The malware steals private keys and replaces wallet addresses, posing risks to digital asset security and user funds.
Microsoft identified a new malware strain, Trojan:Win32/CryptoBandits.A, spreading via USB drives and targeting cryptocurrency wallets. The malware captures BIP39 mnemonic seed phrases, Bitcoin and Ethereum private keys, and replaces copied wallet addresses with attacker-controlled ones across Bitcoin, Tron, and Monero networks. It also takes screenshots every ten seconds to gather additional context on users’ activities.
The threat follows a broader surge in Windows-based crypto stealers in 2026, including Lucid Stealer, which targets browser extensions and wallets. Microsoft recommended disabling autoplay on removable media, blocking .lnk file execution from USB drives, and monitoring for proxy activity and spawned scripts to mitigate risks.
No immediate market reaction was reported, but the malware underscores growing vulnerabilities in digital asset storage and transfer mechanisms.
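A defender-side illustration of how the clipboard address replacement described above can be spotted, added here as an example and not taken from Microsoft's report or any product: it classifies clipboard text by address format for the three networks named and flags an address that is swapped for a different same-network address within a short window. The `ClipEvent` type, the `find_swaps` helper, the two-second threshold and the sample events are constructed assumptions; the patterns check format only, not checksums.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Format-only patterns (no checksum validation) for the networks the article names.
B58 = "1-9A-HJ-NP-Za-km-z"
PATTERNS = {
    "bitcoin": re.compile(rf"^(?:[13][{B58}]{{25,34}}|bc1[02-9ac-hj-np-z]{{11,71}})$"),
    "tron": re.compile(rf"^T[{B58}]{{33}}$"),
    "monero": re.compile(rf"^[48][{B58}]{{94}}$"),
}

class ClipEvent(NamedTuple):   # hypothetical record from a clipboard monitor
    ts: float                  # seconds since monitoring started
    text: str                  # clipboard contents at that moment

def classify(text: str) -> Optional[str]:
    """Return the network whose address format the text matches, else None."""
    candidate = text.strip()
    for network, pattern in PATTERNS.items():
        if pattern.match(candidate):
            return network
    return None

def find_swaps(events: List[ClipEvent], max_gap: float = 2.0) -> List[Tuple]:
    """Flag an address replaced by a different same-network address within
    max_gap seconds (assumed threshold: faster than a user re-copies)."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        net_prev, net_cur = classify(prev.text), classify(cur.text)
        old, new = prev.text.strip(), cur.text.strip()
        if net_prev and net_prev == net_cur and old != new \
                and cur.ts - prev.ts <= max_gap:
            alerts.append((cur.ts, net_cur, old, new))
    return alerts

# Constructed sample events; the addresses are format-valid dummies, not real wallets.
SAMPLE = [
    ClipEvent(0.0, "meeting notes"),
    ClipEvent(5.0, "1" + "A" * 33),   # user copies a Bitcoin-format address
    ClipEvent(5.3, "1" + "B" * 33),   # replaced 0.3 s later: suspicious
    ClipEvent(40.0, "T" + "C" * 33),  # user copies a Tron-format address
    ClipEvent(95.0, "T" + "D" * 33),  # different address 55 s later: not flagged
]

if __name__ == "__main__":
    for ts, network, old, new in find_swaps(SAMPLE):
        print(f"[{ts:.1f}s] {network} address changed: {old[:8]}... -> {new[:8]}...")
```

A rapid swap is only a heuristic signal; comparing the pasted address character by character against the intended one before sending remains the reliable check.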