My Crypto News AI

Microsoft Warns of USB Malware That Swaps Your Crypto Wallet Addresses in Real Time

Microsoft disclosed a sophisticated crypto clipper malware campaign on June 17, 2026, that has been quietly stealing cryptocurrency and private keys since February by intercepting and replacing wallet addresses during the copy-paste process. The malware, identified as Trojan:Win32/CryptoBandits.A, spreads through infected USB drives and targets the single most routine action in crypto: copying and pasting a wallet address.

How Does This Malware Actually Work?

The infection chain is methodical and requires almost no deliberate action from the victim. When someone plugs in an infected USB drive, real files are hidden and replaced with shortcuts disguised as documents. Opening the fake shortcut triggers a script that installs a worm with scheduled tasks ensuring persistence across reboots. Once installed, the malware polls the Windows clipboard every 500 milliseconds, waiting for you to copy a wallet address.

When you paste that address, the malware silently swaps it with an attacker's address. The replacement is designed to be visually deceptive, matching the first and last few characters of the original address so a casual glance won't catch the swap. The malware also captures screenshots at regular intervals and scans for seed phrases and private keys, exfiltrating stolen data through the Tor network to mask the attacker's infrastructure.

What Makes This Threat Different From Other Clipboard Hijackers?

Three technical details push this malware well beyond typical clipboard theft. First, the Tor routing makes the operator practically untraceable by channeling communications through a local proxy and hidden onion addresses. Second, the backdoor functionality allows the attacker to execute additional code later, opening the door to ransomware deployments or follow-on intrusions. Third, the address-matching deception is particularly dangerous because it exploits the human habit of only glancing at the first and last characters of a wallet address.

The malware targets Bitcoin across its address formats, as well as Ethereum, Tron, and Monero. Binance separately warned its own users about the campaign, signaling that the threat is active and ongoing.

Steps to Protect Your Crypto From Clipboard Malware

  • Disable AutoRun and AutoPlay: Turn off automatic execution for removable devices so USB drives cannot launch anything on their own when plugged in.
  • Never trust an unknown USB drive: Treat every removable storage device of uncertain origin as potentially compromised, and avoid plugging in USB drives from untrusted sources.
  • Verify the full address before sending: Before sending any transaction, check the complete wallet address character by character, not just the first and last few characters.
  • Use a hardware wallet: Confirm the destination address on the device's own screen, where clipboard malware cannot interfere, adding a physical verification layer.
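The full-address check from the list above, as an added Python example (not code from Microsoft or from this article): it compares the address you meant to use with what was actually pasted and flags the case this campaign relies on, where the first and last few characters agree but the rest differs. The addresses are constructed sample strings, and the names check_paste and GLANCE and the four-character glance width are assumptions.

```python
from dataclasses import dataclass

GLANCE = 4  # assumed: how many leading/trailing characters a person eyeballs

# Constructed sample strings, not real wallet addresses.
EXPECTED = "bc1qa7constructedsampleaddr0000000000x9k2"
SWAPPED = "bc1qa7attackerlookalikeaddr1111111111x9k2"


@dataclass
class PasteCheck:
    verdict: str     # "match", "lookalike-swap" or "mismatch"
    prefix: int      # characters shared at the start
    suffix: int      # characters shared at the end
    first_diff: int  # index of the first differing character, -1 if identical


def common_prefix(a: str, b: str) -> int:
    """Length of the longest common prefix of a and b."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def check_paste(expected: str, pasted: str, glance: int = GLANCE) -> PasteCheck:
    """Compare every character; a glance at the ends is not enough."""
    a, b = expected.strip(), pasted.strip()
    if a == b:
        return PasteCheck("match", len(a), len(a), -1)
    pre = common_prefix(a, b)
    # The shared suffix must not overlap the shared prefix.
    limit = min(len(a), len(b)) - pre
    suf = min(common_prefix(a[::-1], b[::-1]), limit)
    # Both ends agree but the strings differ: the swap a quick glance misses.
    looks_same = pre >= glance and suf >= glance
    return PasteCheck("lookalike-swap" if looks_same else "mismatch", pre, suf, pre)


if __name__ == "__main__":
    print(check_paste(EXPECTED, SWAPPED))
```

A "lookalike-swap" verdict means the two strings would pass a first-and-last-characters glance while being different addresses, so the transaction should not be sent.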

The single point of failure in this attack is the clipboard itself. The theft happens in the half-second between copy and paste. The habit that neutralizes almost all of this risk is simple and powerful: verify the full address and confirm it on a physical device before every transaction.

For official updates and guidance, Microsoft's security blog and the UK's National Cyber Security Centre (NCSC) are the primary references. The FBI's 2025 Internet Crime Complaint Center (IC3) report recorded $11.4 billion in crypto fraud losses in the United States, a 22 percent surge from 2024 and an all-time record, underscoring the broader threat landscape that malware like this operates within.

The campaign's longevity since February 2026 suggests that many users may already be infected without realizing it. The quiet nature of the malware, combined with the routine nature of copy-paste operations, makes detection difficult for the average user. Security awareness and deliberate verification habits remain the most effective defenses against this type of threat.