A newly discovered malware strain is targeting cryptocurrency users by spreading through USB drives and harvesting wallet credentials. Microsoft, which detected the threat, has named it Crypto Clipper due to its method of monitoring device clipboards for patterns matching wallet addresses or seed phrases. Once identified, the malware captures five screenshots over a 10-second interval and transmits both the credentials and images to attackers via the Tor network, obscuring the origin and destination of the data.
The malware’s design avoids conventional installation methods or exposed IP-based command-and-control (C2) infrastructure. Instead, it deploys a portable Tor client and routes traffic through a local SOCKS5 proxy, blending data theft with remote code execution capabilities. This approach allows Crypto Clipper to function as both a financially motivated stealer and a lightweight backdoor, expanding its potential impact beyond simple credential theft.
How the malware operates
Crypto Clipper’s propagation relies on USB drives, a vector that has seen renewed use in recent years due to its effectiveness in bypassing network-based defenses. Once a drive is infected, the malware scans the clipboard of any device it connects to, replacing cryptocurrency wallet addresses with attacker-controlled ones. The use of Tor ensures that the malware’s communications remain anonymous, complicating efforts to trace or block the exfiltration of stolen data.
Microsoft’s analysis highlights the malware’s efficiency in evading detection. By avoiding traditional C2 infrastructure and leveraging Tor’s decentralized network, Crypto Clipper reduces the risk of exposing its operators’ locations or identities. The inclusion of screenshot capture further enhances its ability to gather sensitive information, such as private keys or transaction details, that may not be visible in clipboard data alone.
Implications for security teams
The emergence of Crypto Clipper underscores the persistent threat posed by USB-based malware, particularly in environments where removable media is commonly used. Organizations handling cryptocurrency or managing digital assets should prioritize endpoint protection measures, including disabling autorun features for USB drives and implementing clipboard monitoring tools to detect unusual activity. The malware’s reliance on Tor also suggests that network-level defenses, such as blocking known Tor exit nodes or restricting SOCKS5 proxy usage, could mitigate some risks.
For individual users, the threat serves as a reminder of the importance of verifying wallet addresses before completing transactions. The use of hardware wallets or multi-signature authentication can provide additional layers of security against clipboard-based attacks. Microsoft has not disclosed the scale of infections or the geographic distribution of affected systems, but the malware’s design suggests it could target a broad range of users, from casual cryptocurrency holders to enterprise environments.
What to watch
Security researchers will likely focus on tracking the evolution of Crypto Clipper’s capabilities, particularly its potential to incorporate additional payloads or expand its target scope beyond cryptocurrency. The malware’s use of Tor and SOCKS5 proxies may also prompt renewed scrutiny of anonymous routing protocols in corporate environments. Meanwhile, organizations should assess their exposure to USB-borne threats and consider updating their incident response plans to account for clipboard-based attacks.
For professionals: Crypto Clipper’s reliance on USB drives and Tor highlights gaps in traditional endpoint security. Review policies for removable media usage, enforce clipboard monitoring, and evaluate network controls to block unauthorized proxy traffic. Consider deploying behavioral detection tools to identify unusual screenshot activity or data exfiltration patterns.
Automated pipeline · Security
Synthesized from 1 industry feed on 19 Jun 2026. Passed independent editor verification (score 95/100) before publication. Style guide v1.3.