CryptoBandits Steals Crypto via USB Drives, Hides Behind Tor

iEXExchanger

Microsoft has detailed CryptoBandits, a Windows trojan spreading via USB drives since February 2026. It swaps wallet addresses in the clipboard and exfiltrates seed phrases over the Tor network.

Copy a Bitcoin address, paste it — and the money goes to a stranger. That's the trick behind CryptoBandits, a Windows trojan Microsoft detailed in its security blog on June 17, 2026. The malware has been circulating since February, spreading through USB drives using a technique simple enough to fool almost anyone.

The infection starts with a shortcut. The worm replaces ordinary files on a USB stick — Word documents, PDFs, spreadsheets — with identically named .lnk files. Opening what looks like a regular document actually runs the trojan. After that, CryptoBandits checks the Windows clipboard every 500 milliseconds. The instant it spots a Bitcoin, Ethereum, Tron, or Monero wallet address, it swaps in an attacker-controlled address before the paste lands. The right address shows up when you copy; the wrong one reaches the recipient field.

Address swapping is only part of what it does. The malware also captures BIP39 seed phrases — the 12 to 24 words that unlock a wallet completely — along with raw private keys. All of it travels over Tor: CryptoBandits bundles its own Tor client, connects to .onion command servers, and routes stolen data through that channel. Standard network monitoring tools see almost nothing.

What keeps the threat spreading is self-replication. Plug a clean USB into an infected machine and the worm copies itself onto it immediately. In workplaces where drives change hands regularly, one contaminated stick can quietly seed an entire office network.

Microsoft's recommended steps: disable AutoPlay on USB devices, block .lnk execution from external media, and watch for unexpected activity on localhost:9050, where CryptoBandits establishes its Tor connection. For anyone regularly transacting crypto, the most practical defense is manual address checking — compare the first and last few characters after every paste. It takes three seconds and can prevent total loss.
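A defender-side illustration of the clipboard-swap behaviour and the manual check described above, added here as an example and not code from Microsoft's report or the original article. It uses shape-only matchers for the four address formats named, flags an address replaced by a different address of the same chain between two polls, and implements the first-and-last-characters comparison; the clipboard history is constructed, and a real monitor would read the clipboard through the OS API rather than a list.

```python
import re
from typing import List, Optional, Tuple

# Shape-only patterns (prefix, alphabet, length), no checksum validation.
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{25,87})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
    "monero": re.compile(r"^[48][1-9A-HJ-NP-Za-km-z]{94}$"),
}

def classify(text: str) -> Optional[str]:
    """Name the chain a clipboard string looks like, or None."""
    text = text.strip()
    return next((c for c, p in ADDRESS_PATTERNS.items() if p.match(text)), None)

def detect_swap(previous: str, current: str) -> Optional[str]:
    """Same chain, different value between two polls is the clipper's signature.
    A real monitor should also confirm no user copy happened in between (e.g.
    via the clipboard sequence number) so a legitimate second copy isn't flagged."""
    prev_chain, curr_chain = classify(previous), classify(current)
    if prev_chain and prev_chain == curr_chain and previous.strip() != current.strip():
        return prev_chain
    return None

def scan_history(polls: List[str]) -> List[Tuple[int, str, str]]:
    """Apply detect_swap to consecutive polls; return (index, chain, value)."""
    return [(i, ch, polls[i]) for i in range(1, len(polls))
            if (ch := detect_swap(polls[i - 1], polls[i]))]

def paste_matches(pasted: str, expected: str, edge: int = 4) -> bool:
    """The manual habit from the article: same length, same first and last
    `edge` characters. Comparing the full string is stricter when feasible."""
    p, e = pasted.strip(), expected.strip()
    return len(p) == len(e) and p[:edge] == e[:edge] and p[-edge:] == e[-edge:]

# Constructed clipboard polls (not real addresses, not captured data).
MY_ETH = "0x" + "ab" * 20
SAMPLE_POLLS = [
    "meeting notes",
    MY_ETH,                                  # user copies their own address
    "0x" + "cd" * 20,                        # same chain, new value: swap
    "0x" + "cd" * 20,                        # unchanged, no new alert
    "1AbCdEfGhJkLmNpQrStUvWxYz23456789AB",   # user copies a BTC address
]

if __name__ == "__main__":
    for idx, chain, value in scan_history(SAMPLE_POLLS):
        print(f"poll {idx}: {chain} address replaced -> {value}")
    print("paste ok:", paste_matches(SAMPLE_POLLS[2], MY_ETH))
```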

Questions and answers

Frequently asked questions about this article

What is CryptoBandits and how does it steal crypto?

CryptoBandits is a Windows trojan that polls the clipboard every 500 milliseconds. When you copy a Bitcoin, Ethereum, Tron, or Monero wallet address, the malware replaces it with an attacker-controlled address before you paste. Funds go to the attacker. It also captures seed phrases and private keys.

How does CryptoBandits get onto a computer?

Through infected USB drives. The worm replaces files on the drive with .lnk shortcut files bearing identical names. Opening what looks like a normal document runs the trojan. Once installed, CryptoBandits copies itself onto any clean USB plugged into the infected machine.

How can you protect your crypto wallet from this malware?

Disable AutoPlay on USB devices and block .lnk execution from external drives. The most effective habit: manually verify the first and last few characters of any wallet address after pasting. Also monitor for unexpected activity on localhost:9050, where CryptoBandits establishes its Tor connection.

Why does the malware use Tor?

Tor hides the location of the attackers' command-and-control servers. CryptoBandits deploys a bundled Tor client and routes all stolen data through .onion addresses, making the traffic nearly invisible to standard network monitoring tools.