Microsoft found malware that hijacks crypto wallets and spreads through USB sticks
Microsoft identified a sophisticated malware strain that hijacks cryptocurrency wallets by intercepting Windows shortcut files and installing a worm capable of stealing private keys from the clipboard and redirecting transactions to attacker-controlled addresses. The malware spreads via USB drives, posing a significant threat to desktop-based crypto holders.
Microsoft's discovery of this clipboard-hijacking malware exposes a critical weakness in the security practices surrounding cryptocurrency storage and transactions. The attack leverages a multi-stage infection vector: USB-based distribution triggers shortcut file manipulation, which then deploys a worm designed to monitor and intercept clipboard data, a common channel for copying private keys and wallet addresses. This approach is particularly dangerous because it targets behavior patterns endemic to cryptocurrency users, who frequently copy and paste sensitive information.
The malware's sophistication reflects an evolution in cryptocurrency-focused threats. Rather than brute-force attacks or direct exchange compromises, attackers now target the intersection of user behavior and operating system mechanics. USB-based propagation ensures offline transmission, bypassing network-level security controls, while clipboard interception requires no elevated privileges or complex exploitation chains. This parallels broader trends in cyber-attacks against crypto users, where social engineering and behavioral exploitation increasingly supplement technical vulnerabilities.
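As an added illustration, not from Microsoft's report or the original article, the following defender-side heuristic runs over constructed clipboard snapshots and flags the behaviour a clipboard hijacker produces: an address-like value silently overwritten by a different address of the same family within a fraction of a second. The address patterns, the 2-second window and the sample events are assumptions; the addresses are public test vectors, not real wallets.

```python
import re

# Constructed clipboard snapshots: (seconds since start, clipboard text).
# A hijacker polls the clipboard and swaps a copied address almost instantly,
# whereas a user copying a second address takes seconds, not milliseconds.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),    # user copies address
    (5.2, "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),    # overwritten 200 ms later
    (40.0, "0x52908400098527886E0F7030069857D2E4169EE7"),
    (70.0, "0x8617E340B3D01FA5F11F306F4090FD50E238070D"),   # 30 s later: a new copy
]

# Assumed address syntaxes: Bitcoin bech32 / base58 and Ethereum hex.
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def address_family(text):
    """Return which address family the clipboard text resembles, or None."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None

def detect_clipboard_swaps(events, window_seconds=2.0):
    """Flag an address replaced by a different address of the same family
    within `window_seconds`, which is too fast to be a deliberate re-copy."""
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        fam_prev, fam_cur = address_family(prev), address_family(cur)
        if fam_prev and fam_prev == fam_cur and prev != cur \
                and (t_cur - t_prev) <= window_seconds:
            alerts.append({"family": fam_prev, "original": prev,
                           "replaced_with": cur, "delay": t_cur - t_prev})
    return alerts

def run_sample():
    """Run the detector over the constructed snapshots."""
    return detect_clipboard_swaps(SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert['family']}] {alert['original']} -> "
              f"{alert['replaced_with']} after {alert['delay']:.2f}s")
```

A real monitor would read the clipboard on a timer or via a change notification; the heuristic alone does not prove malware, but a sub-second same-family swap is worth a prompt before the user sends funds.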
For investors and cryptocurrency enthusiasts, this threat directly impacts asset security strategies. Desktop wallets and clipboard-dependent transaction workflows face meaningful risk, particularly among less security-conscious users. Hardware wallets and air-gapped systems remain relatively protected, but the widespread use of Windows systems for crypto activity means exposure is substantial across retail and institutional segments.
The incident underscores why security practices matter as much as technological solutions. Users must implement endpoint protection, disable USB autorun features, and avoid clipboard-based transaction workflows. Exchanges and wallet providers should educate users on these emerging threats, while developers can design interfaces that reduce clipboard dependency for sensitive operations.
- Malware intercepts Windows shortcuts and clipboard data to steal private keys and redirect cryptocurrency transfers
- USB-based distribution mechanism bypasses network security controls and targets offline infection vectors
- Desktop cryptocurrency wallets and clipboard-dependent workflows face elevated security risk
- Hardware wallets and air-gapped systems provide protection against this clipboard-hijacking technique
- Users should disable USB autorun, implement endpoint protection, and avoid clipboard-based transaction methods
