Microsoft has issued a warning about cryptocurrency-stealing malware that has been active since at least February 2026 and poses a serious threat to crypto holders and anyone who handles digital assets.
According to Microsoft Threat Intelligence, the malware, detected as Trojan/CryptoBandits, combines several attack vectors in a single application. It spreads via infected USB drives, and the sensitive information it steals is sent back to the attackers over the Tor network, which gives them an anonymized transmission channel.
The infection typically starts when a victim opens a malicious Windows shortcut (.LNK) file stored on a USB drive. Once executed, the malware scans the system for common document types such as PDF, DOC, and XLSX files. It then hides the legitimate files and replaces them with malicious shortcuts carrying identical names, increasing the likelihood that additional users will unknowingly trigger the malware.
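The decoy pattern described above (a document hidden, a shortcut with the same name left beside it) is something a responder can look for on a suspect drive. The script below is an added example, not code from the article or from Microsoft's report; the document extensions, the sample file names it constructs and the hidden-attribute check are assumptions about how such a decoy looks, not indicators published by the page.

```python
"""Scan a folder (for example a mounted USB drive) for .lnk shortcuts that shadow
a document of the same name. Added example; names and extensions are assumed."""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import List, Tuple

# Document types the report says get hidden and replaced (assumed extension set).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute (or a dot name on POSIX)."""
    try:
        st = path.stat()
    except OSError:
        return False
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    win_hidden = bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))
    return win_hidden or path.name.startswith(".")


def find_decoy_shortcuts(root: str) -> List[Tuple[str, str, bool]]:
    """Return (shortcut_path, shadowed_document_path, document_is_hidden) triples.

    A shortcut is suspicious when the name left after stripping ".lnk" has the
    same stem as a document in the same folder: "invoice.pdf.lnk" beside
    "invoice.pdf" (Explorer hides the .lnk suffix, so both display as
    "invoice.pdf") or "budget.lnk" beside "budget.xlsx".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = Path(dirpath)
        by_stem = {}
        for name in files:
            if Path(name).suffix.lower() in DOC_EXTENSIONS:
                by_stem.setdefault(Path(name).stem.lower(), []).append(name)
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            base = name[:-4]  # drop the ".lnk" suffix
            for doc in by_stem.get(Path(base).stem.lower(), []):
                doc_path = folder / doc
                findings.append((str(folder / name), str(doc_path), is_hidden(doc_path)))
    return sorted(findings)


def make_sample_drive() -> str:
    """Build a constructed sample tree in a temp dir: three decoy pairs, two benign files."""
    root = tempfile.mkdtemp(prefix="sample_usb_")
    os.makedirs(os.path.join(root, "reports"))
    for name in ["invoice.pdf", "invoice.pdf.lnk", "budget.xlsx", "budget.lnk",
                 "readme.lnk", "photo.jpg",
                 os.path.join("reports", "q1.docx"), os.path.join("reports", "q1.docx.lnk")]:
        open(os.path.join(root, name), "w").close()
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_drive()
    for lnk, doc, hidden in find_decoy_shortcuts(target):
        print(f"SUSPECT {lnk}  shadows {doc}  (hidden={hidden})")
```

Run it with the drive letter or mount point as the only argument; with no argument it scans the constructed sample tree. On Windows the hidden flag comes from the file attributes, which is the signal the report describes; on other systems only the name collision is reported.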
At the core of the operation is a 'clipper' component designed to monitor clipboard activity. Every 500 milliseconds, the malware checks copied content for cryptocurrency wallet addresses, private keys, and recovery phrases. When it detects a wallet address, it silently replaces it with an attacker-controlled alternative. Every copy-and-paste of a withdrawal address therefore becomes an opportunity for the attackers to swap in their own.
Microsoft says the malware targets multiple cryptocurrency ecosystems, including Bitcoin, Ethereum, Tron, and Monero. It also searches for 12- and 24-word BIP39 seed phrases, which give complete access to a victim's wallet. Stolen data is then transmitted through the Tor network to frustrate any tracing that could lead law enforcement to the operators' real addresses or locations.
Beyond cryptocurrency theft, researchers found that the malware can capture screenshots and execute attacker-supplied code remotely. Essentially, it installs a backdoor on the system that is designed to steal data and reach cryptocurrency wallets or even exchange accounts holding the victim's assets.
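From the defender's side, the behaviour described in the two paragraphs above has a recognisable signature: shortly after a legitimate copy, the clipboard changes to a different address of the same kind, or a recovery phrase sits on the clipboard where a clipper would find it. The code below is an added example, not code from the article or from Microsoft; the address regexes are simplified shapes for the four ecosystems the report names, the seed-phrase check is a word-count heuristic rather than a BIP39 word-list lookup, the two-second window and the sample addresses are constructed assumptions.

```python
"""Heuristic clipboard-hijack detector. Added example; patterns and window are assumed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
# Simplified address shapes (assumed); real validation would also check checksums.
PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13]" + BASE58 + r"{25,34}|bc1[a-z0-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T" + BASE58 + r"{33}$"),
    "monero": re.compile(r"^[48]" + BASE58 + r"{94}$"),
}
# 12 or 24 lowercase words: a BIP39-like phrase (heuristic, no word-list check).
SEED_WORDS = re.compile(r"^(?:[a-z]+ ){11}[a-z]+$|^(?:[a-z]+ ){23}[a-z]+$")


def classify(text: str) -> Optional[str]:
    """Name the kind of secret the clipboard text looks like, or None."""
    s = text.strip()
    for kind, rx in PATTERNS.items():
        if rx.match(s):
            return kind
    if SEED_WORDS.match(" ".join(s.lower().split())):
        return "seed-phrase"
    return None


@dataclass
class ClipperDetector:
    """Feed it each clipboard value with a timestamp; it returns an alert or None."""
    window_s: float = 2.0  # assumed: a clipper overwrites well within this interval
    last_value: Optional[str] = None
    last_kind: Optional[str] = None
    last_time: float = 0.0
    alerts: List[str] = field(default_factory=list)

    def observe(self, value: str, now: float) -> Optional[str]:
        value = value.strip()
        kind = classify(value)
        alert = None
        if kind == "seed-phrase":
            alert = "recovery phrase on clipboard; clear it after use"
        elif (kind is not None and kind == self.last_kind
              and value != self.last_value
              and now - self.last_time <= self.window_s):
            # Same address type, different value, within the window: clipper signature.
            alert = (f"{kind} address replaced {now - self.last_time:.1f}s after copy: "
                     f"{self.last_value} -> {value}")
        if alert:
            self.alerts.append(alert)
        self.last_value, self.last_kind, self.last_time = value, kind, now
        return alert


# Constructed sample values (not real wallets): a user copy, then an attacker swap.
USER_ETH = "0x" + "ab" * 20
SWAPPED_ETH = "0x" + "cd" * 20
SAMPLE_BTC = "1" + "A" * 33
SAMPLE_TRX = "T" + "B" * 33
SAMPLE_XMR = "4" + "C" * 94
SAMPLE_SEED = "apple banana cherry dog eagle fish grape hat ice jam kite lemon"


def run_sample() -> List[str]:
    """Replay a constructed clipboard timeline and return the alerts raised."""
    det = ClipperDetector()
    timeline = [
        (USER_ETH, 0.0),      # user copies their withdrawal address
        (SWAPPED_ETH, 0.5),   # 500 ms later the clipboard holds a different address
        ("hello world", 5.0),  # ordinary text
        (SAMPLE_BTC, 20.0),   # user copies a BTC address
        (SAMPLE_BTC, 20.5),   # unchanged on the next poll: no alert
        (SAMPLE_SEED, 30.0),  # recovery phrase on the clipboard
        (SAMPLE_TRX, 100.0),  # different kind from the previous value: no swap alert
    ]
    for value, t in timeline:
        det.observe(value, t)
    return det.alerts


if __name__ == "__main__":
    for a in run_sample():
        print("ALERT:", a)
```

In a live deployment `observe` would be called from a loop that reads the clipboard (for example through a platform clipboard library) at least as often as the clipper writes it, and the swap alert would prompt the user to re-check the address before sending; the address-type match is what separates a hijack from a user simply copying two different addresses.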
The use of a bundled Tor client, scheduled tasks for persistence, and worm-like USB propagation makes the campaign particularly difficult to detect and disrupt. Microsoft advises users to verify wallet addresses before sending transactions, avoid opening unknown shortcut files, and remain cautious when using removable media devices.
U.Today Editorial Team
Dan Burgin