELL0.81×W-RSI45BMSB0.97×
AS OF 2026-05-24
OpSec· June 19, 2026· 5 min read

Microsoft Identifies a USB Worm Swapping Crypto Addresses on Windows

On June 17, Microsoft's Security Response Center published a technical analysis of Trojan:Win32/CryptoBandits.A, a self-propagating malware worm that has targeted cryptocurrency holders on Windows PCs since February 2026. The worm spreads via infected USB drives, monitors the Windows clipboard every 500 milliseconds, silently swaps copied wallet addresses with attacker-controlled ones, and exfiltrates copied seed phrases and private keys over the Tor anonymity network. It also propagates itself to any clean USB drive inserted into an infected machine. The defensive answer is the same one it has always been for address verification: read the recipient address on your hardware wallet's display before approving the transaction.

Key takeaways

  1. On June 17, 2026, Microsoft's Security Response Center published an analysis of Trojan:Win32/CryptoBandits.A, a cryptocurrency-targeting malware worm active on Windows systems since at least February 2026. The worm spreads via malicious LNK (shortcut) files on USB drives disguised as Word, Excel, or PDF documents. When a victim opens the shortcut, the worm installs 2 persistence-enabling scheduled tasks and immediately scans for newly inserted USB drives to infect with identically named shortcuts, enabling silent propagation across any environment where drives are shared.
  2. CryptoBandits executes 2 attacks on clipboard contents, checked every 500 milliseconds. When it detects a copied cryptocurrency wallet address, it silently substitutes an attacker-controlled address before the paste, preserving a partial character match at the beginning and end of the string to reduce suspicion from casual visual inspection. When it detects a copied BIP-39 seed phrase (12 or 24 words) or a private key in WIF (Wallet Import Format), it captures the value and exfiltrates it via Tor.
  3. The malware deploys a bundled Tor (The Onion Router) client renamed as ugate.exe, routes all exfiltration through a local SOCKS5 proxy at localhost:9050, and communicates with C2 servers at .onion hidden-service addresses. This architecture makes network-level blocking difficult. The malware also captures 5 screenshots at 10-second intervals and transmits them alongside stolen data. An EVAL command in the C2 protocol converts the stealer into a persistent backdoor capable of arbitrary JavaScript execution on infected machines.
  4. The complete mitigation for address-substitution attacks is hardware wallet address verification. Every major hardware wallet, including Ledger, Trezor, Coldcard, and Blockstream Jade, displays the recipient address on its own screen before the user approves a transaction. That display is driven by the hardware wallet's firmware and is not subject to clipboard manipulation on the host computer. A user who reads the address on the hardware wallet's screen before pressing confirm cannot be defrauded by CryptoBandits' substitution regardless of what the host computer's clipboard contains.
  5. Microsoft recommends disabling AutoRun and AutoPlay for USB media, blocking .lnk execution from removable drives via Group Policy, restricting wscript.exe and cscript.exe on systems handling financial workflows, and monitoring for localhost:9050 proxy activity alongside script host execution. Microsoft Defender detects the threat as Trojan:Win32/CryptoBandits.A. No geographic targeting or threat-actor attribution has been published alongside the technical disclosure.

What Happened

On June 17, 2026, Microsoft's Security Response Center published a technical post documenting Trojan:Win32/CryptoBandits.A, a self-propagating malware worm targeting cryptocurrency holders on Windows systems since at least February 2026. The disclosure is significant not because the underlying attack category is new but because the delivery mechanism is: the worm does not require a phishing email, a malicious download, or a compromised website. It spreads through USB drives, physical media that users routinely treat as trusted, and hijacks the most routine step in any crypto transaction, copying and pasting a wallet address.

Microsoft's Defender Antivirus telemetry detected the campaign in February and tracked it through June. The malware arrives on an infected USB drive as LNK files disguised as ordinary documents. When a victim opens what appears to be a legitimate file, the LNK executes the worm payload. The worm then installs 2 scheduled tasks for persistence: one to spread itself to newly inserted USB drives, and one to run the clipboard stealer continuously in the background. The malware also deploys a Tor client renamed as ugate.exe, which bootstraps over roughly 60 seconds on first run and sits idle until it has data to exfiltrate.

How the Worm Propagates

The propagation mechanism is designed to spread silently through any environment where USB drives are shared. When CryptoBandits is active on a PC and a new, clean USB drive is inserted, the worm scans the drive for ordinary files (Word, Excel, PDFs) and replaces each with a matching LNK shortcut using the same filename. The original files are moved rather than destroyed, so the visible signal to the victim is minimal before the next machine is compromised. A user who opens those files on a different machine activates the worm on that machine. The cycle requires no network connection and no user deception beyond the initial file open.

Network defenders monitoring outbound traffic from an infected machine see Tor relay connections rather than any identifiable attacker infrastructure. The SOCKS5 proxy at localhost:9050 routes all C2 communications through the Tor network, making the destination effectively invisible to standard security monitoring. The C2 supports an EVAL command that allows operators to push arbitrary JavaScript code to infected machines, which converts what starts as a simple clipboard stealer into a persistent, remotely programmable foothold capable of deploying follow-on payloads.

The Address-Substitution Attack in Detail

The clipboard monitor polls Windows clipboard content every 500 milliseconds. Cryptocurrency wallet addresses follow predictable string patterns: Bitcoin addresses beginning with 1, 3, or bc1; Ethereum addresses beginning with 0x followed by 40 hexadecimal characters; and equivalents on other chains. When the malware detects a matching string, it replaces the clipboard with an attacker-controlled address before the paste executes. To reduce detection risk, the substitution preserves the first few and last few characters of the original address. A user who copies an address, glances at the start and end characters, and pastes into a transaction form will see what appears to be the correct address until the transaction is broadcast.

