Microsoft Spots Self-Propagating Malware That Steals Crypto Over Tor
Key takeaways
- Microsoft discovered new malware, dubbed Crypto Clipper, that hijacks clipboard-copied wallet addresses
- The malware spreads via USB drives, suggesting it targets restricted or semi-isolated networks
- It communicates with attackers over Tor, making command-and-control infrastructure harder to trace
- Victims lose funds because wallet addresses are silently swapped during copy-paste transactions
Microsoft has identified a new lightweight backdoor that spreads via USB drives and communicates with its operators over the Tor anonymity network. The malware, described as a 'Crypto Clipper', monitors clipboard contents and swaps out cryptocurrency wallet addresses when users copy them, silently redirecting payments to attacker-controlled wallets instead.
This is a classic but effective attack. Most people copy-paste crypto addresses rather than typing them manually, so a clipboard hijacker sitting quietly in the background can intercept real transactions without the victim noticing until it's far too late. The Tor-based communication makes tracking the command-and-control infrastructure significantly harder for researchers and law enforcement.
USB propagation is a particularly interesting distribution choice in 2026. It suggests the attackers are targeting environments where internet-based infection vectors are restricted, possibly corporate or industrial networks with tighter controls. Air-gapped or semi-isolated systems that still exchange USB drives are a known weak point.
If you're handling cryptocurrency in any professional capacity, the practical takeaway is simple: always verify the full wallet address after pasting, not just the first and last few characters. And perhaps review your organisation's USB device policies while you're at it.
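As an added illustration of that advice (example code written for this page, not part of the original article or of Microsoft's research): a Python check that compares the address you meant to pay against what actually landed in the paste buffer, and specifically flags the case where only the leading and trailing characters still match. The address-format patterns and the sample addresses are constructed assumptions, not real wallets.

```python
import re

# Loose format patterns for the address kinds a clipper typically swaps
# (shape only; no checksum validation, so they also accept some invalid strings).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str):
    """Return the name of the first matching format, or None if text is not address-shaped."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def verify_pasted(expected: str, pasted: str, edge: int = 6) -> str:
    """Compare the address the user meant to send to with the one that actually got pasted.
    'ok'             : byte-for-byte identical (the only acceptable outcome)
    'lookalike_swap' : a different address whose first/last `edge` chars match the expected
                       one, i.e. the case a glance at the ends of the string would miss
    'mismatch'       : a different address with no such resemblance
    'not_an_address' : the pasted text is not address-shaped at all
    """
    expected, pasted = expected.strip(), pasted.strip()
    if pasted == expected:
        return "ok"
    if address_kind(pasted) is None:
        return "not_an_address"
    if pasted[:edge] == expected[:edge] and pasted[-edge:] == expected[-edge:]:
        return "lookalike_swap"
    return "mismatch"


# Constructed sample values (not real wallets): an intended ETH address, a substitute that
# keeps the same six leading and trailing characters, and an unrelated one.
INTENDED = "0x12ab34" + "0" * 28 + "cdef56"
LOOKALIKE = "0x12ab34" + "f" * 28 + "cdef56"
UNRELATED = "0x" + "9" * 40


def demo() -> dict:
    """Run the check over the constructed samples and return the verdicts."""
    return {
        "same": verify_pasted(INTENDED, INTENDED),
        "lookalike": verify_pasted(INTENDED, LOOKALIKE),
        "unrelated": verify_pasted(INTENDED, UNRELATED),
        "garbage": verify_pasted(INTENDED, "hello world"),
    }
```

Only the 'ok' verdict should be treated as safe to send; 'lookalike_swap' is exactly the outcome that checking a few characters at each end would miss.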