
Microsoft is warning crypto users that a compromised Windows PC can break self-custody before a transaction is signed. Its latest report describes CryptoBandits.A, malware active since February 2026 that spreads through malicious .lnk shortcut files on USB drives and then watches wallet activity on the infected machine.
According to Microsoft, the malware hides real files on removable storage, replaces them with lookalike shortcuts, and runs a worm payload when a user thinks they are opening a document. It drops obfuscated JavaScript in the public documents folder, sets scheduled tasks for persistence, and keeps spreading to newly inserted USB devices.
For wallet users, the main risk is clipboard and secret theft. Microsoft said CryptoBandits checks the clipboard about every 500 milliseconds for BIP39 seed phrases, private keys, and crypto addresses. It can store or exfiltrate wallet secrets through Tor, and it can replace copied recipient addresses with attacker-controlled ones. The report says some replacements are designed to look similar, including certain Bitcoin, Tron, and Monero address formats.
Microsoft's guidance is practical: disable AutoRun or AutoPlay where possible, block shortcut execution from removable drives, limit script hosts, and verify the full destination address on a trusted display. Hardware wallets still help protect signing keys, but they do not make an infected computer's clipboard safe.
◆ Source
Originally published by CryptoSlate on June 22, 2026.
◆ Build with us
Every event, verified and scored. One API call away.




