Microsoft Warns of CryptoBandits Malware Targeting Crypto Wallet Users via USB Devices
Microsoft has warned cryptocurrency users about a malware campaign known as CryptoBandits.A, which spreads through infected USB devices and malicious Windows shortcut files. In a recent Security Blog report, the company said the malware has been active since February 2026 and is designed to steal wallet credentials, monitor clipboard activity, and replace cryptocurrency addresses during transactions, potentially putting self-custody users at risk.
How CryptoBandits Spreads
According to Microsoft, CryptoBandits typically gains access through malicious Windows shortcut (.lnk) files distributed on USB storage devices. Once executed, the malware installs itself on the victim's computer and creates scheduled tasks that allow it to remain active even after the device is restarted.
The malware also scans USB drives for commonly used files such as Word documents, spreadsheets, and PDFs. Legitimate files are hidden and replaced with shortcut files carrying the same names, increasing the likelihood that users unknowingly launch the malicious payload. This approach allows the malware to spread through routine file-sharing activities and removable storage devices, turning a simple document exchange into a potential security risk.
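The lure pattern described above (a hidden document sitting next to a .lnk with the same name) is something a defender can check for on a removable drive before anyone opens files from it. The following is an added example, not code from Microsoft's report or from any vendor tool. It reads the Windows hidden attribute through os.stat when available and otherwise treats dotfiles as hidden, which is only an approximation; the document extensions, the SAMPLE_LISTING entries and the function names are all assumptions for the demonstration.

```python
"""Flag the USB lure pattern: a document that has been hidden, with a
Windows shortcut (.lnk) of the same base name placed beside it.
Added example; not code from Microsoft or from the CryptoBandits report."""
import os
import sys
from dataclasses import dataclass
from pathlib import Path

# Document types the article says the malware targets (assumed extensions).
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows FILE_ATTRIBUTE_HIDDEN bit


@dataclass(frozen=True)
class Entry:
    name: str     # file name within a single directory
    hidden: bool  # hidden attribute (dotfile fallback off Windows)


def is_hidden(path: Path) -> bool:
    """True if the file carries the Windows hidden attribute; on other
    platforms fall back to the dotfile convention (approximate)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def _document_stem(lnk_name: str) -> str:
    """Return the base name a shortcut impersonates. Lures may keep the
    document extension in the display name ('report.pdf.lnk'), so strip
    a trailing document extension if one is present."""
    inner = Path(Path(lnk_name).stem)
    return inner.stem if inner.suffix.lower() in DOC_EXTENSIONS else inner.name


def find_lure_pairs(entries):
    """Given one directory's entries, return sorted (lnk_name, hidden_doc)
    pairs where a .lnk shares its base name with a hidden document."""
    hidden_docs = {}
    for e in entries:
        p = Path(e.name)
        if e.hidden and p.suffix.lower() in DOC_EXTENSIONS:
            hidden_docs[p.stem.lower()] = e.name
    pairs = []
    for e in entries:
        if Path(e.name).suffix.lower() == ".lnk":
            doc = hidden_docs.get(_document_stem(e.name).lower())
            if doc is not None:
                pairs.append((e.name, doc))
    return sorted(pairs)


def scan_drive(root: Path):
    """Walk a mounted drive and collect lure pairs per directory."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        entries = [Entry(n, is_hidden(Path(dirpath) / n)) for n in filenames]
        pairs = find_lure_pairs(entries)
        if pairs:
            findings[dirpath] = pairs
    return findings


# Constructed listing resembling an infected drive's root directory.
SAMPLE_LISTING = [
    Entry("invoice.docx", hidden=True),
    Entry("invoice.lnk", hidden=False),       # shortcut impersonating the doc
    Entry("budget.xlsx", hidden=True),
    Entry("budget.xlsx.lnk", hidden=False),   # variant keeping the extension
    Entry("readme.txt", hidden=False),
    Entry("notes.pdf", hidden=False),         # visible document, benign
    Entry("Setup.lnk", hidden=False),         # .lnk with no hidden twin
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for directory, pairs in scan_drive(Path(sys.argv[1])).items():
            for lnk, doc in pairs:
                print(f"{directory}: {lnk} shadows hidden {doc}")
    else:
        for lnk, doc in find_lure_pairs(SAMPLE_LISTING):
            print(f"{lnk} shadows hidden {doc}")
```

Run it with a drive letter or mount point as the argument to scan a real device; with no argument it evaluates the constructed listing. A hit is a strong signal to avoid opening anything on the drive and to image it for analysis rather than cleaning it in place.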
Monitoring Wallet Activity
After infecting a system, CryptoBandits continuously monitors clipboard activity, checking for cryptocurrency wallet addresses, private keys, and BIP39 seed phrases. Microsoft said the malware scans clipboard contents approximately every 500 milliseconds, enabling it to react almost instantly when wallet-related information is copied.
If a cryptocurrency address is detected, the malware can replace it with an attacker-controlled address before a transaction is completed. In some cases, the replacement address is intentionally made to resemble the original address, reducing the chances that users notice the alteration before confirming a transfer. The malware can also collect wallet recovery phrases and private keys, which may then be transmitted to attackers through the Tor network.
Risks for Self-Custody Users
The report highlights a key challenge for self-custody users. While hardware wallets and offline storage solutions can help protect private keys, they cannot fully prevent attacks when the computer used to manage transactions has already been compromised.
A compromised device can expose sensitive wallet information or manipulate transaction details before funds are sent, potentially bypassing the security benefits users expect from self-custody. Because of this, security experts continue to recommend verifying wallet addresses before every transaction, avoiding unknown USB devices, and maintaining strong endpoint security practices on systems used to manage digital assets.
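The two defensive points in the sections above, that a swapped address is often a lookalike sharing its first and last characters, and that the address should be verified in full before every transaction, can both be turned into checks. The following is an added example and is not code from Microsoft's report or from any wallet vendor. The address regexes are deliberately narrow approximations, the GENUINE and SWAPPED values and the SAMPLE_TIMELINE are constructed, and the 2000 ms window used to call a change suspicious is an assumed heuristic, not a figure from the article.

```python
"""Detect lookalike address substitution and audit a clipboard timeline
for in-place swaps. Added example; not code from Microsoft's report."""
import re
from dataclasses import dataclass

# Approximate patterns for two common address formats (constructed).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address family of a clipboard string, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def _common_prefix_len(a: str, b: str) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


@dataclass(frozen=True)
class SwapVerdict:
    changed: bool        # observed differs from intended
    lookalike: bool      # same family, shares >= edge chars at both ends
    shared_prefix: int
    shared_suffix: int


def compare_addresses(intended: str, observed: str, edge: int = 4) -> SwapVerdict:
    """Compare the address the user meant to send to with the one actually
    present. A lookalike is what a prefix/suffix eyeball check would miss."""
    intended, observed = intended.strip(), observed.strip()
    prefix = _common_prefix_len(intended, observed)
    suffix = _common_prefix_len(intended[::-1], observed[::-1])
    changed = intended != observed
    same_kind = classify_address(intended) == classify_address(observed) is not None
    lookalike = changed and same_kind and prefix >= edge and suffix >= edge
    return SwapVerdict(changed, lookalike, prefix, suffix)


def verify_before_send(intended: str, observed: str) -> bool:
    """Full-string comparison of the destination, which is the check the
    article recommends before every transaction. Only whitespace is
    tolerated; no partial match counts."""
    return intended.strip() == observed.strip()


def audit_clipboard_timeline(snapshots, max_gap_ms: int = 2000):
    """snapshots: list of (time_ms, clipboard_text). Report transitions from
    one address to a different address of the same family within max_gap_ms,
    the signature of an in-place swap rather than the user copying anew."""
    alerts = []
    prev_t, prev_text = None, None
    for t, text in snapshots:
        if prev_text is not None:
            a, b = classify_address(prev_text), classify_address(text)
            if a is not None and a == b and prev_text != text and t - prev_t <= max_gap_ms:
                alerts.append((prev_t, t, compare_addresses(prev_text, text)))
        prev_t, prev_text = t, text
    return alerts


# Constructed values: a genuine destination and a lookalike that keeps the
# first eight and last four hex characters but differs in the middle.
GENUINE = "0x52908400098527886E0F7030069857D2E4169EE7"
SWAPPED = "0x52908400" + "abcdefabcdefabcdefabcdefabcd" + "9EE7"

# Constructed timeline: the address is replaced 500 ms after being copied.
SAMPLE_TIMELINE = [
    (0, "meeting notes"),
    (1000, GENUINE),
    (1500, SWAPPED),
    (9000, "unrelated text"),
]

if __name__ == "__main__":
    for start, end, verdict in audit_clipboard_timeline(SAMPLE_TIMELINE):
        print(f"swap between t={start}ms and t={end}ms: {verdict}")
    print("safe to send:", verify_before_send(GENUINE, SWAPPED))
```

The timeline audit is a heuristic: a user who copies two different addresses within two seconds will trigger it too, so treat it as a prompt to re-verify rather than a definitive detection. The point of compare_addresses is to show how a lookalike can pass a glance at the first and last few characters, which is why verify_before_send compares the whole string.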
Growing Focus on Device Security
Microsoft did not disclose how many users may have been affected or the amount of cryptocurrency potentially lost through the campaign. However, the company emphasized that endpoint security remains a critical component of protecting digital assets.
The emergence of CryptoBandits reflects a broader trend in crypto-related cybercrime, where attackers increasingly focus on exploiting user behavior and device vulnerabilities rather than attacking blockchain networks directly. As cryptocurrency adoption continues to grow, securing the devices used to access wallets may be just as important as securing the wallets themselves.