Bitcoinist 2026-06-19 20:45:14

Microsoft Warns Crypto Users About A Windows Clipper Malware Campaign

Crypto theft does not always start with a hacked exchange or a broken smart contract. Sometimes it starts with a copied wallet address. Microsoft Threat Intelligence has detailed a Windows malware campaign tracked as Trojan:Win32/CryptoBandits.A, describing a clipper that can spread through removable drives, watch the clipboard, and swap crypto addresses before a victim sends funds.

TL;DR

- Microsoft has detailed a Windows-focused crypto clipper campaign known as CryptoBandits.
- The malware can spread through USB drives by replacing documents with malicious shortcut files.
- It monitors copied wallet addresses and can replace them with attacker-controlled addresses.
- The safest habit remains checking the full address on a trusted device before sending funds.

How a clipper attack works

Clipper malware targets one of the most common habits in crypto: copying and pasting wallet addresses. A user copies a legitimate destination address, but the malware watches the clipboard and replaces that address with one controlled by the attacker.

The result can be brutal because nothing may look obviously wrong until the transaction is already confirmed. Blockchain transfers are difficult or impossible to reverse, and the victim may only realize what happened after checking the transaction record.

Microsoft’s report says the CryptoBandits campaign uses high-frequency clipboard monitoring and can also look for sensitive crypto material such as private keys or seed phrases. That makes it more than a simple copy-paste trick. It is designed to search for the exact data crypto users cannot afford to leak.

Why the USB angle matters

The worm-like propagation method makes the campaign more worrying. Microsoft says the malware can spread through removable drives by hiding real documents and replacing them with malicious shortcut files that use familiar document names.

That tactic leans on trust. A user opens what looks like a normal PDF, spreadsheet, or document from a USB drive, but the shortcut executes malicious code instead. It is an old social-engineering pattern applied to a crypto-specific theft objective.

The campaign also uses Tor infrastructure for command-and-control traffic, according to Microsoft. By routing communication through hidden services, attackers can make the malware harder to disrupt and more difficult for traditional network defenses to inspect.

The practical safety checklist

For crypto users, the lesson is not complicated, but it does require discipline. Never rely only on copy and paste when sending funds. Check the first and last characters of the destination address, and for larger transfers, use a hardware wallet or wallet screen that shows the address independently of the infected computer.

Users should also avoid opening files from unknown USB drives, keep Windows security tools updated, and treat shortcuts on removable storage with suspicion. If a drive suddenly shows familiar files as shortcut links, that is a warning sign.

This campaign is Windows-focused, so it should not be described as a macOS or Linux threat without evidence. But the broader habit applies everywhere: crypto transactions should be verified before signing, because malware only needs one careless send to turn a clipboard trick into a permanent loss.

That gives the story a wider market angle. Tokenized gold is not trying to replace Bitcoin’s role in crypto lending, but it gives lenders and borrowers another type of collateral with a very different risk profile. Bitcoin collateral is tied to crypto market beta, while gold-linked collateral is often framed around preservation, hedging, and liquidity. In a market where borrowers increasingly want more choice, that distinction matters.

This article was written by the News Desk and edited by Samuel Rae. This report is based on information from Microsoft Threat Intelligence.
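The warning sign described under "Why the USB angle matters", real documents hidden and shortcuts left in their place, can be checked for with a short script. This is an added example, not code from Microsoft's report or from the article; the function names, the document-extension list, the matching heuristic and the sample listing are assumptions made for illustration.

```python
import os
import stat
from pathlib import PureWindowsPath

# Assumed list of "familiar document" extensions; adjust to your environment.
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".rtf"}

def find_suspicious_shortcuts(entries):
    """entries: (file_name, is_hidden) pairs from ONE directory of a removable drive.
    Returns [(shortcut_name, [reasons])] for .lnk files that look like stand-ins."""
    hidden = set()
    for name, is_hidden in entries:
        if is_hidden and not name.lower().endswith(".lnk"):
            hidden.add(name.lower())                        # "budget.xlsx"
            hidden.add(PureWindowsPath(name).stem.lower())  # "budget"
    findings = []
    for name, _ in entries:
        if not name.lower().endswith(".lnk"):
            continue
        shown_as = name[:-4]  # Explorer never displays the .lnk extension
        reasons = []
        if shown_as.lower() in hidden:
            reasons.append("same name as a hidden file")
        if PureWindowsPath(shown_as).suffix.lower() in DOC_EXTS:
            reasons.append("document-style name")
        if reasons:
            findings.append((name, reasons))
    return findings

def scan_directory(root):
    """Collect (name, hidden) for files in root and run the check.
    The hidden flag comes from st_file_attributes, which only exists on Windows."""
    entries = []
    with os.scandir(root) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
                entries.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return find_suspicious_shortcuts(entries)

# Constructed sample listing (not taken from the report).
SAMPLE = [("Budget.xlsx", True), ("Budget.xlsx.lnk", False), ("Invoice.pdf", True),
          ("Invoice.lnk", False), ("Notes.txt", False), ("Photos.lnk", False)]

if __name__ == "__main__":
    for name, reasons in find_suspicious_shortcuts(SAMPLE):
        print(f"{name}: {', '.join(reasons)}")
```

A hit is a prompt to inspect the drive with security tooling before opening anything, not proof of infection; legitimate shortcuts with document-style names will also match.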
