Microsoft’s cybersecurity team has uncovered a new malware campaign called “CryptoBandits” targeting cryptocurrency users. According to the findings shared by the company, this software can secretly change copied wallet addresses, causing digital assets to be sent to addresses controlled by attackers.
Method of transmission and mode of operation
Microsoft defined the threat in question as an advanced “clipper” malware. According to the findings, the software often enters the device via an infected USB drive that appears to contain trustworthy files or documents. When the user plugs the drive into their computer, the malware starts running silently in the background.
Mini dictionary: Clipper malware is a type of malware that monitors data copied to the clipboard and specifically replaces crypto wallet addresses with the attacker’s address. Tor is a network that aims to hide the source of internet traffic by routing it through multiple relays in layered encryption.
According to researchers, once the malware is installed on the system, it scans for common file types such as Word, PDF and Excel documents. In place of these files, it leaves shortcuts that appear to open the same document but run the malware in the background. When the user clicks one of these shortcuts, they believe a normal action is taking place, so the threat may go unnoticed for a long time.
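As an added, defender-side example (not code from Microsoft’s report): a small Python scan that lists shortcuts on a drive whose names mimic the document types named above and reports whether the impersonated document is still present. It assumes the lure shortcut keeps the document’s full name (for example invoice.pdf.lnk, which Explorer displays as invoice.pdf because the .lnk extension is always hidden); the article does not state the naming, and the sample folder the script builds is constructed.

```python
"""Flag document-mimicking .lnk shortcuts in a folder, e.g. a mounted USB drive."""
import tempfile
from pathlib import Path

# File types the article says the malware replaces with shortcuts.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx"}


def find_lure_shortcuts(root):
    """Return sorted (shortcut_path, original_still_exists) tuples.

    Assumption (not from the article): the shortcut keeps the document's
    full name, so 'invoice.pdf.lnk' impersonates 'invoice.pdf'.
    """
    findings = []
    for lnk in Path(root).rglob("*.lnk"):
        inner_ext = Path(lnk.stem).suffix.lower()   # 'invoice.pdf.lnk' -> '.pdf'
        if inner_ext in DOC_EXTS:
            original = lnk.with_name(lnk.stem)      # the document being impersonated
            findings.append((str(lnk.relative_to(root)), original.exists()))
    return sorted(findings)


def build_sample_drive():
    """Constructed sample layout resembling an infected drive (empty files, no malware)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "docs").mkdir()
    # Documents replaced by look-alike shortcuts: the pattern described in the article.
    (root / "invoice.pdf.lnk").write_bytes(b"")
    (root / "docs" / "budget.xlsx.lnk").write_bytes(b"")
    # A legitimate document with no shortcut beside it: benign.
    (root / "notes.docx").write_bytes(b"")
    # Document still present next to a shortcut: flagged, original reported as present.
    (root / "report.docx").write_bytes(b"")
    (root / "report.docx.lnk").write_bytes(b"")
    # An ordinary program shortcut: not flagged.
    (root / "app.lnk").write_bytes(b"")
    return str(root)


if __name__ == "__main__":
    for path, present in find_lure_shortcuts(build_sample_drive()):
        state = "original still present" if present else "original missing"
        print(f"{path}: document-mimicking shortcut, {state}")
```

On a real drive, point find_lure_shortcuts at the mount point; a .lnk whose impersonated document is missing is the strongest indicator of the replacement behaviour described above.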
Microsoft Defender Experts reported that the campaign, which has been tracked since February 2026, combines clipboard data theft, wallet address modification, worm-like propagation, and Tor-based communication.
Wallet addresses and seed phrases are targeted
According to Microsoft, the most striking feature of CryptoBandits is that it constantly monitors clipboard activity. Researchers stated that the software scans the contents of the clipboard every half second and searches for crypto wallet addresses and seed phrase data. When matching data is found, the address is replaced instantly, and if the user confirms the transaction without noticing, the assets go directly to the attacker’s wallet.
Another covert aspect of the campaign was its use of a portable Tor client. It was stated that thanks to this structure, internet traffic is routed through the Tor network and thus the attackers try to disguise their activities.
Researchers emphasized that users should definitely re-check their wallet address before confirming payment, otherwise the copied address may be changed unnoticed.
Microsoft’s warnings for users
Microsoft recommended that USB drives of unknown origin should not be inserted into computers. The company also recommended that wallet addresses be carefully verified before cryptocurrency transfers are approved and that security software, especially Microsoft Defender, be kept up to date.
According to the company’s assessment, the increasing complexity of attack methods raises the importance of basic cybersecurity measures, especially for users transacting with digital assets. The campaign shows that the risk is not limited to wallet security alone, but can also spread through physical devices and everyday file use.