
Microsoft Discovers a USB Worm That Steals Crypto: Here’s What You Need to Know

If you’ve ever plugged a USB drive into a public computer, a colleague’s laptop, or even a printer at a cyber café, this one is for you. Microsoft Threat Intelligence and Microsoft Defender Experts recently uncovered a dangerous Windows-based cryptocurrency clipper that spreads through USB drives and swaps out your cryptocurrency wallet addresses before you even realise what happened. It’s called Trojan:Win32/CryptoBandits.A, and it’s been quietly operating since at least February 2026.

For anyone in Nigeria or across Africa who buys, sells, or stores crypto, this is the kind of attack that can wipe out a wallet in seconds.

How the Clipboard Hijacking Works

Here’s what makes this malware clever and genuinely unsettling. When you plug in an infected USB drive, nothing looks wrong. You see your usual files: Word documents, Excel sheets, and PDFs. But those files have been secretly replaced. The originals are hidden, and in their place are Windows shortcut files (.lnk files) that look identical. The moment you double-click one of those fake files, the malware runs. From there, it does two things at once. It hides your original files and creates disguised shortcuts in their place. And it copies itself onto any new USB drive you plug into that same computer, ready to spread further.
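As an added illustration (not from Microsoft’s report, and the listing below is constructed), a small triage script that looks for the on-disk pattern just described: a .lnk shortcut sitting next to a hidden original with the same name. `scan_directory` reads a real folder such as a mounted USB drive; `find_disguised_shortcuts` does the matching.

```python
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    name: str
    hidden: bool


def find_disguised_shortcuts(entries):
    """Return (shortcut, hidden_original) pairs: a .lnk whose name mirrors a
    hidden file in the same folder, the layout the worm leaves behind."""
    hidden = {e.name.lower(): e.name for e in entries
              if e.hidden and not e.name.lower().endswith(".lnk")}
    findings = []
    for e in entries:
        if not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()          # "Report.docx.lnk" -> "report.docx"
        match = hidden.get(stem)            # exact shadow of the hidden name
        if match is None:                   # "Budget.lnk" shadowing "Budget.xlsx"
            for key, original in hidden.items():
                if key.rsplit(".", 1)[0] == stem:
                    match = original
                    break
        if match is not None:
            findings.append((e.name, match))
    return findings


def scan_directory(path):
    """Read a real folder (e.g. a mounted USB drive) into Entry objects.
    Hidden = Windows hidden attribute; dot-prefixed names count on other OSes."""
    flag = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
    out = []
    with os.scandir(path) as it:
        for d in it:
            attrs = getattr(d.stat(), "st_file_attributes", 0)
            out.append(Entry(d.name, bool(attrs & flag) or d.name.startswith(".")))
    return out


# Constructed listing of an infected drive (sample names, not IoCs from the report).
SAMPLE_DRIVE = [
    Entry("Report.docx", True), Entry("Report.docx.lnk", False),
    Entry("Budget.xlsx", True), Entry("Budget.lnk", False),
    Entry("notes.txt", False), Entry("Setup.lnk", False),
]
```

Run `find_disguised_shortcuts(scan_directory("E:\\"))` on a drive you are checking; a lone shortcut like `Setup.lnk` with no hidden twin is not flagged.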

This is where it gets more dangerous. Once CryptoBandits is running on your system, it monitors your clipboard, the temporary memory your computer uses whenever you copy something. Specifically, it watches for cryptocurrency wallet addresses. When you copy a wallet address to send crypto to someone, the malware intercepts it. Before you paste, it swaps your copied address with the attacker’s wallet address. You paste what you think is the right address, confirm the transaction, and your crypto goes somewhere you never intended.

The malware currently targets six cryptocurrencies. Microsoft hasn’t published the full list publicly, but major coins and tokens are included. Seed phrases, those 12 or 24 words used to recover a crypto wallet, are also being monitored and stolen. This type of attack is called clipboard hijacking. It is not new, but this version is more advanced because of how it hides.

How the Tor Connection Works and Why This Is Harder to Catch

Most malware sends stolen data back to a server. Security tools catch it by watching for unusual outgoing connections. CryptoBandits bypasses this by routing its communication through a portable Tor client it installs on the infected machine.

Tor is a legitimate privacy tool used by journalists, activists, and people in countries with internet restrictions. But it also makes network traffic very difficult to trace. The malware essentially builds its own secret tunnel and uses it to send your stolen wallet addresses and seed phrases to the attackers, without triggering typical security alerts. The “portable” part matters too. It doesn’t install Tor the normal way. It runs quietly in the background, leaving a smaller footprint.

In many parts of Nigeria and across Africa, USB drives get shared constantly. Flash drives move between computers at work, at school, at business centers, and at home, which is exactly the environment this malware was designed to exploit.

At the same time, crypto adoption across Africa has been growing fast. People use it for savings, for cross-border payments, and for freelance income from international clients. That makes African crypto holders a valuable target, even if this particular campaign wasn’t specifically aimed at the continent. The combination of shared USB culture and increasing crypto usage creates a real exposure risk.

What Should You Do to Protect Yourself?

  1. Stop sharing USB drives casually. If you must use a drive that’s been in another machine, scan it before opening anything. Better yet, use cloud storage for file transfers wherever possible.
  2. Never copy-paste a wallet address without verifying it. After pasting a wallet address, compare the first four and last four characters with the original. Manually. Every time. This single habit is the most reliable way to catch clipboard hijacking.
  3. Use hardware wallets or dedicated devices. If your crypto amounts are significant, managing them on a dedicated device that doesn’t browse the web or accept USB drives reduces your risk considerably.
  4. Keep your antivirus updated. Microsoft Defender now detects CryptoBandits.A. If you’re on Windows and your updates are current, you have some protection. But don’t rely on that alone.
  5. Be skeptical of files on USB drives. Even if a drive belongs to someone you trust, their machine may already be compromised without them knowing.
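An added detector for the clipboard behaviour described earlier, together with the paste check from item 2 above (example code, not Microsoft’s tooling; the address patterns, sample addresses and clipboard timeline are constructed). It flags the clipper’s tell-tale move: one wallet address turning into a different address of the same coin within a fraction of a second.

```python
import re
from dataclasses import dataclass

# Address shapes for two widely used coins (constructed for this example; Microsoft
# has not published which six coins the clipper watches for).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[02-9ac-hj-np-z]{11,71})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def classify(text):
    """Return the coin whose address format `text` matches, or None."""
    text = text.strip()
    for coin, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return coin
    return None

@dataclass(frozen=True)
class ClipEvent:
    t: float        # seconds since monitoring started
    content: str    # clipboard text observed at that moment

def detect_swaps(events, window=2.0):
    """Flag a change where one address becomes a different address of the same coin
    within `window` seconds: people rarely copy two addresses that fast, clippers do."""
    alerts = []
    for prev, cur in zip(events, events[1:]):
        a, b = classify(prev.content), classify(cur.content)
        if a and a == b and prev.content.strip() != cur.content.strip() and cur.t - prev.t <= window:
            alerts.append({"coin": a, "t": cur.t,
                           "expected": prev.content.strip(), "seen": cur.content.strip()})
    return alerts

def verify_pasted(copied, pasted):
    """Compare every character of what you copied with what was pasted; the
    first-four/last-four eyeball check is the human shortcut for this."""
    return copied.strip() == pasted.strip()

# Constructed clipboard timeline (sample values, not addresses from the report).
USER_ETH = "0x" + "1" * 40        # recipient the user intended
ATTACKER_ETH = "0x" + "2" * 40    # address a clipper substituted
BTC_A = "1AbcDefGhiJkLmNoPqRsTuVwXyZ23456789"
BTC_B = "3QrStUvWxYzAbCdEfGhJkMnPqRsTuVwXyZ"
SAMPLE_EVENTS = [
    ClipEvent(10.0, USER_ETH),        # user copies the address
    ClipEvent(10.3, ATTACKER_ETH),    # rewritten 300 ms later: alert
    ClipEvent(50.0, "meeting at 3pm"),
    ClipEvent(80.0, BTC_A),
    ClipEvent(95.0, BTC_B),           # second address 15 s later, a human: no alert
]
```

Feed `detect_swaps` a list of `ClipEvent` snapshots taken by polling the clipboard; the 2-second window is a tunable assumption, not a figure from the report.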

The attack Microsoft found is not particularly sophisticated in concept, because clipboard hijacking has existed for years. What’s notable is how well it combines old tricks (USB spreading, file disguising, clipboard monitoring, and Tor routing) into something hard to detect and easy to fall for. It also points to something broader. As crypto becomes more common in everyday life, the attacks targeting it are becoming more creative. Wallet security isn’t just about choosing a strong password. It’s about every step between you deciding to send crypto and that transaction actually going through.

Your crypto wallet is only as safe as the habits around it. The technology exists to steal from you quietly, and the people behind CryptoBandits.A have been doing exactly that for months.

Take five minutes today to check whether your Windows Defender is up to date, review how you transfer files between devices, and share this with one person in your network who holds crypto. The simplest safety habits are the ones that actually get used.
