Microsoft security researchers have uncovered a new malware campaign targeting cryptocurrency assets that has been active since February 2026. The malware, tracked as Trojan:Win32/CryptoBandits.A, spreads primarily through infected USB drives and replaces wallet addresses that a victim copies to the clipboard with addresses controlled by the threat actors. Beyond its role as a US-based technology giant, Microsoft maintains an extensive cybersecurity research team that monitors digital threats worldwide.
How the malware operates
According to the researchers, the infection typically begins when a USB drive carrying the malware is connected to a computer. Once attached, the malware runs its payload through hidden shortcut (.lnk) files, which depend on the victim opening a shortcut rather than on AutoRun, and copies itself onto other local storage devices so that it spreads further. Once embedded in a Windows system, it establishes covert communication with its command-and-control servers over Tor relay nodes to mask the traffic.
The greatest risk emerges during transactions. The malware polls the system clipboard every 500 milliseconds and, whenever the contents match the pattern of a wallet address, replaces them with an attacker-controlled address, typically of the same format, so the swap happens before the user pastes and the substituted address looks as plausible as the original. Format or checksum validity therefore proves nothing; unless the user compares the pasted address character by character against the intended one before confirming, the funds go straight to the criminal's wallet.
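The polling-and-swap loop described above, and the two checks that actually catch it (exact comparison against the intended address, and a clipboard canary), as an added Python illustration. This is not Microsoft's analysis and not code from the malware; the in-memory `FakeClipboard`, the `Clipper` model, and the address-matching patterns are assumptions about how a generic clipper behaves, and the addresses are public sample addresses or constructed values.

```python
"""Clipper-style wallet address swapping, and the checks that catch it.

Added illustration, not Microsoft's analysis or CryptoBandits code. The
addresses below are public sample addresses or constructed values, and the
in-memory clipboard stands in for the Windows clipboard so the demo runs anywhere.
"""
import re
from hashlib import sha256
from typing import Callable, Dict, Optional

# Address shapes a clipper matches before deciding to swap (assumed patterns).
# Base58 omits 0, O, I and l; bech32 uses its own 32-character alphabet.
PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify(text: str) -> Optional[str]:
    """Return the address kind the text looks like, or None."""
    text = text.strip()
    for kind, rx in PATTERNS.items():
        if rx.match(text):
            return kind
    return None


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-base58 char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # leading '1' == 0x00 byte


def base58check_ok(addr: str) -> bool:
    """Legacy BTC checksum: last 4 bytes == sha256(sha256(version + hash160))[:4]."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return sha256(sha256(raw[:21]).digest()).digest()[:4] == raw[21:]


class FakeClipboard:
    """In-memory stand-in for the OS clipboard (assumption: real code uses the OS API)."""
    def __init__(self) -> None:
        self.text = ""
    def get(self) -> str:
        return self.text
    def set(self, text: str) -> None:
        self.text = text


class Clipper:
    """Models the malware's polling loop: one tick == one 500 ms poll."""
    def __init__(self, attacker_addrs: Dict[str, str]) -> None:
        self.attacker_addrs = attacker_addrs
    def tick(self, clip: FakeClipboard) -> bool:
        current = clip.get().strip()
        kind = classify(current)
        swap = self.attacker_addrs.get(kind) if kind else None
        if swap and current != swap:
            clip.set(swap)  # same address kind, so the result still "looks valid"
            return True
        return False


def verify_destination(intended: str, pasted: str) -> Dict[str, bool]:
    """User-side check: only exact equality detects a swap; format and checksum
    validity say nothing, because the attacker's address is valid too."""
    kind = classify(pasted)
    format_ok = kind is not None and (kind != "btc_legacy" or base58check_ok(pasted))
    return {"matches": intended == pasted, "pasted_format_valid": format_ok}


def canary_check(clip: FakeClipboard, probe: str,
                 wait: Callable[[], None] = lambda: None) -> bool:
    """Host-side detection: write a known address, wait longer than the polling
    interval (time.sleep(1.0) on a real host), read it back. Any change means
    something rewrote the clipboard."""
    clip.set(probe)
    wait()
    return clip.get() == probe


def demo() -> Dict[str, object]:
    intended = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"  # public genesis-block address, as sample
    attacker = {                                     # constructed "attacker" addresses
        "btc_legacy": "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2",
        "eth": "0x" + "deadbeef" * 5,
    }
    clip = FakeClipboard()
    clean = canary_check(clip, intended)   # no clipper running yet
    clipper = Clipper(attacker)
    clip.set(intended)                     # user copies the destination address
    swapped = clipper.tick(clip)           # malware polls within 500 ms
    pasted = clip.get()                    # user pastes into the wallet app
    return {
        "canary_clean_before": clean,
        "swapped": swapped,
        "pasted": pasted,
        "verification": verify_destination(intended, pasted),
        "canary_after_infection": canary_check(clip, intended, wait=lambda: clipper.tick(clip)),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes: after the swap, `verify_destination` reports the pasted address as perfectly well-formed with a valid checksum, and only the `matches` field is false. A canary that writes a known address and reads it back after the polling window is a cheap way to notice a clipper on a host without reverse engineering it.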
Microsoft’s research team notes that the malware not only swaps wallet addresses but also scans local files in an attempt to steal private keys and recovery seed phrases.
Glossary: A seed phrase is a backup, usually comprising 12 or 24 words, that allows recovery of a cryptocurrency wallet. If compromised, a seed phrase grants full control over the assets within the wallet to whoever possesses it.
Recommended security measures
Microsoft advises users to review their daily habits to protect against such attacks. Recommended precautions include disabling AutoRun on Windows devices, avoiding unknown USB drives, and verifying every character of a wallet address before confirming a transfer. On Windows, AutoRun/AutoPlay is turned off with the Group Policy setting "Turn off AutoPlay" (Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies) or by setting the NoDriveTypeAutoRun value to 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. Note that Windows 7 and later already ignore autorun.inf on USB drives, so this closes one vector but does not stop a shortcut-based lure that needs the user to open a file; showing file extensions and hidden files makes disguised .lnk files easier to spot. Hardware wallets that operate offline are highlighted as one of the most reliable methods for safeguarding seed phrases and digital assets; a hardware wallet that shows the destination address on its own display also lets the user confirm the address independently of a possibly compromised PC.
Microsoft’s previous warnings and operations
This is not the first time Microsoft has warned about threats targeting crypto users. Previously, the company alerted the public about two npm packages, [email protected] and [email protected], that contained hidden malicious components. The packages deployed remote-access malware that captured keystrokes and screenshots and then exfiltrated wallet credentials.
In May 2025, Microsoft led a globally coordinated operation against the Lumma Stealer group, which had been active since late 2022. Acting under a court order, Microsoft's Digital Crimes Unit seized 2,300 malicious domains, the US Department of Justice moved to dismantle the group's central control panels and dark web marketplaces, and Europol EC3 and Japan's JC3 halted the remaining servers across Europe and Asia.
Recent findings underline a resurgence of security threats distributed via physical carriers, posing renewed challenges for cryptocurrency users. The combination of USB-based infection and clipboard address replacement techniques has made it more important than ever for individual investors to implement diligent verification processes before finalizing any transaction.