Microsoft Identifies New Crypto Malware Targeting Wallet Addresses and Private Keys

TheNewsCrypto. Published 2026-06-19. Last updated 2026-06-19.

Introduction

In February 2026, Microsoft identified a new crypto clipper malware, dubbed Trojan/CryptoBandits.A, targeting Windows systems. The malware spreads via malicious shortcut files on USB drives and runs without a traditional installer or conventional, directly reachable command-and-control servers: it uses Windows Script Host and ActiveX to deploy a bundled Tor proxy and reaches its control servers through that. Once active, it runs two modules, one for spreading and one for stealing information. The malware continuously monitors the clipboard for 12- or 24-word recovery phrases, Bitcoin and Ethereum private keys, and wallet addresses. When a user copies a wallet address, the malware silently swaps it for one controlled by the attackers to divert funds. It also captures screenshots to learn wallet balances and user activity, sending the data over Tor connections. Additional capabilities include remote code execution and persistence via scheduled tasks. Microsoft advises disabling auto-run features, restricting script interpreters and executable shortcuts launched from USB drives, and monitoring for suspicious activity such as JavaScript execution, use of the localhost:9050 proxy, PowerShell screenshot capture, and clipboard monitoring.

In February 2026, Microsoft Threat Intelligence and Microsoft Defender Experts uncovered a crypto clipper campaign built for Windows. The malware preys on cryptocurrency holders by hijacking the clipboard and hunting for sensitive wallet information. Microsoft reported the findings on its blog.

Attackers primarily spread this malware through malicious .lnk shortcut files distributed on USB drives. Opening the shortcut executes the malicious code, which deploys two modules: one spreads the malware to further systems, the other acts as a clipper and information stealer. Microsoft Defender Antivirus detects the threat as Trojan/CryptoBandits.A.

Unlike most malware operations, this one needs neither an installer nor conventional, directly reachable control servers. It uses Windows Script Host and ActiveX to launch a packaged Tor proxy, exposes it as a SOCKS5 proxy on the infected computer (Tor's default listener is 127.0.0.1:9050, which is why that port appears among the indicators below), and through that proxy connects to control servers running as Tor hidden services.

Malware Snatches Wallet Information and Swaps Addresses

Following infection, the malware continuously tracks clipboard content, looking for recovery phrases, private keys, and wallet addresses. According to Microsoft, it specifically targets 12-word and 24-word recovery phrases, Bitcoin private keys, and Ethereum private keys. When a user copies a wallet address, the malware replaces it with an attacker-controlled address before the user pastes it into the transaction, so the funds go to the attacker unless the user compares the pasted destination with the address they meant to send to.
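As an added example, not code from Microsoft or from the malware, the Python below encodes the public formats of the artefacts named above (12/24-word phrases, WIF and hex private keys, Bitcoin and Ethereum addresses) and shows the defensive mirror of the swap: remember the address the user copied and alert when the pasted value is a different address of the same kind. The sample values are the well-known Bitcoin genesis-block address, the Bitcoin wiki's documentation WIF key, the BIP173 bech32 example address and the all-"abandon" BIP39 test vector, plus one constructed address standing in for the attacker's. The regexes check shape only and do not validate Base58Check, bech32 or EIP-55 checksums, and the seed-phrase test is a heuristic that a production check would tighten with the 2048-word BIP39 list.

```python
"""Classify clipboard contents the way a crypto clipper would, and catch an address swap.

Added example; the regexes encode the public formats of the artefacts the article
names, not anything recovered from the malware itself.
"""
import re

# Base58 alphabet (Bitcoin): digits and letters minus 0, O, I and l.
_B58 = r"[1-9A-HJ-NP-Za-km-z]"
# Bech32 charset used by bc1... addresses (no 1, b, i, o).
_BECH32 = r"[02-9ac-hj-np-z]"

PATTERNS = {
    # Ethereum private key: 32 random bytes shown as 64 hex digits, with or without 0x.
    "eth_private_key": re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$"),
    # Bitcoin private key in WIF: '5' + 50 base58 chars (uncompressed) or 'K'/'L' + 51 (compressed).
    "btc_private_key": re.compile(rf"^(?:5{_B58}{{50}}|[KL]{_B58}{{51}})$"),
    # Ethereum address: 0x + 20 bytes as 40 hex digits (EIP-55 checksum not verified here).
    "eth_address": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    # Bitcoin address: legacy/P2SH base58 (1... or 3...) or bech32 (bc1...); checksums not verified.
    "btc_address": re.compile(rf"^(?:[13]{_B58}{{25,34}}|bc1{_BECH32}{{11,71}})$"),
}


def looks_like_seed_phrase(text: str) -> bool:
    """Heuristic for a BIP39 recovery phrase: exactly 12 or 24 lowercase words of 3-8 letters.
    A production check would also require every word to be in the 2048-word BIP39 list."""
    words = text.split()
    return len(words) in (12, 24) and all(
        w.isalpha() and w.islower() and 3 <= len(w) <= 8 for w in words
    )


def classify(text: str):
    """Return the artefact kind found on the clipboard, or None."""
    text = text.strip()
    if looks_like_seed_phrase(text):
        return "seed_phrase"
    for kind, pattern in PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


class ClipboardGuard:
    """Defensive mirror of the clipper: remember what the user copied and flag a paste that
    is a different address of the same kind, which is exactly what a silent swap produces."""

    def __init__(self):
        self.last_copied = None  # (kind, value) of the last address the user copied
        self.alerts = []

    def on_copy(self, text: str):
        kind = classify(text)
        if kind in ("seed_phrase", "btc_private_key", "eth_private_key"):
            # A secret on the clipboard is exactly what the clipper harvests.
            self.alerts.append(("secret_on_clipboard", kind))
        if kind in ("btc_address", "eth_address"):
            self.last_copied = (kind, text.strip())
        return kind

    def on_paste(self, text: str):
        kind = classify(text)
        if self.last_copied and kind == self.last_copied[0] and text.strip() != self.last_copied[1]:
            self.alerts.append(("address_swapped", self.last_copied[1], text.strip()))
            return "address_swapped"
        return "ok"


def simulate_swap():
    """Constructed scenario: victim copies an address, the clipper replaces it, victim pastes."""
    victim = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"    # well-known Bitcoin genesis-block address
    attacker = "1Fz3pQ8xKb2wd7vM9rLtY5nJh4cGq6sVtX"  # constructed stand-in, not a real address
    guard = ClipboardGuard()
    guard.on_copy(victim)
    verdict = guard.on_paste(attacker)
    return verdict, guard.alerts


if __name__ == "__main__":
    print(simulate_swap())
```

The guard only needs the two clipboard events to see the swap, because the clipper cannot change what the user intended to copy, only what ends up pasted; that gap between copy and paste is the one observable the defender controls, and it is also the manual check the article's advice comes down to.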

The malware also takes screenshots and exfiltrates them over Tor, giving the attackers a view of wallet balances and user activity. Microsoft further stated that the malware supports remote code execution, letting the attackers push additional instructions, and that it persists through scheduled tasks and encrypts its malicious components.

Researchers identified several indicators of compromise, including suspicious JavaScript execution, proxy activity on localhost:9050, PowerShell-based screenshot capture, and clipboard monitoring behavior. Microsoft recommends that organizations disable auto-run features, restrict script interpreters and executable shortcuts launched from USB drives, and monitor for related suspicious activity. The campaign underscores that, as cryptocurrency use among investors and users keeps growing, their wallets remain an attractive target.
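As an added example, not Microsoft's detection logic and not real telemetry from the campaign, the Python below turns those indicators into rules over constructed Sysmon-style process-creation and network-connection events: a script host running JavaScript from a non-system drive, any process other than Tor Browser connecting to 127.0.0.1:9050, PowerShell calling Graphics.CopyFromScreen, PowerShell reading the clipboard, and a scheduled task created from a script host or PowerShell. Hosts tripping two or more rules are flagged. The field names, the allow-list for Tor Browser and the assumption that C: is the system drive are choices made here.

```python
"""Triage endpoint telemetry for the behaviours the article lists as indicators.

Added example: the events below are constructed to resemble Sysmon process-creation
(Event ID 1) and network-connection (Event ID 3) records; none is a real log from this
campaign, and the rules are illustrative heuristics, not Microsoft's detections.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
# Drive-letter path to a .js/.jse file inside a command line.
SCRIPT_ARG = re.compile(r'([A-Za-z]):\\[^"\s]+\.jse?(?=["\s]|$)', re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_wsh_js_removable(ev):
    """Windows Script Host running JavaScript that lives off the system drive (assumed C:)."""
    if ev["type"] != "process" or _base(ev["Image"]) not in SCRIPT_HOSTS:
        return False
    drives = {m.group(1).upper() for m in SCRIPT_ARG.finditer(ev["CommandLine"])}
    return bool(drives) and "C" not in drives


def rule_tor_socks_localhost(ev):
    """Any process talking to the default Tor SOCKS listener, 127.0.0.1:9050, except Tor Browser."""
    return (ev["type"] == "network"
            and ev["DestinationIp"] in ("127.0.0.1", "::1")
            and ev["DestinationPort"] == 9050
            and "tor browser" not in ev["Image"].lower())  # assumption: allow-list the real client


def rule_ps_screenshot(ev):
    """PowerShell grabbing the screen through System.Drawing (Graphics.CopyFromScreen)."""
    return (ev["type"] == "process" and _base(ev["Image"]) in POWERSHELL
            and re.search(r"CopyFromScreen|System\.Drawing\.Bitmap", ev["CommandLine"], re.I) is not None)


def rule_ps_clipboard(ev):
    """PowerShell reading the clipboard (Get-Clipboard or the WinForms Clipboard class)."""
    return (ev["type"] == "process" and _base(ev["Image"]) in POWERSHELL
            and re.search(r"Get-Clipboard|Clipboard\]::(?:Get|Set)Text", ev["CommandLine"], re.I) is not None)


def rule_schtasks_from_script(ev):
    """Scheduled task created by a script host or PowerShell rather than by an admin shell."""
    return (ev["type"] == "process" and _base(ev["Image"]) == "schtasks.exe"
            and "/create" in ev["CommandLine"].lower()
            and _base(ev.get("ParentImage", "")) in SCRIPT_HOSTS + POWERSHELL)


RULES = [rule_wsh_js_removable, rule_tor_socks_localhost, rule_ps_screenshot,
         rule_ps_clipboard, rule_schtasks_from_script]


def rule_hits(events):
    """Map each host to the set of rule names it triggered."""
    hits = defaultdict(set)
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits[ev["host"]].add(rule.__name__[len("rule_"):])
    return dict(hits)


def triage(events, threshold=2):
    """Hosts that trip at least `threshold` distinct rules; one rule alone (an admin reading
    the clipboard, say) is noise, the combination is the clipper's profile."""
    return {h: sorted(r) for h, r in rule_hits(events).items() if len(r) >= threshold}


# Constructed sample telemetry: WS-01 plays the infected host, WS-02 a clean one.
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B "E:\.system\update.js"'},
    {"host": "WS-01", "type": "network", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"host": "WS-01", "type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell.exe -w hidden -c "Add-Type -AssemblyName System.Drawing; $b = New-Object System.Drawing.Bitmap 1920,1080; [System.Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)"'},
    {"host": "WS-01", "type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'powershell.exe -w hidden -c "while ($true) { Get-Clipboard | Out-File -Append $env:TEMP\clip.txt; Start-Sleep 1 }"'},
    {"host": "WS-01", "type": "process", "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /Create /SC MINUTE /MO 5 /TN "UpdateCheck" /TR "wscript.exe //B E:\.system\update.js"'},
    {"host": "WS-02", "type": "network", "Image": r"C:\Users\alice\Desktop\Tor Browser\Browser\firefox.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"host": "WS-02", "type": "process", "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.js"'},
    {"host": "WS-02", "type": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -c "Get-Clipboard"'},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Single hits sit below the threshold on purpose: an administrator running Get-Clipboard or a Tor Browser user is not a clipper. A script host launched from a removable drive, local SOCKS traffic on 9050 and hidden-window PowerShell taking screenshots or polling the clipboard together are the profile the article describes, and that combination is what the threshold keys on.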


Tags: Blockchain, Crypto, Cryptocurrency, Malware, Microsoft, Wallet

Related questions

Q: What type of cyber attack did Microsoft identify in February 2026, and what does this malware specifically target?

A: Microsoft identified a crypto clipper attack. The malware targets cryptocurrency holders by hijacking their clipboards to steal sensitive wallet information, including recovery phrases, private keys, and wallet addresses.

Q: How does the described malware initially spread to systems, and what is its primary method of operation?

A: The malware initially spreads through malicious .lnk shortcut files distributed on USB drives. Its primary method of operation is clipboard hijacking, where it monitors the clipboard and swaps copied cryptocurrency wallet addresses for ones controlled by the attackers.

Q: What is unique about the command-and-control (C2) infrastructure of this malware campaign according to the article?

A: Unlike most malware, it does not require an installer or traditional, directly reachable control servers. Instead, it uses Windows Script Host and ActiveX to launch a packaged Tor proxy, establishes a SOCKS5 proxy on the infected computer, and connects to control servers running as Tor hidden services.

Q: Besides clipboard monitoring, what other malicious capabilities does this malware possess?

A: Beyond clipboard monitoring, the malware can take screenshots and send them over Tor connections, execute code sent remotely by the attackers, and maintain persistence on the infected system through scheduled tasks and encryption of its malicious components.

Q: What specific indicators of compromise (IoCs) and defensive measures does Microsoft recommend in response to this threat?

A: Indicators of compromise include suspicious JavaScript execution, proxy activity on localhost:9050, PowerShell-based screenshot capture, and clipboard monitoring behavior. Microsoft recommends disabling auto-run features, restricting script interpreters and executable shortcuts launched from USB drives, and monitoring for related suspicious activity.
