Microsoft flags Windows crypto clipper stealing seed phrases, keys, and wallets through Tor and USB drives

Microsoft has flagged a malicious program that has been operating quietly since February and targets Windows machines. The malicious program, dubbed CryptoBandits, can steal seed phrases, keys, and wallets through the Tor network and is transferable via USB drives. 

In a blog post published on June 17th, Microsoft Threat Intelligence and Microsoft Defender experts exposed a malicious campaign that has been draining crypto wallets without victims noticing. Microsoft security experts laid out a mix of old-school USB worm tactics and modern anonymity tooling that made the malicious program undetectable for months.

According to the researchers, the malicious campaign could execute clipboard theft, wallet address replacement, worm-like spreading, and Tor-based communication into a single program. The program also retained access to the local machine long after the malicious code was executed. 

Microsoft explains how the infection executes

Microsoft’s detailed blog post revealed that the infection began in the old-fashioned way, via a USB stick. The malware then accessed shortcut files dropped into removable drives. Once plugged into a machine, the worm component activates immediately. 

The worm component hunts down ordinary files like DOCs, spreadsheets, and PDFs on the device, hides the real ones, and replaces them with fake shortcuts carrying the same names. Once this is done, the unsuspecting Windows users click on the shortcuts, thinking they are opening the typical Word or Excel file, but instead, the action triggers the malware.

The malware then spreads itself to the machine’s USB drive and sets up scheduled tasks to keep it running after a reboot, and excludes itself from Microsoft Defender scans. 

When the actual clipper is activated in the second phase, the script-based payload leans on Windows ScriptHost and Active X objects rather than a typical installer, making it extremely hard to detect. 

Once everything is set up, the malware launches a Tor client in a hidden window and generates a unique victim ID, registers itself with a command-and-control server hidden behind a Tor onion address. This way, the malware can successfully channel information through that hidden channel without being detected. 

Microsoft on why this malware is harder to catch

Microsoft’s security team explained that the malware settles into a loop, polling its operators and scanning the clipboard roughly every half a second. The program is specifically developed to recognize 12-or 24-word BIP39 seed phrases. 

The malware scans for Ethereum keys and Bitcoin WIF-format private keys, saves a local backup, and pushes it out to the attackers serve over the Tor network. It is designed to retry the same sequence of events multiple times until the push is successful. The program then deletes the local copy, only upon a successful push, and takes multiple screenshots every second, giving the attackers a visual read of the victim’s wallet balance and activity. 

If a wallet address shows up in the clipboard, the malware can swap it for one controlled by the attacker before the victim pastes it. Copy a Bitcoin address to send a payment, and what actually lands in the destination field might belong to someone else entirely.

Microsoft Defender Antivirus now flags the threat as Trojan:Win32/CryptoBandits.A, and Defender for Endpoint watches for behaviors like suspicious JavaScript processes and curl-based data exfiltration.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.