Microsoft security researchers have disclosed a new malware campaign targeting crypto assets that has been active since February 2026. The software, identified as Trojan:Win32/CryptoBandits.A, is reported to spread mainly through USB memory sticks and to replace copied wallet addresses with the attackers' addresses within a short time. Besides being a US-based technology company, Microsoft maintains a large research team that monitors cyber security threats.
How the malware works
According to the report, infection begins when a USB drive carrying the malware is inserted into the computer. The software launches its malicious component through disguised shortcut files and can then copy itself to local storage devices. Once installed on a Windows system, it uses Tor-based proxy servers to hide its connection to the command-and-control servers.
The real risk arises when the user makes a transfer. The malware is reported to monitor the clipboard every 500 milliseconds and to replace the wallet address the user has copied with the attacker's address within half a second. If the user does not verify the address manually, the amount sent can go directly to the attackers' wallet.
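As an added example (not code from Microsoft's report), the following Python detector replays a constructed clipboard timeline and flags the pattern described above: one wallet-address-shaped string replaced by a different address of the same format within about the half-second window, which a person re-copying an address would not produce. The address patterns are loose shape checks assumed for the example, not checksum validation, and the addresses in the sample are made up.

```python
import re
from typing import List, Optional, Tuple

# Loose shape checks for two common address formats (assumed for this example; format only, no checksums).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_kind(text: str) -> Optional[str]:
    """Return 'btc'/'eth' if the text looks like a wallet address, else None."""
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return kind
    return None

# A clipboard snapshot is (time observed in ms, clipboard text).
Snapshot = Tuple[int, str]
# An alert is (time in ms, address kind, original, replacement, ms between the two).
SwapAlert = Tuple[int, str, str, str, int]

def detect_clipboard_swaps(snapshots: List[Snapshot], max_delta_ms: int = 1000) -> List[SwapAlert]:
    """Flag an address replaced by a *different* address of the same format within
    max_delta_ms. A person re-copying an address takes far longer than the ~500 ms
    polling interval reported for this campaign, so a fast same-format change is the signal."""
    alerts: List[SwapAlert] = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = address_kind(before)
        if kind is None or address_kind(after) != kind:
            continue                      # not an address-to-address change
        if before.strip() == after.strip():
            continue                      # same address observed again: no change
        if t1 - t0 <= max_delta_ms:
            alerts.append((t1, kind, before, after, t1 - t0))
    return alerts

# Constructed clipboard timeline (made-up addresses): the user copies a BTC address, it is
# replaced 500 ms later, then an unrelated string is copied and, much later, a second ETH
# address is copied legitimately and must not be flagged.
SAMPLE_TIMELINE: List[Snapshot] = [
    (0, "bc1q" + "useraddrexample" + "0" * 23),
    (500, "bc1q" + "otheraddrxxxxx" + "1" * 24),
    (9000, "invoice #42 - thanks"),
    (20000, "0x" + "a" * 40),
    (50000, "0x" + "b" * 40),
]

if __name__ == "__main__":
    for t, kind, before, after, delta in detect_clipboard_swaps(SAMPLE_TIMELINE):
        print(f"t={t}ms: {kind} address changed after {delta}ms: {before} -> {after}")
```

Feeding real clipboard observations into `detect_clipboard_swaps` (for example from an endpoint agent that records clipboard changes with timestamps) turns the same logic into a host-level alert.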
According to Microsoft's researchers, the software not only swaps wallet addresses but also scans local files in an attempt to capture private keys and seed phrases.
Mini dictionary: A seed phrase is a backup phrase used to recover a crypto wallet and usually consists of 12 or 24 words. If it is intercepted, control of the assets in the wallet may be lost.
Recommended precautions
Microsoft recommended reviewing daily usage habits in light of such attacks: turning off the AutoRun feature on Windows devices, not using USB devices of unknown origin, and checking every character of the wallet address one by one before approving a transfer. It also emphasized that hardware wallets, which operate isolated from the internet, are among the most reliable options for protecting seed phrase information.
Microsoft’s previous warnings and operations
The company has previously warned about other threats targeting crypto users. Among these were two npm packages in which malicious components were hidden; the tools in question were reported to collect keystrokes and screenshots through remote access malware and then exfiltrate wallet credentials.
In May 2025, Microsoft led a globally coordinated operation against the Lumma Stealer infrastructure, which is stated to have been active since late 2022. It was reported that 2,300 malicious domain names were seized in the course of this operation, and that the US Department of Justice took action against the central control panel and darknet marketplaces.
Under the court order, Microsoft's Digital Crimes Unit seized the 2,300 domain names, while Europol's EC3 and Japan's JC3 took down the remaining servers in Europe and Asia.
The current findings show that malware spread via physical media is once again a prominent concern for crypto security. In particular, the combination of USB-based infection with the clipboard address-swapping technique makes careful verification even more important for individual investors.