Microsoft warns of CryptoBandits clipboard malware
Microsoft on June 17, 2026 warned that CryptoBandits, a Windows malware family spread via USB drives, monitors the clipboard and swaps copied crypto wallet addresses for attacker-controlled ones.
Microsoft’s threat intelligence team on June 17, 2026 published an analysis saying a Windows malware family it labels CryptoBandits spreads via infected USB drives. The malware disguises itself as ordinary documents, runs in the background and monitors the clipboard about twice a second. When it detects a copied cryptocurrency wallet address it replaces the clipboard contents with an attacker-controlled address. The code can also capture seed phrases and private keys copied to the clipboard and take screenshots.
Microsoft noted the malware alters data on the user’s machine before a transfer and does not break blockchain cryptography; transactions that appear on the network are valid for the destination address shown at the time of confirmation.
Law enforcement and industry reports show large losses tied to scams and compromised endpoints. The FBI’s 2025 Internet Crime Report lists $11.37 billion in U.S. losses from cryptocurrency fraud, a 22 percent increase from 2024, with nearly 18,600 victims each reporting more than $100,000 and an average reported loss above $62,000. Chainalysis estimated global scam and fraud losses could reach about $17 billion in 2025. PeckShield reported platform exploit losses of roughly $2.67 billion for the year.
Attackers use several techniques to get users to approve transfers. One method asks victims to install a browser extension or paste a script that then rewrites recipient addresses on a real website so a user sends funds to an attacker-controlled wallet. Other schemes include long-running investment frauds that move victims to fake trading platforms, impostor “support” or “compensation” messages that request wallet details, fake airdrops that ask users to connect wallets and sign approvals that grant ongoing permissions, and address-poisoning where attackers send tiny transactions from similar-looking addresses so a user copies the wrong one.
Security practitioners recommend simple habits to reduce risk. Do not install browser extensions or run scripts from unverified sources. Always verify the full destination address inside the official wallet or app before sending funds and avoid copying addresses from web pages or message history without checking them. Keep seed phrases and private keys off screens and never provide them in response to unsolicited requests. Ignore unsolicited compensation forms and support messages and report suspicious contact through the service’s official channels.
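Two of the habits above, verifying the full destination address rather than its first and last few characters, and noticing when the clipboard changes underneath you, can be turned into checks a wallet app or endpoint tool could run. The following Python is an added example written for this article, not code from Microsoft or from any wallet vendor. The address patterns are simplified shape checks (no checksum validation), and the wallet addresses and clipboard snapshots are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Simplified address-shape patterns (assumption for this example: shape only,
# no checksum or network validation).
ADDRESS_PATTERNS = {
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "btc_legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Return the pattern name the text matches, or None if it is not address-shaped."""
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


@dataclass
class PasteVerdict:
    status: str  # "ok", "lookalike", "swapped" or "not_an_address"
    detail: str


def verify_paste(intended: str, pasted: str, edge: int = 6) -> PasteVerdict:
    """Compare the address the user meant to send to with the one that landed in
    the destination field. A lookalike (address poisoning) shares the first and
    last `edge` characters, which is all a quick glance checks, but differs in
    the middle; a clipboard swap usually differs even at the edges."""
    intended, pasted = intended.strip(), pasted.strip()
    if address_kind(pasted) is None:
        return PasteVerdict("not_an_address", "pasted text is not address-shaped")
    if pasted == intended:
        return PasteVerdict("ok", "full address matches")
    if pasted[:edge] == intended[:edge] and pasted[-edge:] == intended[-edge:]:
        return PasteVerdict("lookalike", f"first/last {edge} chars match but the middle differs")
    return PasteVerdict("swapped", "pasted address is unrelated to the intended one")


@dataclass
class ClipboardSnapshot:
    t: float       # seconds since the wallet app started
    source: str    # "user_copy" (explicit copy inside the app) or "poll" (periodic read)
    content: str


def audit_clipboard(snapshots: List[ClipboardSnapshot]) -> List[str]:
    """Flag polls where an address-shaped clipboard value was replaced by a
    different address-shaped value with no user copy in between. A legitimate
    change always shows up as a "user_copy" snapshot first."""
    alerts: List[str] = []
    seen: Set[str] = set()
    last_user_copy: Optional[str] = None
    for snap in snapshots:
        if snap.source == "user_copy":
            last_user_copy = snap.content
            seen.clear()
            continue
        if last_user_copy is None or address_kind(last_user_copy) is None:
            continue
        if address_kind(snap.content) and snap.content != last_user_copy and snap.content not in seen:
            seen.add(snap.content)
            alerts.append(f"t={snap.t}: clipboard address changed without a user copy "
                          f"({last_user_copy[:8]}... -> {snap.content[:8]}...)")
    return alerts


# Constructed sample data (not real wallet addresses).
INTENDED = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
LOOKALIKE = "0x1a2b" + "f" * 30 + "8f9a0b"   # same head and tail, different middle
SWAPPED = "0xdeadbeef" + "0" * 32            # unrelated address

SAMPLE_SNAPSHOTS = [
    ClipboardSnapshot(0.0, "user_copy", INTENDED),
    ClipboardSnapshot(0.5, "poll", INTENDED),
    ClipboardSnapshot(1.0, "poll", SWAPPED),   # rewritten with no user copy before it
    ClipboardSnapshot(1.5, "poll", SWAPPED),
]

if __name__ == "__main__":
    for candidate in (INTENDED, LOOKALIKE, SWAPPED, "hello"):
        print(verify_paste(INTENDED, candidate))
    for alert in audit_clipboard(SAMPLE_SNAPSHOTS):
        print(alert)
```

The `lookalike` verdict is the reason the advice says to check the whole address: with `edge=6` the poisoned address passes the head-and-tail glance that most people rely on. The clipboard audit is deliberately conservative, alerting only when an address-shaped value changes to another address-shaped value without an explicit user copy, which keeps ordinary clipboard traffic out of the alert stream.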
Hardware wallets keep private keys offline and display the destination address on their own screen for confirmation, preventing a compromised browser from changing what a user approves. Stefan Lauer, head of infrastructure at SimpleSwap, advised: “Verify every deposit address inside the official app, and treat any hidden shortcut to extra value as a warning rather than a win.” Akhil Jonnavithula, director of business development at a hardware wallet provider, noted that devices requiring on-device confirmation and without Bluetooth or Wi-Fi make it harder for a compromised browser to alter approvals.
Microsoft classifies the family as CryptoBandits, and security professionals recommend caution with downloads and using isolated devices for final transaction confirmation.