Copy a Bitcoin address, paste it — and the money goes to a stranger. That's the trick behind CryptoBandits, a Windows trojan Microsoft detailed in its security blog on June 17, 2026. The malware has been circulating since February, spreading through USB drives using a technique simple enough to fool almost anyone.
The infection starts with a shortcut. The worm replaces ordinary files on a USB stick — Word documents, PDFs, spreadsheets — with identically named .lnk files. Opening what looks like a regular document actually runs the trojan. After that, CryptoBandits checks the Windows clipboard every 500 milliseconds. The instant it spots a Bitcoin, Ethereum, Tron, or Monero wallet address, it swaps in an attacker-controlled address before the paste lands. The right address shows up when you copy; the wrong one reaches the recipient field.
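The swap described above is detectable from the defender's side: if what you copied and what the clipboard now holds are both wallet addresses of the same family but differ, something rewrote the clipboard behind your back. The following is an added example (not code from Microsoft's write-up or from the malware) showing that check, plus the "compare the first and last few characters" habit as a function. The address patterns are loose format checks that I am assuming are good enough for flagging purposes; they do not validate checksums, and all sample addresses are constructed.

```python
import re

# Loose format patterns for the address families the article names (assumption:
# enough to say "this looks like a Bitcoin/Ethereum/Tron/Monero address"; no
# checksum validation is performed).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[a-km-zA-HJ-NP-Z1-9]{33}$"),
    "monero": re.compile(r"^[48][a-km-zA-HJ-NP-Z1-9]{94}$"),
}


def classify_address(text):
    """Return the address family name, or None if the text is not an address."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


def looks_swapped(copied, read_back):
    """True when the text placed on the clipboard and the text read back later are
    both addresses of the same family but differ: the signature of a clipper."""
    family = classify_address(copied)
    return (
        family is not None
        and classify_address(read_back) == family
        and copied.strip() != read_back.strip()
    )


def audit_snapshots(snapshots):
    """Walk a sequence of clipboard snapshots (as a polling loop would collect
    them) and report every same-family address change between consecutive
    reads. Returns a list of (index, before, after)."""
    events = []
    for i in range(1, len(snapshots)):
        if looks_swapped(snapshots[i - 1], snapshots[i]):
            events.append((i, snapshots[i - 1], snapshots[i]))
    return events


def visual_check(expected, pasted, n=4):
    """The manual habit the article recommends, as code: the first and last n
    characters of the pasted address must match the one you meant to send to."""
    e, p = expected.strip(), pasted.strip()
    return len(p) >= 2 * n and e[:n] == p[:n] and e[-n:] == p[-n:]


# Constructed sample addresses (not real wallets).
USER_BTC = "1DefenderTestAddr" + "z" * 17
EVIL_BTC = "1ThiefTestAddr" + "y" * 20
USER_ETH = "0x" + "1234567890abcdef" * 2 + "12345678"
EVIL_ETH = "0x" + "deadbeef" * 5

# Constructed clipboard history: the user copies their own address, then a
# later read returns a different address of the same family.
SAMPLE_HISTORY = ["meeting notes", USER_BTC, USER_BTC, EVIL_BTC, USER_ETH, EVIL_ETH, "done"]

if __name__ == "__main__":
    for index, before, after in audit_snapshots(SAMPLE_HISTORY):
        print(f"snapshot {index}: {before[:6]}... became {after[:6]}...")
    print("visual check on tampered paste:", visual_check(USER_BTC, EVIL_BTC))
```

Feeding the snapshots from a real clipboard poll is left to the caller; the heuristic cannot tell a legitimate second copy from a hijack, so treat a hit as a prompt to re-check the recipient field rather than as proof of infection.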
Address swapping is only part of what it does. The malware also captures BIP39 seed phrases — the 12 to 24 words that unlock a wallet completely — along with raw private keys. All of it travels over Tor: CryptoBandits bundles its own Tor client, connects to .onion command servers, and routes stolen data through that channel. Standard network monitoring tools see almost nothing.
What keeps the threat spreading is self-replication. Plug a clean USB into an infected machine and the worm copies itself onto it immediately. In workplaces where drives change hands regularly, one contaminated stick can quietly seed an entire office network.
Microsoft's recommended steps: disable AutoPlay on USB devices, block .lnk execution from external media, and watch for unexpected activity on localhost:9050, where CryptoBandits establishes its Tor connection. For anyone regularly transacting crypto, the most practical defense is manual address checking — compare the first and last few characters after every paste. It takes three seconds and can prevent total loss.
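Two of those recommendations translate directly into a triage script. The following is an added example (mine, not Microsoft's tooling): it scans a drive root for .lnk files that impersonate documents, either by carrying a double extension or by sharing a base name with a document sitting beside them, and it parses netstat-style output for connections to port 9050. The drive contents and the netstat lines are constructed in the script so it runs offline; the hypothetical PIDs and ports in them are not indicators from the report.

```python
import os
import tempfile

# Document types the worm is described as impersonating on removable media.
DOC_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
TOR_SOCKS_PORT = "9050"


def suspicious_shortcuts(root):
    """Return (relative_path, reason) for .lnk files under root that look like
    document decoys. Hidden siblings are included because os.walk lists them."""
    hits = []
    for dirpath, _, files in os.walk(root):
        names = set(files)
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            stem = name[:-4]  # strip ".lnk"
            inner_ext = os.path.splitext(stem)[1].lower()
            reason = None
            if inner_ext in DOC_EXTS:
                reason = "double extension"  # e.g. Report.docx.lnk
            else:
                for ext in DOC_EXTS:  # e.g. Budget.lnk next to Budget.xlsx
                    if stem + ext in names:
                        reason = "shadows " + stem + ext
                        break
            if reason:
                hits.append((os.path.relpath(os.path.join(dirpath, name), root), reason))
    return sorted(hits)


def tor_proxy_connections(netstat_text):
    """Parse `netstat -ano`-style lines and return (pid, local, remote, state) for
    every TCP entry whose remote or local endpoint uses port 9050."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "TCP":
            continue
        proto, local, remote, state, pid = parts[:5]
        if local.rsplit(":", 1)[-1] == TOR_SOCKS_PORT or remote.rsplit(":", 1)[-1] == TOR_SOCKS_PORT:
            found.append((pid, local, remote, state))
    return found


def build_sample_drive():
    """Constructed stand-in for a USB root; not an image of an infected stick."""
    root = tempfile.mkdtemp(prefix="usb_")
    for name in ["Budget.xlsx", "Budget.lnk", "Report.docx.lnk", "Notes.txt", "Real.lnk"]:
        open(os.path.join(root, name), "w").close()
    return root


# Constructed netstat output; PIDs and ephemeral ports are hypothetical.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:51234        127.0.0.1:9050         ESTABLISHED     4321
  TCP    192.168.1.10:51300     203.0.113.5:443        ESTABLISHED     1200
  UDP    0.0.0.0:5353           *:*                                    900
"""

if __name__ == "__main__":
    drive = build_sample_drive()
    for path, reason in suspicious_shortcuts(drive):
        print(f"[shortcut] {path}: {reason}")
    for pid, local, remote, state in tor_proxy_connections(SAMPLE_NETSTAT):
        print(f"[tor-port] pid {pid} {local} -> {remote} ({state})")
```

A listener on 127.0.0.1:9050 is exactly what a legitimately installed Tor Browser opens too, so pair the port hit with the owning process before acting on it.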