Microsoft has identified a new cryptocurrency-targeting malware called CryptoBandits that spreads via USB drives while masquerading as benign documents, automatically substituting wallet addresses in users' clipboards to redirect funds to attacker-controlled wallets.
The malware operates by checking the clipboard every 0.5 seconds and replacing copied cryptocurrency addresses with attacker addresses before users execute transfers. Beyond clipboard interception, CryptoBandits captures seed phrases and private keys, takes screenshots of user activity, and transmits data through the Tor network to avoid detection. The worm also accepts remote commands from operators, enabling attackers to execute arbitrary code on infected systems.
Microsoft advises users to avoid connecting unknown USB devices to their computers and to manually verify wallet addresses before confirming any cryptocurrency transactions. The discovery underscores the persistent threat of supply-chain and removable-media-based attacks against cryptocurrency holders, particularly those managing substantial digital asset portfolios.