Microsoft crypto clipper malware spreading via USB drives stealing wallet addresses and seed phrases
By Hamza Ahmed

Microsoft Warns: USB-Spread Malware That Drains Crypto Wallets

Microsoft flagged a USB-spread crypto clipper malware on June 17, 2026, active since February. It swaps wallet addresses mid-paste and steals seed phrases via…

Five hundred milliseconds. That is how often this malware checks your clipboard, waiting for you to paste a wallet address so it can swap it with an attacker's. Microsoft disclosed the threat on June 17, 2026, even though the campaign had been running quietly since February. The reason this matters is blunt: it targets the single most routine action in crypto, copying and pasting an address.

The malware is technically a crypto clipper, and Microsoft Defender identifies it as Trojan:Win32/CryptoBandits.A. It spreads through infected USB drives on Windows systems. Binance also separately warned its own users about the campaign. This is not a simple data thief: it combines credential theft, worm-like self-propagation, and a backdoor for remote control. The hack section of SpazioCrypto covers comparable incidents.

How the Attack Works

The infection chain is quiet and methodical, requiring almost no deliberate action from the victim:

  1. Infected USB drive: Real files are hidden and replaced with shortcuts disguised as documents.
  2. Execution: Opening the fake shortcut triggers a script that installs a worm, with scheduled tasks ensuring persistence across reboots.
  3. Surveillance: The malware polls the Windows clipboard every 500 milliseconds and captures screenshots at regular intervals.
  4. Theft and substitution: It scans for seed phrases and private keys, and whenever you copy a wallet address, it silently swaps it for the attacker's address.
  5. Exfiltration: Stolen data is exfiltrated through the Tor network, masking the attacker's infrastructure.

Why This Clipper Is More Dangerous Than Most

Functionally, three details push this malware well beyond the typical clipboard hijacker. First, the Tor routing: by channeling communications through a local proxy and hidden onion addresses, the malware makes the operator practically untraceable. Second, the backdoor: beyond immediate theft, it allows the attacker to execute additional code later, opening the door to ransomware deployments or follow-on intrusions. The third detail is the most deceptive.

[Image: Digital file theft and wallet address substitution]

When the malware replaces a copied wallet address, it doesn't just paste any string. It generates an address that visually resembles the original, matching the first and last few characters, so a casual glance won't catch the swap. The malware targets Bitcoin across its address formats, as well as Ethereum, Tron, and Monero. This is precisely the kind of trap covered in SpazioCrypto's scams section.

How to Protect Yourself

The good news is that the countermeasures are straightforward and accessible to anyone:

  • Disable AutoRun and AutoPlay: Turn off automatic execution for removable devices so USB drives can't launch anything on their own.
  • Never trust an unknown USB drive: Treat every removable storage device of uncertain origin as potentially compromised.
  • Verify the full address: Before sending any transaction, check the complete wallet address, not just the first and last characters.
  • Use a hardware wallet: Confirm the destination address on the device's own screen, where clipboard malware cannot interfere. SpazioCrypto's self-custody guide covers the options in detail.
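The following script is an added example, not code from the article or from Microsoft; it illustrates both the clipboard-swap mechanism described under "How the Attack Works" and the "verify the full address" advice above. It takes a constructed timeline of clipboard polls (the 500 ms cadence the article cites) plus a hypothetical flag saying whether a user copy action preceded each poll, and flags any transition from one wallet address to a different address of the same chain that no user copy explains. It then shows why a glance at the first and last characters passes a lookalike replacement while a full comparison against the intended address does not. All addresses, the poll timeline and the address-shape patterns are constructed for the demonstration; the patterns match common textual forms only and do not validate checksums.

```python
"""Clipboard-swap detector and full-address verifier (added example, constructed data)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Coarse address-shape patterns for the chains the article names.
# Shape checks only: a clipper-generated address is itself well-formed, so
# shape validity never proves an address is the one you meant to send to.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(
        rf"^(1{BASE58}{{25,34}}|3{BASE58}{{25,34}}|bc1[02-9ac-hj-np-z]{{11,71}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(rf"^T{BASE58}{{33}}$"),
    "monero": re.compile(rf"^[48]{BASE58}{{94}}$"),
}


def classify_address(text: str) -> Optional[str]:
    """Return the chain whose address shape `text` matches, or None for non-addresses."""
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return chain
    return None


def looks_alike(a: str, b: str, edge: int = 4) -> bool:
    """True when two different addresses share their first and last `edge` characters."""
    return a != b and a[:edge] == b[:edge] and a[-edge:] == b[-edge:]


@dataclass
class ClipboardSample:
    t_ms: int         # time of the poll in milliseconds (constructed)
    content: str      # clipboard text observed at that poll
    user_copy: bool   # hypothetical key-hook signal: the user copied just before this poll


def detect_swaps(samples: List[ClipboardSample]) -> List[dict]:
    """Flag address-to-address clipboard changes on the same chain with no user copy.

    Returns one alert per suspicious transition, recording both addresses, whether the
    replacement is a prefix/suffix lookalike, and how long after the previous poll it appeared.
    """
    alerts = []
    prev = None
    for s in samples:
        chain = classify_address(s.content)
        if (prev is not None and chain is not None
                and chain == classify_address(prev.content)
                and s.content != prev.content and not s.user_copy):
            alerts.append({
                "t_ms": s.t_ms,
                "chain": chain,
                "original": prev.content,
                "replacement": s.content,
                "lookalike": looks_alike(prev.content, s.content),
                "latency_ms": s.t_ms - prev.t_ms,
            })
        prev = s
    return alerts


def first_mismatch(a: str, b: str) -> Optional[int]:
    """Index of the first differing character, or None when the strings are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_destination(intended: str, pasted: str, edge: int = 4) -> dict:
    """Compare what you meant to send to with what actually got pasted.

    `glance_passes` is what checking only the first and last characters would report;
    `exact` is the full-address comparison the article recommends.
    """
    intended, pasted = intended.strip(), pasted.strip()
    return {
        "exact": intended == pasted,
        "glance_passes": intended[:edge] == pasted[:edge] and intended[-edge:] == pasted[-edge:],
        "first_mismatch": first_mismatch(intended, pasted),
    }


# Constructed addresses: the swapped one keeps the intended one's first six and last four characters.
INTENDED_ETH = "0x1a2b" + "3c" * 16 + "d4e5"
SWAPPED_ETH = "0x1a2b" + "9f" * 16 + "d4e5"
SAMPLE_BTC = "bc1q" + "a" * 38

# Constructed poll timeline at the article's 500 ms cadence.
SAMPLE_TIMELINE = [
    ClipboardSample(0, "meeting notes", True),        # ordinary text the user copied
    ClipboardSample(500, INTENDED_ETH, True),         # user copies the recipient's address
    ClipboardSample(1000, SWAPPED_ETH, False),        # replaced with no user action: the swap
    ClipboardSample(1500, SWAPPED_ETH, False),        # unchanged, nothing new to flag
    ClipboardSample(2000, SAMPLE_BTC, True),          # user legitimately copies another address
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TIMELINE):
        print(f"[{alert['t_ms']} ms] {alert['chain']} address replaced "
              f"(lookalike={alert['lookalike']}, {alert['latency_ms']} ms after previous poll)")
    print(verify_destination(INTENDED_ETH, SWAPPED_ETH))
```

Running the script reports a single alert at the 1000 ms poll and a verification result whose `glance_passes` is true while `exact` is false, with the first mismatch at index 6, exactly the blind spot a prefix-and-suffix check leaves open. A real monitor would read the clipboard through the platform API and a key hook instead of a constructed list, but the decision logic is the same.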

The single point of failure here is the clipboard. The theft happens in the half-second between copy and paste. The habit that neutralises almost all of this risk is simple and powerful: verify the full address and confirm it on a physical device before every transaction. For official updates, Microsoft's security blog and the UK's National Cyber Security Centre (NCSC) are the primary references. SpazioCrypto tracks active campaigns and related cases in the Bitcoin section.
