
Windows Malware Uses USB Drives to Steal Crypto Payments

1 min read · Malicious byte · Device safety

Microsoft and security researchers have identified a malware campaign that spreads through ordinary USB flash drives and targets people who use cryptocurrency. The malware travels via Windows shortcut files (files that end in .lnk) hidden on infected USB drives. When you plug in a compromised drive and click what looks like a normal folder or file, the malware silently installs itself on your computer.

Once installed, the malware runs quietly in the background and watches your clipboard — the temporary storage your computer uses when you copy and paste text. If it detects that you’ve copied a cryptocurrency wallet address, it instantly replaces that address with the attacker’s own address before you paste it. If you don’t notice the switch and send the payment, your cryptocurrency goes directly to the thieves. Microsoft’s analysis shows the attackers used an anonymous Tor-based network to hide their server, making it harder to shut down.

How to check if you’re affected

Affected versions include Windows 10 and Windows 11 — any Windows PC that has had a USB drive from an unknown source plugged into it recently.

To check your system: open Windows Security (search for it in the Start menu) and run a full scan. Windows Defender can detect this family of malware. If you recently plugged in a USB drive you received from someone else or found somewhere, run the scan immediately.

When sending cryptocurrency, always verify the wallet address character-by-character after pasting — look at the first 6 and last 6 characters especially. If the address changed between when you copied it and when you pasted it, do not send the payment and run a security scan right away.
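The two checks described above (noticing that the clipboard changed behind your back, and confirming the pasted address before you send) can be expressed as a small monitor. The following is an added example written for this article, not code from Microsoft's analysis or from the malware itself. It works on a constructed log of clipboard snapshots rather than reading the real clipboard, and the address patterns are deliberately loose assumptions for Bitcoin and Ethereum formats, not full validators. The swap detector flags the clipper's signature: one wallet address silently replaced by a different address of the same kind within a couple of seconds. The send-time check compares the whole string, which also catches look-alike addresses that share the same first and last characters.

```python
import re
from dataclasses import dataclass

# Loose shape checks for common wallet-address formats (assumption for this example,
# not a substitute for a wallet's own address validation).
ADDRESS_PATTERNS = {
    "bitcoin": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return 'bitcoin', 'ethereum', or None for text that does not look like an address."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class ClipboardSample:
    t: float     # seconds since monitoring started
    text: str    # clipboard contents at that moment


def find_swaps(samples, window=2.0):
    """Flag the clipper pattern: an address replaced by a different address of the
    same kind within `window` seconds. Returns (old, new, time) tuples."""
    swaps = []
    for prev, cur in zip(samples, samples[1:]):
        prev_kind, cur_kind = address_kind(prev.text), address_kind(cur.text)
        if (prev_kind is not None and prev_kind == cur_kind
                and prev.text.strip() != cur.text.strip()
                and cur.t - prev.t <= window):
            swaps.append((prev.text.strip(), cur.text.strip(), cur.t))
    return swaps


def verify_before_send(intended, pasted):
    """Full-string comparison of the address you meant to pay against what got pasted."""
    return intended.strip() == pasted.strip()


# Constructed clipboard history for the demonstration (placeholder addresses, not real ones).
SAMPLES = [
    ClipboardSample(0.0, "meeting notes for Tuesday"),
    ClipboardSample(10.0, "0x" + "a" * 40),     # user copies the merchant's address
    ClipboardSample(10.4, "0x" + "b" * 40),     # 400 ms later the clipboard holds a different address
    ClipboardSample(45.0, "bc1q" + "k" * 38),   # later, user copies a bitcoin address
    ClipboardSample(90.0, "bc1q" + "m" * 38),   # a different one 45 s later: outside the window, not flagged
]

if __name__ == "__main__":
    for old, new, t in find_swaps(SAMPLES):
        print(f"clipboard swap at t={t}s: {old} -> {new}")
    lookalike = "0xaaaa" + "b" * 32 + "aaaa"   # same first and last characters as the intended address
    print("lookalike accepted:", verify_before_send("0x" + "a" * 40, lookalike))
```

Running it reports the single swap at t=10.4 and prints `lookalike accepted: False`. A quick succession of two legitimate copies would also trip the window, so treat a flag as a prompt to re-check the address and scan the machine, not as proof on its own.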
