USB-Borne Crypto Clipper Malware Targets Bitcoin and Ethereum Wallets on Windows

Microsoft has identified a USB-distributed clipboard-hijacking malware targeting Bitcoin and Ethereum wallet addresses on Windows systems since February 2026. The malware intercepts and replaces cryptocurrency wallet addresses copied to the clipboard, potentially redirecting transactions to attacker-controlled addresses.

This discovery represents a critical vulnerability in how cryptocurrency users interact with their wallets on Windows systems. Clipboard-hijacking malware operates silently in the background, making it particularly insidious because users may believe they're sending funds to legitimate addresses when transactions are actually being diverted. The use of USB distribution as an infection vector is particularly concerning because it bypasses many network-based security controls and can spread across air-gapped systems.

Clipboard-based attacks have evolved significantly as cryptocurrency adoption has grown. Traditional malware focused on keystroke logging or credential theft, but crypto-specific variants target the unique workflow of blockchain transactions. When users copy wallet addresses before pasting them into transaction fields, this malware intercepts that intermediate step. The February 2026 timeline suggests this threat has been active for months potentially, indicating real financial losses may have already occurred.

For Windows users managing significant cryptocurrency holdings, this threat creates immediate operational risk. Even users with hardware wallets remain vulnerable if they use software wallets or exchange platforms on infected systems. The impact extends beyond individual losses to broader ecosystem trust, as victims may question whether their transactions genuinely succeeded or were compromised.

Looking forward, users should implement additional verification procedures such as manually typing initial portions of addresses or using QR code verification. The broader implication is that Windows users managing substantial cryptocurrency should consider isolated machines for transaction signing or hardware wallet-exclusive workflows. Security audits of USB-connected devices and implementation of application whitelisting become increasingly important defensive measures.

• →USB-distributed malware has been targeting Windows users since at least February 2026 through clipboard hijacking
• →The malware intercepts cryptocurrency addresses and redirects transactions to attacker-controlled wallets
• →Both Bitcoin and Ethereum users are vulnerable through this attack vector
• →Traditional network security measures may not prevent USB-based infection and distribution
• →Users should implement manual address verification and consider hardware wallet solutions for security