Microsoft Warns of Crypto Clipper Malware Stealing Cryptocurrency Through USB Drives

Microsoft has warned Windows users about a growing malware campaign known as Crypto Clipper that is targeting cryptocurrency holders through infected USB drives. According to the company’s threat intelligence team, the malware has been active since at least February 2026 and is designed to steal digital assets by secretly changing cryptocurrency wallet addresses during transactions.

Crypto Clipper Uses USB Drives to Spread

Researchers found that the malware spreads through malicious Windows shortcut files, also known as .lnk files, stored on removable USB devices. Once a user opens an infected shortcut, the malware hides legitimate files and replaces them with fake shortcuts that appear identical to the originals.

As a result, users may unknowingly launch the malware while accessing documents from USB drives. This method allows the threat to move from one system to another without raising immediate suspicion.
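A triage check for the pattern described above, hidden originals sitting beside same-named shortcuts on a removable drive. This is an added example, not code from Microsoft's report or from this article. It assumes the originals are concealed with the Windows hidden attribute; the function names and the sample listing are constructed for illustration.

```python
import os
from collections import defaultdict
from pathlib import PureWindowsPath

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows "hidden" bit in st_file_attributes

# Constructed listing of a removable drive: (path, has_hidden_attribute)
SAMPLE_LISTING = [
    (r"E:\budget.xlsx", True),
    (r"E:\budget.xlsx.lnk", False),
    (r"E:\Photos", True),
    (r"E:\Photos.lnk", False),
    (r"E:\notes.txt", False),
    (r"E:\Tools\setup.lnk", False),   # ordinary shortcut, no hidden twin
]


def list_entries(root):
    """Yield (path, is_hidden) for every file and folder under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                # st_file_attributes exists only on Windows; elsewhere treat as 0
                attrs = getattr(os.lstat(full), "st_file_attributes", 0)
            except OSError:
                continue
            yield full, bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_shortcut_decoys(entries):
    """Return sorted (shortcut, hidden_original) pairs sharing a folder and name."""
    hidden = defaultdict(dict)   # folder -> lowercased name -> original path
    shortcuts = []
    for path, is_hidden in entries:
        p = PureWindowsPath(path)
        if p.suffix.lower() == ".lnk":
            if not is_hidden:
                shortcuts.append((p, path))
        elif is_hidden:
            hidden[p.parent][p.name.lower()] = path
            hidden[p.parent].setdefault(p.stem.lower(), path)
    findings = []
    for p, path in shortcuts:
        # Explorer hides ".lnk", so "budget.xlsx.lnk" is shown as "budget.xlsx"
        original = hidden.get(p.parent, {}).get(p.stem.lower())
        if original:
            findings.append((path, original))
    return sorted(findings)


if __name__ == "__main__":
    for lnk, original in find_shortcut_decoys(SAMPLE_LISTING):
        print(f"suspicious: {lnk} shadows hidden {original}")
```

On a live Windows host, pass `list_entries("E:\\")` to `find_shortcut_decoys` instead of the sample listing; a match is a reason to inspect the shortcut's target before anyone opens it.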

Malware Replaces Wallet Addresses in Real Time

Crypto Clipper focuses on cryptocurrency theft by monitoring clipboard activity. When a user copies a wallet address for a transaction, the malware can instantly replace it with an attacker-controlled address. Victims may then send funds to cybercriminals without noticing the change.

Microsoft reported that the malware checks clipboard content every 500 milliseconds and targets information linked to major cryptocurrencies, including:

  • Bitcoin
  • Ethereum
  • Tron
  • Monero

The malware also searches for sensitive wallet data such as seed phrases and private keys, increasing the risk of account compromise.

Tor Network Helps Attackers Stay Hidden

Unlike traditional clipper malware, Crypto Clipper uses the Tor network to communicate with hidden command-and-control servers. Researchers discovered that it includes a bundled Tor client and routes traffic through a local SOCKS5 proxy.

Furthermore, the malware can capture screenshots and execute remote commands from attackers, giving it backdoor capabilities. Security experts say this combination of old USB-based infection methods and advanced anonymity tools makes the threat particularly dangerous.

Microsoft recommends monitoring suspicious script activity, clipboard inspection behavior, Tor-related connections, and unauthorized scheduled tasks. As cryptocurrency adoption continues to grow, experts expect threats like Crypto Clipper to remain a major cybersecurity concern.

Ayushi Somani
Ayushi Somani is an academically gifted individual who has a passion for blockchain technology. She is well-versed in the technology, having been an early adopter of cryptocurrency and investing in Bitcoin and several other digital currencies.