Microsoft warns new ‘Crypto Clipper’ malware can steal seed phrases and hijack wallet transfers
Researchers say the Crypto Clipper campaign combines wallet theft, screenshot capture, and remote access capabilities to target cryptocurrency users.
Microsoft has uncovered a cryptocurrency-focused malware campaign that can steal seed phrases, replace wallet addresses, and maintain remote access to infected devices through the Tor network.
In a published threat report, Microsoft’s security researchers said the malware, dubbed “Crypto Clipper,” has been active since at least February 2026.
The campaign combines clipboard theft, screenshot capture, wallet-address substitution, and remote code execution capabilities, giving attackers multiple ways to target crypto users.
Microsoft Defender detects the malware as Trojan/CryptoBandits.A and related variants.
Malware targets seed phrases and wallet credentials
According to Microsoft, Crypto Clipper continuously monitors a victim’s clipboard for high-value cryptocurrency data. The data includes 12-word and 24-word seed phrases, Ethereum private keys, and Bitcoin wallet credentials.
Once detected, the information is exfiltrated through Tor-based command-and-control infrastructure. The malware also captures screenshots of the victim’s device, providing attackers with additional context on wallets and balances.
Researchers found that the malware can replace copied cryptocurrency addresses with attacker-controlled alternatives. The address substitution feature targets several blockchain networks, including Bitcoin, Tron, and Monero.
Microsoft said the malware checks copied wallet addresses and replaces them with lookalike addresses designed to reduce the chances of detection during transfers.
USB drives used for worm-like spread
The campaign also stands out for its propagation method.
Microsoft found that the malware spreads through malicious Windows shortcut (.lnk) files distributed via USB storage devices. The malware hides the legitimate documents on the drive and drops shortcut files carrying the same names in their place.
When users open what appears to be a normal document, the malware executes in the background and installs additional payloads.
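The "hidden document plus same-name shortcut" pairing described above is a simple pattern to hunt for on a removable drive. The following is an added example for defenders, not code from Microsoft's report: it takes a directory listing as (filename, is_hidden) pairs and flags every visible .lnk whose stem matches a hidden document. The sample listing is constructed, and the document extension list is an assumption.

```python
"""Flag the Crypto Clipper-style USB decoy pattern: a hidden document sitting
next to a visible .lnk shortcut with the same name (added example)."""
import os

# Document types a decoy shortcut would plausibly impersonate (assumption).
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}
FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows file-attribute bit for "hidden"


def find_shortcut_decoys(entries):
    """entries: iterable of (filename, is_hidden) pairs from one directory.

    Returns a sorted list of (shortcut_name, hidden_document_name) pairs where a
    visible .lnk shares its stem (case-insensitively) with a hidden document.
    """
    hidden_docs = {}
    shortcuts = {}
    for name, is_hidden in entries:
        stem, ext = os.path.splitext(name)
        key, ext = stem.lower(), ext.lower()
        if ext == ".lnk" and not is_hidden:
            shortcuts[key] = name
        elif ext in DOC_EXTENSIONS and is_hidden:
            hidden_docs[key] = name
    # Only stems present in both maps are decoys; lone shortcuts are ignored.
    return sorted((shortcuts[k], hidden_docs[k]) for k in shortcuts.keys() & hidden_docs.keys())


def scan_directory(path):
    """Read a real directory; on Windows the hidden bit comes from st_file_attributes."""
    entries = []
    for name in os.listdir(path):
        st = os.stat(os.path.join(path, name))
        attrs = getattr(st, "st_file_attributes", 0)  # absent on non-Windows -> 0
        entries.append((name, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return find_shortcut_decoys(entries)


if __name__ == "__main__":
    # Constructed listing of a USB drive root: two decoy pairs, one benign shortcut.
    sample = [
        ("Q1 Report.pdf", True), ("Q1 Report.lnk", False),
        ("readme.txt", False), ("notes.lnk", False),
        ("photo.jpg", True), ("photo.lnk", False),
    ]
    for lnk, doc in find_shortcut_decoys(sample):
        print(f"suspicious: {lnk} shadows hidden {doc}")
```

Run `scan_directory(r"E:\\")` on a mounted drive to check a real device; any hit is a strong signal to quarantine the drive rather than open the shortcut.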
The researchers said the malware deploys a portable Tor client, routes communications through hidden services, and can receive instructions from attackers, including commands that allow arbitrary code execution on compromised systems.
Microsoft warned that the combination of Tor-based communications, clipboard theft, screenshot collection, and remote tasking gives attackers both immediate monetization opportunities and ongoing control over infected devices.
Final Summary
- Microsoft identified a crypto-targeting malware campaign that steals seed phrases, captures screenshots, and replaces wallet addresses.
- The malware spreads through malicious USB shortcut files and uses Tor infrastructure to maintain communication with attackers.