Microsoft Uncovers USB-Spread Malware Targeting Crypto Wallets

Malware dubbed CryptoBandits steals private keys and replaces wallet addresses via infected USB drives, Microsoft warns.

Microsoft identified a malware strain spreading through USB drives that hijacks cryptocurrency wallets by intercepting private keys and seed phrases. The malware, named Trojan:Win32/CryptoBandits, replaces recipient wallet addresses during transactions with attacker-controlled ones, exfiltrating data via the Tor network.

The threat has been active since February, targeting Windows users through malicious .lnk shortcut files on infected USB drives. Once installed, the malware monitors clipboard activity, swapping legitimate wallet addresses with fraudulent ones during transfers.

Microsoft advised disabling AutoRun, blocking .lnk execution on USB media, and restricting script hosts to mitigate risks. The firm also recommended checking networks against published indicators of compromise to detect infections.
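A read-only audit of a Windows host against the three mitigations above, added here as an example and not taken from Microsoft's guidance. The article does not say how each control should be set, so the registry values and the Defender attack surface reduction (ASR) rule below are assumptions chosen from standard Windows settings; the ASR rule blocks untrusted and unsigned processes launched from USB, which is a neighbouring control rather than a block on .lnk files themselves.

```powershell
# Added audit example: reads settings only, changes nothing on the host.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$results = @()

# 1. AutoRun: NoDriveTypeAutoRun = 0xFF disables AutoRun for every drive type.
$autoRun = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
$results += [pscustomobject]@{
    Control = 'AutoRun disabled on all drive types'
    Value   = $autoRun
    Pass    = ($autoRun -eq 0xFF)
}

# 2. Script hosts: Enabled = 0 stops wscript.exe and cscript.exe machine-wide.
$wsh = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
$results += [pscustomobject]@{
    Control = 'Windows Script Host disabled'
    Value   = $wsh
    Pass    = (($null -ne $wsh) -and ("$wsh" -eq '0'))
}

# 3. USB execution: ASR rule "Block untrusted and unsigned processes that run
#    from USB". Action 1 = Block; 2 (Audit) and 6 (Warn) do not stop execution.
$usbRule = 'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4'
$action  = $null
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $mp      = Get-MpPreference
    $ids     = @($mp.AttackSurfaceReductionRules_Ids)
    $actions = @($mp.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $usbRule) { $action = $actions[$i] }
    }
}
$results += [pscustomobject]@{
    Control = 'ASR: block untrusted processes from USB'
    Value   = $action
    Pass    = ($action -eq 1)
}

$results | Format-Table -AutoSize
```

An empty Value column means the setting is not configured on that host, which the script reports as a failed control.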