Ctrl+C and Ctrl+V, the universally loved shortcut pair, is now a big threat to your crypto wallet.
Microsoft (NASDAQ: MSFT) has uncovered a new strain of malware built to quietly drain cryptocurrency from Windows users.
In a report on June 17, Microsoft Threat Intelligence and Microsoft Defender Experts say the threat, a so-called "clipper," has been infecting devices since February 2026.
It is now flagged by Microsoft Defender Antivirus as "Trojan:Win32/CryptoBandits.A."
How the malware spreads and hides
The malware's core trick is simple and scarily effective. It watches the clipboard, the area where your computer temporarily stores anything you copy. When it detects a cryptocurrency wallet address being copied, it silently swaps in an address controlled by the attacker.
A victim sending Bitcoin (BTC) or another token can paste what looks like the correct destination, only to send the funds straight to a criminal instead.
Microsoft says the malware checks the clipboard roughly every 500 milliseconds and also hunts for seed phrases and private keys, which are the credentials that unlock crypto wallets.
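As an added defensive illustration (not code from the article or from Microsoft's report), the Python below sketches the heuristic a monitoring tool could apply to the swap pattern described above: a wallet address in the clipboard turning into a different address of the same type between two polls with no user copy in between. The address patterns, the poll-log format and the sample values are all constructed for this example.

```python
import re
from typing import Optional

# Simplified address patterns for the coin types a clipper typically targets
# (constructed for illustration; not Microsoft's detection logic).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{8,87}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_type(text: str) -> Optional[str]:
    """Return the wallet-address type that `text` looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None

def find_swaps(poll_log):
    """poll_log: list of (ms, clipboard_text, user_copied) samples standing in
    for a periodic clipboard poll. Returns (before, after) pairs where an
    address became a *different* address of the same type without the user
    copying anything, which is the signature of a clipper."""
    swaps = []
    for prev, cur in zip(poll_log, poll_log[1:]):
        _, before, _ = prev
        _, after, user_copied = cur
        if user_copied or before == after:
            continue
        kind = address_type(before)
        if kind is not None and address_type(after) == kind:
            swaps.append((before, after))
    return swaps

def paste_is_intended(intended: str, pasted: str) -> bool:
    """Last-line check before sending: the pasted destination must match
    exactly what the user meant to send to."""
    return intended.strip() == pasted.strip()

# Constructed sample: the user copies a legacy BTC address at t=0; 500 ms later
# the clipboard holds a different legacy address although nothing was copied.
SAMPLE_LOG = [
    (0, "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa", True),
    (500, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", False),
    (1000, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2", False),
    (1500, "meeting notes", True),
]

if __name__ == "__main__":
    for before, after in find_swaps(SAMPLE_LOG):
        print(f"clipboard hijack suspected: {before} -> {after}")
```

The same comparison is the manual habit the article implies: re-read the pasted address against the one you intended before confirming a transfer.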
The campaign starts with malicious shortcut (.lnk) files, which Microsoft says were distributed on USB storage drives.
The malware bundles two parts:
- a worm component that spreads itself, and
- a stealer that harvests wallet data.
The worm hides legitimate documents on a USB device and replaces them with disguised shortcuts, so a user opening what looks like a familiar file is actually launching the malware without realizing it.
To stay hidden, the malware runs in a concealed window, sets up scheduled tasks for persistence, and even excludes its own files from Defender scanning. It also checks whether Task Manager is open and shuts down if it is, an anti-analysis tactic meant to dodge anyone investigating the device.
Why this threat stands out
What makes CryptoBandits notable, according to Microsoft, is its stealthy infrastructure. Rather than relying on a traditional installer or an exposed server, it deploys a portable Tor client and routes traffic through a local proxy to reach a hidden command-and-control server.
That design lets it blend data theft with remote code execution. This means a money-grabbing stealer becomes a lightweight backdoor that can run further and more dangerous attacker commands.