
USB-Borne Malware Steals Crypto by Swapping Wallet Addresses on Windows

By Mag-Info Tech editorial · 2026-06-19


A worm that spreads by USB is actively targeting crypto users

A previously undetected Windows worm has been circulating since February, moving from machine to machine on ordinary USB flash drives. On each drive it plants a malicious Windows shortcut (.lnk) disguised as a normal document or folder; when a user on another PC opens that shortcut, it launches a hidden payload that drops the worm onto the host. Plugging the drive in is not by itself enough: Windows has not auto-executed content from USB storage since Windows 7, so the infection depends on the user double-clicking the disguised shortcut. From there the malware silently copies itself to every further USB drive inserted into the compromised machine, producing a chain of reinfection that needs no network connection at all. Because the vector is physical media, the worm can reach air-gapped systems with no internet access, which makes it unusually persistent and hard to contain.

Security researchers tracking the campaign note that the worm’s behavior is consistent with financially motivated cybercrime rather than espionage or state activity. The payload is designed to harvest cryptocurrency credentials and manipulate transfers in real time, a pattern seen in “crypto clippers” that substitute wallet addresses. The fact that the malware has remained active for months suggests that attackers are refining the technique and expanding its reach. Users who copy and paste wallet addresses on infected machines risk unknowingly sending funds to attacker-controlled addresses instead of their intended recipients.

How the malware replaces wallet addresses copied to the clipboard

After gaining a foothold on a Windows machine, the worm installs a background component that continuously polls the system clipboard. Whenever the clipboard content matches one of the wallet-address formats the malware recognises (a Bitcoin or Ethereum address, for example), the component overwrites it with an attacker-controlled address of the same type. The swap happens between copy and paste, so nothing visible changes at the moment of copying; the string the user then pastes into a wallet application or exchange form is a valid-looking address of the expected kind, just not the one they copied. A user who does not compare the pasted address character by character with the source sends the funds to the attacker.

In addition to address swapping, the malware harvests private keys and seed phrases that pass through the clipboard and exfiltrates them over the Tor network to a remote command-and-control server, giving attackers the ability to drain wallets at their leisure. The combination of clipboard manipulation and credential theft makes this a dual-threat toolkit: it diverts live transactions and steals long-term access to user funds. Clipboard managers give no protection, since they record the same substituted contents. A hardware wallet protects only if the user compares the destination address shown on the device's own screen with the one they intended to pay; a user who approves whatever the host software displays ends up signing a transaction to the swapped address.
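To make the mechanism concrete, here is an added example in Python (not code from the article, and not derived from the malware itself) covering both halves of what this section describes: the address recognition a clipper needs before it can swap, the swap itself, and the paste check a defender can run. The Base58Check test for legacy Bitcoin addresses is genuine; Ethereum and bech32 addresses are matched on format only, because the EIP-55 and bech32 checksums need Keccak and bech32 code the standard library lacks. The attacker pool and all sample strings are constructed for the demo and are not real wallets.

```python
import hashlib
import os
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_decode(s: str):
    """Decode a Base58Check string; return the 21-byte payload or None if malformed."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_zeros = len(s) - len(s.lstrip("1"))   # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:                            # 1 version + 20 hash160 + 4 checksum
        return None
    payload, checksum = raw[:21], raw[21:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def classify_address(text: str):
    """Return the address kind a clipper would recognise, or None for anything else."""
    t = text.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", t):
        return "eth"                               # format only; no EIP-55 check
    if re.fullmatch(r"bc1[ac-hj-np-z02-9]{11,71}", t.lower()):
        return "btc-bech32"                        # format only; no bech32 checksum
    if re.fullmatch(r"[13][" + B58_ALPHABET + r"]{25,34}", t):
        payload = b58check_decode(t)
        if payload is not None and payload[0] == 0x00:
            return "btc-p2pkh"
        if payload is not None and payload[0] == 0x05:
            return "btc-p2sh"
    return None


# Constructed attacker pool for the demo: strings of the right shape, not real wallets.
ATTACKER_POOL = {
    "btc-p2pkh": ["1A1zK4wBm2b8fT9Qe6ZxJ7hN3pRyVdSufNa", "1Q7Jm3cF9hKd2L8nP5rS6tVwX4yZaBcDe"],
    "eth": ["0x5aaeb6053f3e94c9b9a09f33669435e7ef1be000"],
}


def _shared_ends(a: str, b: str) -> int:
    """Number of leading plus trailing characters two strings have in common."""
    head = len(os.path.commonprefix([a, b]))
    tail = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return head + tail


def pick_lookalike(original: str, candidates: list) -> str:
    """Pick the candidate whose start and end best match the original, so a user who
    checks only the ends of an address is fooled."""
    return max(candidates, key=lambda c: _shared_ends(original, c))


def clipper_substitute(clipboard_text: str, pool: dict = ATTACKER_POOL) -> str:
    """Simulated clipper: if the clipboard holds a recognised address, return the
    attacker's look-alike of the same kind; otherwise leave the clipboard untouched."""
    kind = classify_address(clipboard_text)
    if kind is None or kind not in pool:
        return clipboard_text
    return pick_lookalike(clipboard_text.strip(), pool[kind])


def verify_paste(copied: str, pasted: str):
    """Defender check: compare what was copied with what is about to be pasted.
    Returns None when identical, otherwise a description of the tampering."""
    if copied == pasted:
        return None
    head = len(os.path.commonprefix([copied, pasted]))
    tail = len(os.path.commonprefix([copied[::-1], pasted[::-1]]))
    return f"clipboard changed: first {head} and last {tail} chars still match, middle differs"
```

The defender-side check only works if the comparison source is something the malware cannot rewrite, such as the address printed on a hardware wallet's screen or on paper; comparing two strings that both came through the same clipboard proves nothing.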


The USB propagation chain: how one infected drive can spread widely

The worm spreads by altering the contents of USB flash drives when they are plugged into an infected computer. During each insertion, the malware searches the drive for common document folders and replaces legitimate files with shortcuts (.lnk) that have the same names and icons. When a user on a clean machine opens one of these shortcuts, it executes the worm payload instead of opening the expected file. Because the shortcuts masquerade as familiar documents—spreadsheets, PDFs, or images—the social engineering barrier is low, and victims are unlikely to suspect malicious intent.

Once the payload executes, the worm copies itself into the Windows startup folder so that it runs again after every reboot, then begins watching for additional removable drives to repeat the cycle. Because the chain starts on physical media, network-perimeter controls such as firewalls and network intrusion detection never see the initial infection; only host-based controls (endpoint detection, application control) are in a position to catch it. Organizations with strict USB policies or disabled AutoRun are still exposed if users manually open the malicious shortcuts, which is why layered defenses that include user awareness and application control are needed.

What attackers can do once they control the clipboard and exfiltrate keys

With clipboard substitution in place, attackers can silently redirect any cryptocurrency transfer that involves a copied address. This is particularly dangerous in peer-to-peer payments, exchange withdrawals, and DeFi interactions, where users routinely copy and paste wallet addresses. Even experienced users rarely compare a long hexadecimal or Base58 string character by character, and checking only the first and last few characters is not a reliable defense, since an attacker holding many addresses can choose one whose ends match the original.

Beyond real-time theft, the exfiltration of private keys and seed phrases gives attackers offline control over wallets. Seed phrases, in particular, can be used to regenerate private keys and restore wallets on any device, enabling attackers to drain funds long after the initial infection. This dual capability—live transaction hijacking plus long-term wallet compromise—makes the malware a high-value tool for financially motivated actors. Victims may not realize they have been compromised until funds are missing from wallets they believed were secure.



How to detect and remove the malware from an infected system

Microsoft has published indicators of compromise (IOCs) for the worm, including file hashes, domain names, and the Tor infrastructure it contacts. Updated antivirus signatures that incorporate these IOCs can identify active infections. Bear in mind that Tor relay addresses are shared by every Tor user, so unexpected Tor traffic from a workstation is a reason to investigate rather than proof of this particular infection. Because the worm persists from the Windows startup folder, a reboot does not remove it; cleanup means deleting the dropped files and the startup entry (and checking the Run registry keys for anything else the dropper added), then repairing any USB drives it touched by removing the planted shortcuts and restoring the original files from a clean copy.

A practical first step is to disable Windows Script Host (wscript.exe and cscript.exe) wherever it is not needed for business operations, since the malware relies on script execution to install itself. Shortcut files are not executables, so there is nothing to "block" in the .lnk itself; the effective control is AppLocker or Windows Defender Application Control rules that deny scripts and executables launched from removable-drive paths, which stops whatever the shortcut points at. Administrators should also disable AutoRun and AutoPlay for removable drives. That does not affect the shortcuts, which run only when a user opens them, but it removes the prompts that invite users to browse an unknown drive in the first place.
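As an added example (not the article's or Microsoft's code, and not derived from the worm), the following Python reads the fixed header and string fields of a Windows Shell Link (.lnk) file as laid out in the MS-SHLLINK specification and flags the traits a planted shortcut on a USB drive tends to have: a document-like name, a command or script host as target, arguments handed to that host, an icon borrowed from another program, and a window that starts minimised. It builds its own sample shortcuts so it runs offline; the target paths and arguments in those samples are constructed, not taken from the campaign. The parser reads the RELATIVE_PATH and argument strings and skips the binary ID list and LinkInfo by their declared sizes, so a real scan should pair it with a full parser that also resolves the ID list target.

```python
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_FMT = "<I16sIIQQQIIIHHII"                                  # 76 (0x4C) bytes
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                                            # start minimised without focus

STRING_FIELDS = (                                                 # StringData order per spec
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
COMMAND_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                 "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".png", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and StringData; skip the ID list and LinkInfo by size."""
    hdr = struct.unpack_from(HEADER_FMT, data, 0)
    if hdr[0] != 0x4C or hdr[1] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, show_command = hdr[2], hdr[9]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size                      # LinkInfoSize counts its own 4 bytes
    link = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            link[key] = ""
            continue
        (count,) = struct.unpack_from("<H", data, pos)   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            link[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            link[key] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return link


def build_lnk(relative_path, arguments="", icon_location="", show_command=1, id_list=b"") -> bytes:
    """Assemble a minimal .lnk; used here only to construct offline samples."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH
    flags |= HAS_ARGUMENTS if arguments else 0
    flags |= HAS_ICON_LOCATION if icon_location else 0
    flags |= HAS_LINK_TARGET_IDLIST if id_list else 0
    header = struct.pack(HEADER_FMT, 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    for s in (relative_path, arguments, icon_location):       # same order as STRING_FIELDS
        if s:
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_shortcut(filename: str, data: bytes):
    """Return (parsed link, findings); an empty findings list means nothing suspicious."""
    link = parse_lnk(data)
    findings = []
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else filename.lower()
    target = _basename(link["relative_path"])
    if stem.endswith(DOC_EXTENSIONS):
        findings.append("named like a document (Explorer never shows the .lnk extension)")
    if target in COMMAND_HOSTS:
        findings.append(f"target is a command/script host: {target}")
        if link["arguments"]:
            findings.append(f"arguments passed to {target}: {link['arguments']!r}")
        if link["icon_location"] and _basename(link["icon_location"]) != target:
            findings.append(f"icon borrowed from {_basename(link['icon_location'])}")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window starts minimised and inactive")
    return link, findings


def scan_directory(root: str) -> dict:
    """Run triage_shortcut over every .lnk under root (for example a mounted USB drive)."""
    import pathlib
    report = {}
    for p in pathlib.Path(root).rglob("*.lnk"):
        try:
            _, findings = triage_shortcut(p.name, p.read_bytes())
        except (ValueError, struct.error) as exc:
            findings = [f"unparseable: {exc}"]
        if findings:
            report[str(p)] = findings
    return report


# Constructed samples; the paths and arguments are illustrative, not from the campaign.
PLANTED = build_lnk(r"..\..\Windows\System32\cmd.exe",
                    r'/c start "" .hidden\Q2_Report.pdf & wscript //B .hidden\sync.vbs',
                    r"C:\Program Files\Adobe\Acrobat.exe",
                    show_command=SW_SHOWMINNOACTIVE, id_list=b"\x00" * 20)
BENIGN = build_lnk(r"..\Documents\Notes.txt")
```

Run `scan_directory("E:\\")` against a suspect drive from a clean analysis host; the findings are heuristics for prioritising what to inspect, not a verdict, and a shortcut that points at cmd.exe with a document icon and a minimised window is worth opening in a hex editor rather than in Explorer.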

Steps to prevent USB-borne malware from reaching your devices

The most effective prevention is to treat all removable media as potentially hostile. Users should avoid plugging unknown USB drives into workstations and should not use drives from untrusted sources for critical operations such as cryptocurrency transfers. Organizations can enforce a “deny by default” policy for removable storage, allowing only pre-approved devices to mount. Centralized management of USB policies through mobile device management (MDM) or endpoint configuration tools can reduce the attack surface significantly.

For personal users, keeping the operating system and antivirus signatures up to date is essential, but it is not sufficient on its own. Turn off Explorer's "Hide extensions for known file types" option so that a file such as Report.pdf.exe shows its true extension, and be aware that Explorer never displays the .lnk extension even then: a planted shortcut named Report.pdf.lnk still appears as "Report.pdf", and the giveaways are the small arrow overlay on the icon and "Shortcut" in the Type column of Details view. Full-disk encryption on a portable drive protects its contents if the drive is lost, but it does nothing against this worm, because an infected host writes to the drive as soon as it is unlocked. Finally, a hardware wallet or secure enclave-based signing solution keeps private keys off the clipboard entirely, and verifying the destination address on the device's own screen defeats clipboard substitution.


What the rise of USB-borne crypto malware means for the ecosystem

The emergence of a clipboard-swapping, USB-propagating malware highlights a growing trend: attackers are weaponizing everyday tools and physical media to target digital assets. Unlike phishing emails or fake websites, USB-borne threats can bypass perimeter defenses and reach isolated systems, making them attractive to cybercriminals focused on cryptocurrency theft. The fact that the campaign has persisted for months suggests that attackers are iterating on the technique, potentially adding new payloads or expanding to other operating systems.

For the cryptocurrency ecosystem, the incident underscores the importance of secure key management practices. Users who rely solely on software wallets and clipboard-based transfers are increasingly vulnerable to sophisticated malware. Hardware wallets with secure display and confirmation mechanisms remain the most robust defense, as they prevent malware from intercepting or altering transaction details. Exchanges and wallet providers may need to introduce additional user-interface safeguards, such as address whitelisting and transaction previews, to mitigate the risk of clipboard manipulation.

What to watch next: evolving attack techniques and defenses

Security teams should monitor for new variants that combine clipboard hijacking with other techniques, such as ransomware or spyware, to increase monetization opportunities. The use of Tor for exfiltration suggests that attackers prioritize stealth and anonymity; because Tor traffic is encrypted and its relay addresses are shared, it is hard to attribute on corporate networks, and blocking or alerting on Tor egress from workstations that have no business need for it is a reasonable control. Researchers may also uncover additional propagation vectors, such as network shares or Bluetooth, as attackers seek to maximize the worm's spread.

Defenders should prepare for an increase in supply-chain-style attacks that leverage trusted peripherals or removable media. Investing in application control policies, endpoint detection and response (EDR), and user behavior analytics can help identify anomalous clipboard activity or unauthorized script execution. The cat-and-mouse nature of this threat means that proactive hardening—such as disabling unnecessary script hosts and enforcing least-privilege USB policies—will be critical to staying ahead of attackers.
