Here’s a new reason to think twice before plugging in a stray flash drive. Microsoft Threat Intelligence has flagged a fresh strain of self-propagating malware that spreads via USB drives and quietly sets its sights on your cryptocurrency.
The trick is as clever as it is nasty. Once it lands on a Windows machine, the worm sits in the background and watches the clipboard. When it spots a cryptocurrency wallet address or a seed phrase being copied — the kind of long, unmemorable strings nobody types by hand — it pounces. Clipboard hijacking like this can swap a copied address for the attacker’s own, or simply harvest the data outright, and most victims never notice until the funds are gone.
What makes this campaign stand out is its discipline around staying hidden. Rather than phoning home over ordinary connections, the malware bundles a portable Tor client and routes everything it steals through the anonymity network. That makes the traffic far harder to trace and gives defenders fewer obvious signals to catch.
According to Microsoft’s analysis, the operation has been active since at least February 2026. The USB-based spreading mechanism is a deliberate choice: it lets the worm hop across air-gapped or loosely networked systems that conventional email-borne threats can’t reach, jumping from machine to machine on shared drives.
A few takeaways worth internalizing:
- USB drives remain a real attack vector. Self-propagating worms thrive on shared and unknown removable media.
- Clipboard monitoring is a low-effort, high-reward tactic. Crypto users who copy-paste wallet details are squarely in the crosshairs.
- Tor isn’t only for privacy advocates. Attackers lean on it to bury stolen data in anonymized traffic.
The practical defenses are unglamorous but effective. Avoid plugging in flash drives of unknown origin, keep endpoint protection current, and — crucially for anyone moving crypto — always double-check that a pasted wallet address matches the one you intended before confirming a transaction. When the destination is irreversible and the amounts are real, that final glance is the cheapest insurance you’ll ever get.
Microsoft published its findings as part of ongoing threat-intelligence reporting, and the discovery is a reminder that the humble USB port still carries surprisingly modern risks.