A wallet‑stealing component targeting cryptocurrency activity on Windows systems is drawing attention for its combination of stealth, speed, and persistence. The malware monitors the Windows clipboard roughly every 500 milliseconds, captures crypto wallet seed phrases or private keys for Bitcoin and Ethereum wallets, exfiltrates the data to an attacker‑controlled server over the Tor network, and supplements the theft with a burst of five screenshots taken ten seconds apart. In addition to stealing credentials, it can surreptitiously redirect outgoing transfers by replacing copied recipient addresses, and it spreads further by infecting clean USB drives. Microsoft outlines multiple defensive steps, including disabling AutoRun for removable media, blocking .lnk file execution on USB drives via group policy, and restricting script hosts such as wscript.exe and cscript.exe, with Microsoft Defender hunting queries available to check for related activity, including connections to a local Tor proxy on port 9050.
Threat Overview
The core of the operation is the clipboard‑watching routine. By polling the clipboard at roughly half‑second intervals, the wallet‑stealing component positions itself to intercept sensitive material at the precise moment it is most exposed: when users copy seed phrases or private keys for Bitcoin or Ethereum wallets. The high‑frequency monitoring narrows the window between a value landing on the clipboard and its capture, allowing the attacker to move quickly once a target item appears there.
Exfiltration proceeds through the Tor network, an open‑source overlay designed to provide anonymous communication. Routing stolen material through Tor complicates attribution and takedown efforts by obscuring the destination infrastructure. Alongside the credential capture, the component takes five screenshots at ten‑second intervals and sends those images as well, giving the attacker visual context about the victim’s desktop and activity during and immediately after the theft.
Transaction Interference
The risk extends beyond the initial compromise of wallet secrets. When a user copies a recipient address in preparation for sending funds, the worm silently swaps that value for an attacker‑controlled address before the user pastes it. Because the replacement occurs in the clipboard without a visible cue, a transfer may be redirected to the attacker even when a user believes they are following their normal process. This behavior targets a moment many users treat as routine, increasing the likelihood that a diversion goes unnoticed until after the funds have moved.
USB‑Based Propagation
The component also behaves like a worm when a clean USB drive is introduced. It scans the removable media for everyday items such as Word documents, Excel sheets, and PDFs, then replaces them with shortcut (.lnk) files that carry the same names. By masquerading as familiar content through these new shortcuts, the malware infects the drive and sets the stage for further spread when that media is connected elsewhere. The cycle then continues as additional systems encounter the tainted files.
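The propagation pattern above gives a defender something concrete to look for on removable media: shortcut files where documents used to be, and shortcuts whose target is a script host. The following PowerShell audit is an added example, not code from the article or from Microsoft. It assumes an elevated session on Windows, resolves each .lnk target through the WScript.Shell COM object, and applies two constructed heuristics: a target that is one of the script hosts the article names (extended here with cmd.exe and powershell.exe as common shortcut targets) and a shortcut whose base name still ends in a document extension, which is how a replaced "Report.docx" would look when extensions are hidden.

```powershell
# Added example (not from the original article): audit removable drives for
# shortcut files that impersonate documents or launch a script host.
# Assumptions: elevated PowerShell on Windows; the script-host list and the
# double-extension heuristic are constructed detection rules, not published IoCs.

# wscript.exe and cscript.exe are named in the article; cmd.exe and powershell.exe
# are added here as other interpreters a malicious shortcut commonly points at.
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'cmd.exe', 'powershell.exe')

function Get-RemovableDriveRoot {
    # DriveType 2 = removable disk in Win32_LogicalDisk.
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { $_.DeviceID + '\' }
}

function Resolve-ShortcutTarget {
    param([string]$Path)
    # CreateShortcut on an existing .lnk returns its target and arguments.
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($Path)
    [pscustomobject]@{
        Path      = $Path
        Target    = [string]$lnk.TargetPath
        Arguments = [string]$lnk.Arguments
    }
}

function Find-SuspiciousShortcut {
    param([string[]]$Roots = (Get-RemovableDriveRoot))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = Resolve-ShortcutTarget -Path $_.FullName
            $targetName = [System.IO.Path]::GetFileName($info.Target).ToLowerInvariant()
            $reasons = @()
            if ($ScriptHosts -contains $targetName) {
                $reasons += "target is $targetName"
            }
            # 'Report.docx.lnk' has BaseName 'Report.docx', which is what a user
            # sees when Explorer hides known extensions.
            if ($_.BaseName -match '\.(docx?|xlsx?|pdf)$') {
                $reasons += 'document-style double extension'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut  = $_.FullName
                    Target    = $info.Target
                    Arguments = $info.Arguments
                    Reason    = ($reasons -join '; ')
                }
            }
        }
    }
}

# Report only; review the Arguments column before deleting anything.
Find-SuspiciousShortcut | Format-Table -AutoSize
```

Run it with a suspect drive attached, or pass explicit roots (`Find-SuspiciousShortcut -Roots 'E:\'`) to audit a mounted image. The script only reports; a shortcut whose target is a script host with a long argument string is the item to pull for analysis, while a plain document shortcut with no arguments may be benign.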
Key Factors
- Clipboard polling cadence: roughly every 500 milliseconds, enabling rapid capture of seed phrases and private keys associated with Bitcoin and Ethereum wallets.
- Data exfiltration channel: the Tor network, used to send stolen material to an attacker’s server while providing anonymous communication.
- Additional context gathering: five screenshots captured ten seconds apart and transmitted to the attacker.
- Address replacement: silent substitution of a copied recipient address with an attacker‑controlled address prior to pasting, with no visible cue.
- Wormlike spread: replacement of ordinary files on clean USB drives with identically named shortcut files, infecting the removable media and perpetuating the cycle.
Mitigation Guidance
Microsoft recommends a set of defensive measures tailored to the attack paths described. Disabling AutoRun for removable media reduces exposure to automatic execution as soon as a USB drive is connected. Blocking .lnk file execution on USB drives via group policy addresses the shortcut‑based impersonation used to propagate the infection. Restricting script hosts—including wscript.exe and cscript.exe—limits avenues the malware can exploit for execution and persistence. For visibility and detection, Microsoft Defender customers can run hunting queries to check for related activity, including signs of connections to a local Tor proxy on port 9050.
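The three measures above reduce to a handful of machine settings plus one runtime indicator, so they can be audited in one pass. The following PowerShell script is an added example, not Microsoft's guidance or code. It assumes an elevated session, checks (and with `-Apply` enforces) AutoRun and Windows Script Host settings through their documented registry values, then looks for a SOCKS listener on 127.0.0.1:9050 or any process connected to it. The .lnk restriction for removable drives is a Software Restriction Policy configured in Group Policy and is not scripted here, and the advanced-hunting query at the end is one way to express the Tor-proxy check against the DeviceNetworkEvents table, not a query published by Microsoft.

```powershell
# Added example (not from the original article or from Microsoft): audit, and
# optionally enforce, AutoRun and script-host hardening, then check for the
# local Tor proxy indicator. Assumptions: elevated PowerShell on Windows.

$Checks = @(
    @{ Name     = 'AutoRun disabled for all drive types'
       Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'; Expected = 0xFF },
    @{ Name     = 'autorun.inf commands ignored'
       Key      = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoAutorun'; Expected = 1 },
    @{ Name     = 'Windows Script Host (wscript.exe/cscript.exe) disabled'
       Key      = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
       Value    = 'Enabled'; Expected = 0 }
)

function Test-HardeningSetting {
    param([switch]$Apply)
    foreach ($c in $Checks) {
        $current = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $ok = ($current -eq $c.Expected)
        if (-not $ok -and $Apply) {
            if (-not (Test-Path $c.Key)) { New-Item -Path $c.Key -Force | Out-Null }
            New-ItemProperty -Path $c.Key -Name $c.Value -Value $c.Expected `
                -PropertyType DWord -Force | Out-Null
            $ok = $true
        }
        [pscustomobject]@{ Setting = $c.Name; Current = $current; Expected = $c.Expected; Compliant = $ok }
    }
}

function Get-LocalTorProxyActivity {
    # Either a SOCKS listener on 9050 or a client connected to it on loopback.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.LocalPort -eq 9050 -and $_.State -eq 'Listen') -or
            ($_.RemotePort -eq 9050 -and $_.RemoteAddress -in @('127.0.0.1', '::1'))
        } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                State   = $_.State
                Process = $proc.ProcessName
                Path    = $proc.Path
            }
        }
}

# Fleet-wide version of the same check for Microsoft Defender advanced hunting
# (assumed column names from the DeviceNetworkEvents schema; paste into the portal).
$HuntingQuery = @'
DeviceNetworkEvents
| where RemotePort == 9050 and RemoteIP in ("127.0.0.1", "::1")
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, RemoteIP, RemotePort
| order by Timestamp desc
'@

Test-HardeningSetting | Format-Table -AutoSize
Get-LocalTorProxyActivity | Format-Table -AutoSize
```

Run `Test-HardeningSetting` first to see the current state and `Test-HardeningSetting -Apply` to enforce it. Setting `Enabled = 0` under the Script Host key turns off wscript.exe and cscript.exe for the whole machine, which also stops legitimate logon or admin scripts; where those are needed, an AppLocker or SRP rule scoped to removable drives and user-writable paths is the narrower way to meet the "restrict script hosts" recommendation. A hit from `Get-LocalTorProxyActivity` is only an indicator: a Tor Browser installed by the user produces the same listener, so the owning process and its path decide whether it is expected.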
Operational Implications
The combination of fast clipboard monitoring, address swapping, Tor‑based exfiltration, and removable‑media propagation is designed to target both the credentials underpinning crypto ownership and the transactional layer where funds move. The clipboard focus strikes at seed phrases and private keys at the moment they are exposed in memory, while the address replacement aims to divert transfers without altering a user’s workflow. The USB mechanism, meanwhile, turns everyday file handling into a vehicle for spread, using identically named shortcuts to blend into a familiar environment.
Taken together, these behaviors show how a single component can create multiple points of failure for crypto holders operating on Windows systems. The recommendations cited by Microsoft—disabling AutoRun, blocking .lnk execution on USB drives, restricting wscript.exe and cscript.exe, and using Microsoft Defender hunting queries to identify activity such as local Tor proxy connections on port 9050—map directly to the observed tactics and provide a focused starting point for risk reduction within affected environments.