Cryptocurrency theft usually leaves a trail: a phishing page, a drained exchange account, a credential reused where it should not have been. The clipper campaign Microsoft Threat Intelligence detailed this week leaves none of that. It sits on the infected machine, watches the clipboard, and the instant you copy a wallet address it substitutes one of the attacker's that looks close enough to pass a glance. You paste, you approve, you send your own money to a stranger. No login was stolen. Nothing left the machine in a way your tools are built to flag. The payment was authorized, by you.
Microsoft has tracked the malware, which it detects as Trojan:Win32/CryptoBandits.A, since February 2026, and published its findings on June 17. Two things lift it above the usual stealer noise. It travels as a USB worm, a technique most defenders filed under solved a decade ago. And it runs its entire command channel over Tor, so there is no address for an egress filter to block.
Why a USB worm still works in 2026
Microsoft changed Windows in 2011 to stop AutoRun from launching code the moment you inserted a drive, a fix aimed squarely at Conficker and the worms of that era. This campaign does not need AutoRun. When an infected drive is opened, the malware hides the real documents on it, the Word, Excel, and PDF files, and drops shortcut files carrying the same names. The user sees what looks like their own files and double-clicks one. That click runs the worm. A scheduled task then waits for the next USB device and copies the malware onto it. The control everyone trusts here, "we turned off AutoRun," was never in the path. The attack runs on the user's habit of opening their own files, which is the one thing you cannot patch.
There is a specific population this is built for. People holding serious amounts of cryptocurrency keep their keys on machines that never touch the internet, and they shuttle signed transactions and seed phrases on and off those machines by USB. That workflow exists precisely to dodge network-borne malware. A USB worm that reads the clipboard is the one threat the workflow does not stop. The offline machine is not the safe machine here. It is the target. This is a blind spot rather than a single bug: the defense and the attack share the same assumption about where danger comes from.
Built to slip past the network and the endpoint at once
The campaign is engineered against the two controls most teams lean on hardest. On the network side, the C2 runs as a Tor hidden service. The malware ships a portable Tor client, routes through a local SOCKS5 proxy on port 9050, and reaches a .onion address. There is no IP and no domain to put on a blocklist, and threat-intel feeds have nothing to match against. On the endpoint side, the execution chain is Windows Script Host and ActiveX, which exist on every Windows install, and the payload is packed with PyInstaller and obfuscated with PyArmor, decrypting itself at runtime. A signature engine hunting for a known-bad file has very little to grab.
Put those together and you get malware that fits neither the model your perimeter was designed around nor the one your antivirus was. The perimeter assumes a bad destination exists to block. The antivirus assumes a malicious file exists to fingerprint. This campaign denies both on purpose. The only layer with anything to see is the one watching what a process does rather than what it is.
The theft with no event to detect
The clipboard swap is dangerous because there is no moment of loss for a tool to catch. The malware polls the clipboard roughly twice a second. When it spots a wallet address for Bitcoin, Ethereum, Tron, or Monero, it replaces it with an attacker address built to partly resemble the original. Nothing is exfiltrated at that instant. The damage lands later, when you paste and send.
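The swap described above is hard to catch after the fact, but it is visible at the moment it happens if something on the host remembers what the user actually copied. The following is an added example, not code from Microsoft's report or from the malware: a small clipboard guard that recognizes the four address formats the campaign targets (the regexes are simplified shape-and-length screens, an assumption for illustration, with no checksum validation), compares a polled clipboard value against the address the wallet app last placed there, and reports a same-chain address that keeps the first or last few characters as a lookalike. The event stream and both addresses are constructed.

```python
import re
from dataclasses import dataclass

# Coarse shape-and-length screens for the four chains the campaign targets.
# Simplified for the example (no checksum validation); an assumption, not the
# malware's own matching logic.
BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
CHAIN_PATTERNS = {
    "bitcoin": re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1[02-9ac-hj-np-z]{{39,59}})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron": re.compile(rf"^T{BASE58}{{33}}$"),
    "monero": re.compile(rf"^[48]{BASE58}{{94}}$"),
}


def classify(text):
    """Return the chain whose address format `text` matches, or None."""
    for chain, pattern in CHAIN_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def shared_ends(a, b):
    """Length of the common prefix and the common suffix of two strings."""
    limit = min(len(a), len(b))
    prefix = 0
    while prefix < limit and a[prefix] == b[prefix]:
        prefix += 1
    suffix = 0
    while suffix < limit - prefix and a[-1 - suffix] == b[-1 - suffix]:
        suffix += 1
    return prefix, suffix


def compare_addresses(intended, pasted):
    """Verdict on whether `pasted` may stand in for `intended`. Only an exact
    match is acceptable; a same-chain address that keeps the first or last few
    characters is reported as a lookalike, the case a glance misses."""
    if intended == pasted:
        return "ok"
    chain = classify(intended)
    if chain is None or classify(pasted) != chain:
        return "mismatch"
    prefix, suffix = shared_ends(intended, pasted)
    if prefix >= 3 or suffix >= 3:
        return "lookalike"
    return "mismatch"


@dataclass
class ClipboardEvent:
    kind: str   # "copy": a copy the wallet app itself performed; "poll": a clipboard snapshot
    value: str


def detect_hijack(events):
    """Alert when a polled clipboard value is a wallet address that differs
    from the address the user last copied through the wallet app."""
    alerts = []
    last_copied = None
    for event in events:
        if event.kind == "copy":
            last_copied = event.value
            continue
        if last_copied is None or classify(last_copied) is None or classify(event.value) is None:
            continue
        verdict = compare_addresses(last_copied, event.value)
        if verdict != "ok":
            alerts.append((verdict, last_copied, event.value))
    return alerts


# Constructed sample: an Ethereum-format address and a same-chain substitute
# that keeps its first four and last four hex digits. Both values are made up.
INTENDED_ETH = "0x5a3fb1c9d2e4f60718293a4b5c6d7e8f90a1b2c3"
SWAPPED_ETH = "0x5a3f00001111222233334444555566667777b2c3"
SAMPLE_EVENTS = [
    ClipboardEvent("copy", INTENDED_ETH),
    ClipboardEvent("poll", INTENDED_ETH),       # unchanged on the first poll
    ClipboardEvent("poll", SWAPPED_ETH),        # body rewritten, ends preserved
    ClipboardEvent("copy", "meeting notes"),    # ordinary text, not an address
    ClipboardEvent("poll", "meeting notes"),
]

if __name__ == "__main__":
    for verdict, wanted, seen in detect_hijack(SAMPLE_EVENTS):
        print(f"{verdict}: expected {wanted}, clipboard holds {seen}")
```

The design point is that the guard never trusts the clipboard as a source of truth; the wallet app's own copy action is the reference, and any address that differs from it, however similar the ends look, is a block, not a warning to eyeball.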
The seed-phrase theft is noisier. The malware detects 12- and 24-word BIP39 recovery phrases on the clipboard, writes a copy to a local file, and pushes it out over Tor. It also lifts Ethereum and Bitcoin private keys and grabs screenshots at ten-second intervals, sending them out with the curl tool. The exfiltration is the part a data-loss tool might catch, except the traffic rides Tor, which most such tools cannot inspect.
This is the rare attack with no breach to investigate afterward. There is no popped account, no exfil spike against a named service, no credential to rotate. A user authorized a transfer to an address they believed was correct. Very little SIEM correlation logic has a rule for "the transaction was real, the user meant to send it, and it still went to the wrong place." That gap is the whole point of the technique, and it is why detecting the behavior instead of the delivery is the only approach that holds up here.
What to actually watch for
Since signatures and blocklists are the wrong instruments, the useful detections are behavioral. Worth putting in front of your hunt this week:
- wscript.exe or cscript.exe spawning curl, PowerShell, or cmd.exe, especially on a finance or developer workstation
- any process opening a local SOCKS5 proxy on port 9050, or a Tor client running on a host that has no reason to run one (Microsoft names ugate.exe as the bundled Tor binary)
- scheduled tasks created around USB insertion events
- shortcut files on removable media that point at a scripting host
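The four hunt items above, together with the USB shortcut trick and the local SOCKS5 listener described earlier, all reduce to questions about what a process, a task or a file on the host is doing. The following is an added example, not Microsoft's detection logic or any product's rule syntax: each item becomes one rule, run over a constructed batch of EDR-style process, listen, task and file events. The field names and every pid, path, task name and script name are invented for the example; only ugate.exe and port 9050 come from the article.

```python
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPECT_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe"}
TOR_SOCKS_PORT = 9050


def rule_script_host_spawns_tool(events):
    """Windows Script Host launching a download or shell tool."""
    return [e for e in events if e["type"] == "process"
            and e["parent_image"].lower() in SCRIPT_HOSTS
            and e["image"].lower() in SUSPECT_CHILDREN]


def rule_socks_listener(events):
    """Any process listening on the default Tor SOCKS port."""
    return [e for e in events if e["type"] == "listen" and e["port"] == TOR_SOCKS_PORT]


def rule_event_triggered_script_task(events):
    """Scheduled tasks with an event trigger whose action is a script host;
    the task the article describes fires on the next USB insertion."""
    hits = []
    for e in events:
        if e["type"] == "task" and e["trigger"] == "event":
            if e["action"].split()[0].lower() in SCRIPT_HOSTS:
                hits.append(e)
    return hits


def rule_removable_lnk(events):
    """Shortcut files on removable media that launch a script host, flagged
    further when the shortcut's name is a hidden document's name plus '.lnk'."""
    hidden_docs = {e["path"].lower() for e in events
                   if e["type"] == "file" and e["drive_type"] == "removable" and e.get("hidden")}
    hits = []
    for e in events:
        if e["type"] != "file" or e["drive_type"] != "removable":
            continue
        path = e["path"].lower()
        if not path.endswith(".lnk"):
            continue
        decoy = path[:-len(".lnk")] in hidden_docs
        if e.get("target", "").lower() in SCRIPT_HOSTS or decoy:
            hits.append({**e, "decoy_for_hidden_doc": decoy})
    return hits


RULES = {
    "script_host_spawns_tool": rule_script_host_spawns_tool,
    "socks_listener_9050": rule_socks_listener,
    "event_triggered_script_task": rule_event_triggered_script_task,
    "removable_lnk": rule_removable_lnk,
}


def hunt(events):
    """Run every rule over the telemetry and return (rule_name, event) findings."""
    return [(name, hit) for name, rule in RULES.items() for hit in rule(events)]


# Constructed telemetry shaped like EDR process, network, task and file events.
# Every pid, path, task name and script name is invented; "target" holds the
# basename of the shortcut's target executable.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent_image": "explorer.exe", "image": "wscript.exe"},
    {"type": "process", "pid": 4188, "parent_image": "wscript.exe", "image": "curl.exe"},
    {"type": "process", "pid": 4190, "parent_image": "wscript.exe", "image": "cmd.exe"},
    {"type": "process", "pid": 4201, "parent_image": "explorer.exe", "image": "notepad.exe"},
    {"type": "listen", "pid": 5012, "image": "ugate.exe", "port": 9050},
    {"type": "listen", "pid": 880, "image": "svchost.exe", "port": 135},
    {"type": "task", "name": "SyncUpdate", "trigger": "event",
     "action": "wscript.exe //B C:\\Users\\Public\\sync.js"},
    {"type": "task", "name": "NightlyBackup", "trigger": "daily",
     "action": "robocopy.exe D:\\src E:\\dst"},
    {"type": "file", "drive_type": "removable", "path": "E:\\Q2 Report.docx", "hidden": True},
    {"type": "file", "drive_type": "removable", "path": "E:\\Q2 Report.docx.lnk",
     "hidden": False, "target": "wscript.exe"},
    {"type": "file", "drive_type": "fixed", "path": "C:\\Users\\Public\\Desktop\\Notepad.lnk",
     "hidden": False, "target": "notepad.exe"},
]

if __name__ == "__main__":
    for name, hit in hunt(SAMPLE_EVENTS):
        print(name, hit)
```

None of these rules needs a hash, a domain or an IP, which is the point: on a finance or developer workstation, a script host with child processes, a listener on 9050, or a shortcut that shadows a hidden document is abnormal regardless of which sample is behind it.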
On the policy side, block execution of LNK files from removable drives through Group Policy, and restrict wscript.exe and cscript.exe where users have no need for them. One sloppy attacker habit helps you: the malware saves stolen seed phrases to a local file before sending them, so a host you suspect has that file sitting on disk, alongside a Tor client and a listener on 9050. That is physical evidence rather than a fleeting packet, and it is built on the same idea as running a behavioral detection engine on the endpoint in the first place.
Takedowns and blocklists assume the threat has a fixed address you can remove. This campaign was written by people who read that assumption and designed straight through it. The shift it should force is small but real. For the machines that move money or keys, stop treating a quiet network and a clean antivirus scan as proof of a clean host, and start watching what the scripting engine and the clipboard are actually doing. The clipboard is an attack surface now. Treat it like one.