TL;DR: Microsoft found a USB worm active since February that hijacks clipboards to swap crypto wallet addresses and routes stolen data through a portable Tor client.

Microsoft Threat Intelligence has identified a new strain of self-propagating malware that spreads through USB drives, monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, and routes all stolen data through a portable Tor client to avoid detection. The campaign has been active since at least February 2026, according to Microsoft’s analysis published this week.

The malware, which Microsoft detects as Trojan:Win32/CryptoBandits.A, works as a classic USB worm with a modern payload. When a user plugs in an infected drive, they see what appear to be their usual document files. The originals have been hidden, replaced by Windows shortcut (.lnk) files bearing the same names that silently execute the malware when opened.

The .lnk files scan the drive for documents with .doc, .xlsx, and .pdf extensions, hide the originals, and create matching shortcut files in their place. The worm component also writes itself to any new USB drive connected to an infected machine, allowing it to spread further without user action beyond opening what looks like a normal file.
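The shortcut-for-document swap described above leaves a recognisable pattern on a drive: a hidden .doc, .xlsx or .pdf file sitting next to a .lnk with the same name. The following triage check is an added example, not code from Microsoft's analysis; it assumes the originals are hidden with the Windows Hidden file attribute and that the shortcut is named either `name.lnk` or `name.ext.lnk`, and the function names and sample listing are constructed for illustration.

```python
import os
import stat
import sys
from pathlib import PureWindowsPath

# Document extensions named in the article.
DOC_EXTS = {".doc", ".xlsx", ".pdf"}

def find_lnk_decoys(entries):
    """entries: iterable of (filename, is_hidden) for one directory.
    Returns sorted (shortcut, hidden_original) pairs that share a name."""
    hidden = {}      # lookup key -> hidden document name
    shortcuts = []
    for name, is_hidden in entries:
        p = PureWindowsPath(name)
        ext = p.suffix.lower()
        if ext == ".lnk":
            shortcuts.append(name)
        elif is_hidden and ext in DOC_EXTS:
            # Assumption: a decoy may be "Report.pdf.lnk" or "Report.lnk";
            # Explorer hides the .lnk suffix, so both look like the document.
            hidden[name.lower()] = name
            hidden.setdefault(p.stem.lower(), name)
    hits = []
    for lnk in shortcuts:
        key = PureWindowsPath(lnk).stem.lower()
        if key in hidden:
            hits.append((lnk, hidden[key]))
    return sorted(hits)

def list_dir(path):
    """Yield (filename, is_hidden) for regular files in path.
    st_file_attributes exists only on Windows; elsewhere nothing is hidden."""
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            attrs = getattr(entry.stat(follow_symlinks=False),
                            "st_file_attributes", 0)
            yield entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)

# Constructed sample listing of a drive root (not taken from a real sample).
SAMPLE = [
    ("Budget.xlsx", True), ("Budget.xlsx.lnk", False),
    ("Report.pdf", True), ("Report.lnk", False),
    ("Notes.doc", False),   # visible document, no shortcut
    ("Setup.lnk", False),   # shortcut with no hidden twin
    ("Old.pdf", True),      # hidden document with no shortcut
]

if __name__ == "__main__":
    listing = list_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for lnk, original in find_lnk_decoys(listing):
        print(f"suspicious: {lnk} stands in for hidden {original}")
```

Run it with a drive root as the argument on a Windows host to check a removable drive; a hit is a lead for further analysis, not a verdict.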