The seed-phrase exfiltration path operates differently. A BIP-39 seed phrase is a 12-to-24-word mnemonic that derives the private keys for an entire wallet hierarchy. When the malware detects a string matching that pattern in the clipboard, it does not substitute: it captures the full phrase and exfiltrates it immediately via Tor. Combined with 5 screenshots taken at 10-second intervals and transmitted alongside the seed data, operators receive both the key material and the visual context of what the victim was doing. That combination turns a single clipboard copy operation into a complete wallet compromise. The clipboard-hijacking attack category is not new. Earlier variants required phishing or download click-through to reach victims. CryptoBandits adds USB-worm propagation that requires no phishing, Tor-routed C2 that resists network blocking, and a backdoor capability that makes the stealer persistent and reusable.

Why Hardware Wallet Display Verification Closes This Gap

The hardware wallet's display is the point where the signing trust chain becomes immune to host-computer manipulation. When a user initiates a Bitcoin send transaction, the unsigned transaction data travels from the desktop software to the hardware wallet device. The hardware wallet constructs the transaction and then renders the recipient address on its own firmware-controlled screen before asking the user to approve. That rendered address comes from the hardware wallet's interpretation of the transaction data, not from the desktop application's clipboard or display. CryptoBandits can substitute the address in the clipboard and in the desktop software's address field, but it cannot substitute the address displayed on the hardware wallet's screen. The device reads from the transaction data it received, not from the compromised host's clipboard.

The verification protocol is simple: before approving a transaction, read the recipient address character by character from the hardware wallet's screen and compare it to the intended destination. If they match, the transaction goes to the correct address regardless of what CryptoBandits placed in the desktop application's form. If they do not match, the substitution is caught before broadcast. This is not a workaround that degrades over time. It is the structural property of hardware wallet design: the device provides an independent display path from the potentially compromised host computer. Every major hardware wallet, including Ledger, Trezor, Coldcard, and Blockstream Jade, implements this display path. The address on the screen is the authoritative address. The clipboard is not.

What This Means for You

If you are transacting on a Windows PC and you copy wallet addresses from anywhere on the screen, you are operating inside the attack surface CryptoBandits is designed to exploit. The malware does not require you to do anything unusual. Opening a USB drive, copying an address, pasting it into a transaction form: these are the normal steps of a normal transaction, and they are the exact steps the worm intercepts. Any Windows machine with USB access in a shared environment, offices, homes with multiple users, any space where USB drives circulate, is a potential vector. The worm requires no network connection to spread from machine to machine.

The complete defense against address-substitution attacks is hardware wallet verification. Before you approve any outbound transaction on your hardware wallet, read the recipient address on the device's screen. Not the desktop application's address field. Not the pasted text. The hardware wallet's screen. If the address on the screen matches your intended destination, approve. If it does not, reject and investigate. This check takes approximately 10 seconds and catches CryptoBandits completely regardless of how many characters the substitution preserved at the beginning and end of the string.

The seed-phrase exfiltration attack is a direct argument for keeping private keys inside hardware wallet storage and against any workflow that involves displaying, copying, or typing a BIP-39 seed phrase on a live internet-connected machine. If your seed phrase ever appears on the clipboard of an infected Windows machine, CryptoBandits captures and exfiltrates it immediately. Hardware wallets store private keys inside the device and never expose them to the host computer. This is why key control through dedicated hardware is the structural answer to this class of attack. An attacker who intercepts your clipboard captures what you showed the computer. An attacker watching a hardware wallet transaction sees only the transaction data the device chose to transmit, which contains no seed phrase, no private key, and no key material of any kind.

What to Watch

Watch Microsoft's Defender telemetry updates for expanded geographic scope or new variant detections, which would indicate the campaign is broadening beyond its February-to-June documented footprint. Published C2 infrastructure analysis from third-party threat intelligence firms may link CryptoBandits to prior campaigns or a known threat actor. Hardware wallet firmware updates from Ledger, Trezor, Coldcard, and Blockstream Jade are worth tracking for explicit address-verification prompts when clipboard activity is detected near a transaction confirmation, a UI hardening step several manufacturers have discussed in response to clipper malware trends. A formal detection policy for CryptoBandits specifically from any exchange or institutional custody provider would signal the malware has reached institutional environments beyond the retail Windows machines documented in Microsoft's initial disclosure. And watch for law enforcement action against the attacker-controlled addresses named in Microsoft's technical analysis, which would provide the first public attribution data for the campaign.

The clipboard is not part of your signing trust chain. Your hardware wallet's display is. The malware knows the difference. Now you do too.

Sources

  1. [1]Microsoft Security Response Center — 'Crypto Clipper uses Tor and worm-like propagation for persistence and control', June 17, 2026
  2. [2]CoinDesk — 'Microsoft identifies malware worm that hijacks crypto wallets, spreads through USB drives', June 19, 2026
  3. [3]The Crypto Times — 'Microsoft Uncovers Tor-Powered CryptoBandits Malware Emptying User Wallets', June 19, 2026
  4. [4]BleepingComputer — 'USB worm spreads crypto-stealing malware via Windows shortcut files', June 2026
  5. [5]Windows Report — 'Microsoft Warns of USB Malware That Replaces Cryptocurrency Wallet Addresses', June 2026
  6. [6]DailyCoin — 'Microsoft Warns of New Crypto Clipper Malware Spreading via Infected USBs', June 2026

More in OpSec

Four Years Undetected: Zcash Patches Orchard Counterfeit Bug