MICROSOFT WARNS OF NEW MALWARE STEALING BITCOIN SEED PHRASES AND HIJACKING WALLET ADDRESSES
Microsoft has identified a new strain of malware, dubbed “CryptoBandits,” that has been infecting Windows PCs since February and specifically targeting Bitcoin and other crypto wallets.
The attack begins with an infected USB stick. When a user clicks a malicious shortcut file, a worm installs itself on the computer and quietly goes to work.
The malware continuously monitors the Windows clipboard, looking for Bitcoin seed phrases, private keys, and wallet addresses. If it detects a seed phrase or private key, it sends the information to attackers through the Tor network while also capturing screenshots of the victim’s screen.
Even more dangerous, the malware can silently replace a copied Bitcoin address with an attacker-controlled address before a transaction is sent. The victim believes they are sending funds to the intended recipient, but the Bitcoin is redirected to the attacker instead.
The worm also spreads itself automatically. When a clean USB drive is connected, it infects the drive by disguising malicious shortcut files as ordinary documents, PDFs, spreadsheets, and other files, allowing the malware to jump from computer to computer.
The incident is another reminder that self-custody comes with responsibility. Hardware wallets protect private keys, but users should never enter seed phrases on internet-connected computers and should always verify recipient addresses on the hardware wallet screen before sending Bitcoin.
Microsoft recommends disabling USB AutoRun, blocking shortcut file execution from removable drives, and restricting Windows script hosts to reduce exposure.
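
A defender-side check for the disguised shortcuts described above, as an added example that is not from Microsoft's report or the original post: it walks a mounted removable drive and flags files whose content is a Windows Shell Link, including names such as Invoice.pdf.lnk that Explorer displays without the .lnk suffix. The double-extension naming, the list of lure extensions and the sample files are assumptions constructed for illustration.

```python
import struct
import tempfile
from pathlib import Path

# Shell Link header: HeaderSize 0x4C + LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")

# Assumed lure extensions; the page only says "documents, PDFs, spreadsheets".
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

def is_shell_link(path):
    """True when the file content starts with the Shell Link header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False

def scan_drive(root):
    """Return (relative_path, reason) for each shortcut found under root."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        if not is_shell_link(path):
            continue  # judged by content, so a renamed text file is ignored
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        if suffixes[-1:] != [".lnk"]:
            findings.append((rel, "shell link content without .lnk extension"))
        elif len(suffixes) >= 2 and suffixes[-2] in DOC_EXTS:
            findings.append((rel, "shortcut displayed as a document"))
        else:
            findings.append((rel, "shortcut on removable media"))
    return findings

def demo():
    """Scan a constructed drive layout (sample files, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = Path(tmp)
        (drive / "docs").mkdir()
        (drive / "Invoice.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
        (drive / "docs" / "Budget.xlsx.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
        (drive / "tools.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
        (drive / "notes.txt").write_bytes(b"plain text, not a shortcut")
        (drive / "fake.lnk").write_bytes(b"not a real shell link")
        return scan_drive(drive)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Point scan_drive at the drive letter or mount point of a USB stick before opening anything on it; any hit on a drive that should hold only documents deserves a closer look.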
