CryptoBandits Malware Hid Undetected for Four Months Before Microsoft Disclosed It

Published by James Harris on


What You Need to Know

  • CryptoBandits malware operated undetected for four months before Microsoft disclosed it on June 17th.
  • Worm hides files on USB drives as shortcuts, then excludes itself from Microsoft Defender and establishes persistence.
  • Malware targets specific crypto key formats: BIP39 seed phrases, Ethereum private keys, and Bitcoin WIF-format keys.
  • Clipboard hijacking combined with USB self-replication expands attack surface beyond phishing and compromised browser extensions.

CryptoBandits, a malware campaign operating undetected since February, combines USB worm propagation with Tor-based exfiltration to drain crypto wallets, and Microsoft only publicly identified it on June 17th. The four-month window before disclosure is the uncomfortable detail buried in the announcement.

Microsoft’s Threat Intelligence team describes a program built around a simple but effective trap: a worm that hides the real files on a USB drive and replaces them with shortcuts carrying identical names. Clicking what looks like a spreadsheet triggers the infection, which then excludes itself from Microsoft Defender scans and establishes persistence via scheduled tasks. The second-stage payload routes through a Tor onion address, giving operators a command-and-control channel that blends into normal network traffic. What makes this harder to dismiss as routine malware is the specificity of its targets: BIP39 seed phrases in 12- or 24-word format, Ethereum private keys, and Bitcoin WIF-format keys. Whoever built this understood crypto key formats well enough to write dedicated parsers for them.
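The shortcut trap described above leaves a recognisable footprint on the drive: a .lnk file whose name mirrors a hidden sibling. The following triage script is an added example written for this article, not code from Microsoft or from the malware itself. It flags every shortcut that shadows a hidden file or folder (matching both the "report.xlsx.lnk" and the "report.lnk" naming forms, since Explorer hides known extensions by default), and the drive listing it runs on is constructed here for illustration. `list_entries` reads the hidden attribute from a real drive root and only reports it on Windows; the detection logic itself is platform independent.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One directory entry on the removable drive."""
    name: str
    hidden: bool   # Windows FILE_ATTRIBUTE_HIDDEN is set on the entry


def list_entries(path):
    """Collect entries from a real drive root (e.g. 'E:\\'); the hidden attribute is only reported on Windows."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(follow_symlinks=False), "st_file_attributes", 0)
            out.append(Entry(d.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out


def find_shadowed_files(entries):
    """Return (shortcut, hidden_original) pairs for every .lnk whose name mirrors a hidden sibling.

    A shortcut may be named 'report.xlsx.lnk' (mirrors the full filename) or
    'report.lnk' (mirrors the stem, which is all a user sees when Explorer hides
    known extensions), so both forms are indexed. A shortcut next to a *visible*
    file of the same name is an ordinary shortcut and is not reported.
    """
    hidden = {}
    for e in entries:
        if e.hidden and not e.name.lower().endswith(".lnk"):
            hidden.setdefault(e.name.lower(), e.name)
            hidden.setdefault(os.path.splitext(e.name)[0].lower(), e.name)
    findings = []
    for e in entries:
        if not e.name.lower().endswith(".lnk"):
            continue
        target = e.name[:-4].lower()          # strip '.lnk'
        if target in hidden:
            findings.append((e.name, hidden[target]))
    return findings


# Constructed drive listing for the demo; not taken from the Microsoft report.
SAMPLE_DRIVE = [
    Entry("Q2_report.xlsx", hidden=True),
    Entry("Q2_report.xlsx.lnk", hidden=False),       # shadows the hidden spreadsheet
    Entry("photos", hidden=True),
    Entry("photos.lnk", hidden=False),               # shadows the hidden folder
    Entry("readme.txt", hidden=False),
    Entry("notes.lnk", hidden=False),                # ordinary shortcut, no hidden twin
    Entry("System Volume Information", hidden=True), # legitimately hidden, no shortcut
]


def triage_sample():
    """Run the detection over the constructed listing."""
    return find_shadowed_files(SAMPLE_DRIVE)


if __name__ == "__main__":
    for lnk, original in triage_sample():
        print(f"suspicious: {lnk!r} shadows hidden {original!r}")
```

On a suspect drive, call `find_shadowed_files(list_entries(r"E:\"))` from a machine you are prepared to treat as untrusted; any hit means the shortcut, not the hidden original, is what a user would have clicked, and the host that drive was plugged into belongs in the incident scope.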

Clipboard hijacking to swap wallet addresses is not new, but pairing it with a worm that self-replicates across USB drives expands the attack surface well beyond phishing links or compromised browser extensions.

The implications land differently depending on how people store keys. Hardware wallet users who never expose seed phrases on a Windows machine are largely out of scope here, but anyone who has typed or pasted a seed phrase on a desktop, or copied a wallet address for a transaction, sits squarely in the threat model. The malware’s screenshot loop, capturing wallet balances and activity every second, also suggests the operators are not running automated sweeps blindly but maintaining some degree of manual oversight. For institutional desks or OTC operations that use Windows machines in the transaction workflow, the address-replacement vector is the higher-order risk: a single misdirected payment on a large transfer is a clean loss with no recourse.

Microsoft Defender Antivirus now flags the threat as Trojan:Win32/CryptoBandits.A, and Defender for Endpoint has been updated to watch for suspicious JavaScript processes and curl-based exfiltration behaviors. The practical near-term step for anyone in the threat window is treating any Windows machine that handled unverified USB drives since February as potentially compromised before trusting clipboard output for a transaction.
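The address-replacement vector works because a swapped address is still a syntactically valid address of the same chain, so format checks alone never catch it. The only reliable control is comparing what is about to be sent against an address known independently of the clipboard, for example an address book kept on the desk. The script below is an added example written for this article (not Microsoft's or the author's code): it validates Bitcoin legacy addresses with a Base58Check decode, recognises the 0x-hex Ethereum form, and classifies a pasted address against the expected one. The expected address is the public Bitcoin genesis-block address; the "lookalike" is constructed here from an arbitrary 20-byte hash and stands in for an attacker-controlled address. EIP-55 checksums are not verified because keccak-256 is not in the standard library.

```python
import hashlib
import re

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_ETH_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def _checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(data):
    """Base58Check-encode version byte + payload (used here only to build the demo lookalike)."""
    raw = data + _checksum(data)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    leading = len(raw) - len(raw.lstrip(b"\x00"))   # each leading 0x00 byte is a '1'
    return "1" * leading + out


def b58check_decode(s):
    """Return version byte + payload, or None on a bad character or checksum mismatch."""
    n = 0
    for ch in s:
        i = _B58.find(ch)
        if i < 0:
            return None
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) < 5:
        return None
    data, check = raw[:-4], raw[-4:]
    return data if _checksum(data) == check else None


def classify(addr):
    """'btc' for a mainnet P2PKH/P2SH Base58Check address, 'eth' for 0x + 40 hex, else None."""
    if _ETH_RE.match(addr):
        return "eth"        # EIP-55 mixed-case checksum is not checked here
    data = b58check_decode(addr)
    if data and len(data) == 21 and data[0] in (0x00, 0x05):
        return "btc"
    return None


def verify_destination(pasted, expected):
    """Compare the address about to be used with the one known independently of the clipboard.

    'swapped' is the clipboard-hijack signature: a well-formed address on the
    same chain that is not the one the sender intended.
    """
    if pasted == expected:
        return "ok"
    kind = classify(pasted)
    if kind is None:
        return "invalid"
    if kind == classify(expected):
        return "swapped"
    return "wrong-chain"


# Constructed stand-in for an attacker-controlled address (arbitrary hash160 bytes).
LOOKALIKE_BTC = b58check_encode(b"\x00" + bytes(range(1, 21)))
GENESIS_BTC = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"   # public Bitcoin genesis-block address


def demo():
    """Four clipboard outcomes checked against the same expected address."""
    return {
        "unchanged": verify_destination(GENESIS_BTC, GENESIS_BTC),
        "hijacked": verify_destination(LOOKALIKE_BTC, GENESIS_BTC),
        "garbled": verify_destination("0" + GENESIS_BTC[1:], GENESIS_BTC),   # '0' is not a Base58 character
        "chain": verify_destination("0x" + "ab" * 20, GENESIS_BTC),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:>9}: {result}")
```

The check is only as good as the source of `expected`: it has to come from somewhere the infected host cannot rewrite, such as a printed address book, a hardware wallet display, or a second machine, which is exactly why a bare copy-and-paste workflow on a Windows desk in the threat window is the risk the article describes.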

Categories: News

James Harris

Hi, I’m James Harris, dad of three, professional coffee maker (not drinker, as I make it for my wife), and the unlucky guy who once lost $48 in a crypto scam. Yep, forty-eight bucks. Not life-changing money, but just enough to sting my pride. That little scam lit a fire in me: if I could get fooled, so could anyone. And that’s how DodgeTheScam.com was born. Now I spend my time turning my mistake into your advantage. I dig into scams, fake sites, and shady schemes so you don’t have to learn the hard way. I keep things simple, honest, and sometimes funny, because staying safe online doesn’t have to feel like homework. My mission? To help you dodge scams, save your hard-earned money, and maybe give you a laugh or two along the way.
