Microsoft Finds New Worm That Spreads via USB and Steals Crypto Through Tor

Microsoft has discovered a new self-propagating worm that spreads through USB drives, hunts for cryptocurrency credentials, and sends stolen data to attackers through the Tor network.

They’re calling it Crypto Clipper — and it’s more sophisticated than your average clipboard stealer.

Here’s how it works: once it lands on a machine, the malware monitors your clipboard for anything that looks like a crypto wallet address or seed phrase. When it finds a match, it swaps the address with the attacker’s — so if you’re copying a wallet address to send funds, you’re unknowingly sending them to the wrong place. It also grabs five screenshots over a 10-second window, giving the attacker visual context about what you were doing.
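The clipboard-substitution step described above is the part a defender can actually check for. The following is an added example, not code from Microsoft's report or from the malware: it classifies clipboard text as a wallet address by format (the regexes are illustrative patterns for BTC legacy, BTC bech32 and ETH addresses, not Microsoft's detection signatures), replays a constructed sequence of clipboard snapshots, and flags the case where one address is replaced by a different address of the same kind within a couple of seconds with no observed user copy action. The event source field, the two-second window and the sample addresses are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Illustrative address-format patterns (assumption: a clipper targets these three formats).
# They check shape only, not checksums; a real check would validate bech32/base58 checksums too.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{25,62}$"),  # bech32 charset has no 1, b, i, o
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def classify_address(text: str):
    """Return the address kind the text looks like, or None if it is not an address."""
    s = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(s):
            return name
    return None


@dataclass(frozen=True)
class ClipboardEvent:
    t: float        # seconds since monitoring started
    content: str    # clipboard text at that moment
    source: str     # "user" if a copy action was observed, "unknown" otherwise


def detect_clipboard_swaps(events, window: float = 2.0):
    """Flag snapshots where a wallet address was replaced by a different address of the
    same kind within `window` seconds and without an observed user copy action.
    That pattern is what a clipper produces; a user pasting a second address they copied
    themselves is not flagged."""
    alerts = []
    prev = None
    for ev in events:
        kind = classify_address(ev.content)
        if prev is not None:
            prev_kind = classify_address(prev.content)
            swapped = (
                kind is not None
                and prev_kind == kind
                and ev.content.strip() != prev.content.strip()
                and ev.t - prev.t <= window
                and ev.source != "user"
            )
            if swapped:
                alerts.append({
                    "t": ev.t,
                    "kind": kind,
                    "expected": prev.content.strip(),
                    "found": ev.content.strip(),
                })
        prev = ev
    return alerts


def verify_before_send(intended: str, clipboard: str) -> bool:
    """The manual check the article recommends: the address about to be pasted must
    be exactly the one the user meant to send to."""
    return intended.strip() == clipboard.strip()


# Constructed sample data (not real wallets, not from the report).
ETH_A = "0x" + "ab" * 20          # address the user copied
ETH_B = "0x" + "cd" * 20          # address that silently replaced it
BTC_A = "bc1q" + "z" * 36         # bech32-shaped, checksum not valid
BTC_B = "bc1q" + "x" * 36

SAMPLE_EVENTS = [
    ClipboardEvent(0.0, "meeting notes", "user"),
    ClipboardEvent(1.0, ETH_A, "user"),
    ClipboardEvent(1.5, ETH_B, "unknown"),   # replaced half a second later, no copy action
    ClipboardEvent(10.0, BTC_A, "user"),
    ClipboardEvent(30.0, BTC_B, "user"),     # user deliberately copied another address
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{alert['t']:.1f}s] {alert['kind']} address swapped: "
              f"{alert['expected']} -> {alert['found']}")
```

Run as a script it reports one swap, the ETH replacement at 1.5 s. The BTC change at 30 s is not flagged because a copy action was observed and it falls well outside the window; tightening or loosening that window is the main tuning knob if you adapt this to real clipboard telemetry.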

Both the stolen credentials and screenshots get routed through Tor using a SOCKS5 proxy, making it extremely difficult to trace the traffic back to the attacker.

What sets Crypto Clipper apart is its infrastructure — or lack of one. It doesn’t use a traditional installer or a standard command-and-control server with an exposed IP address. Instead, it deploys a portable Tor client on the infected machine and blends data theft with remote code execution. Microsoft calls it a “lightweight backdoor” that turns a financially motivated stealer into something more dangerous.

The worm propagates through USB drives, which means it can cross air gaps, spreading into networks that aren’t connected to the internet. That’s an old technique, but it still works, especially in environments where USB devices are shared freely.

Microsoft didn’t say how many systems have been affected or attribute the malware to any specific group. But the use of Tor for exfiltration and USB-based propagation suggests a deliberate effort to stay hidden and persistent.

If you’re handling crypto on machines that see USB drives from unknown sources, this is your reminder to check that the address on your clipboard is the one you actually copied before every transaction.