USB Shortcuts Turn Into Crypto Wallet Thieves
Mon Jun 22 2026
A new type of malware called CryptoBandits.A tricks users into opening a document from a USB stick, but the shortcut actually runs harmful code. The program hides itself by copying common file names like .doc or .pdf and turning them into links that launch the worm. Once active, it watches the clipboard every half‑second for any crypto secret or address that a user might copy. If it spots a 12‑ or 24‑word seed phrase, private key, or wallet address, it can save the data and send it out through Tor, or replace a copied address with one that leads to an attacker. The malware also takes screenshots of wallet screens and can keep running on the machine using scheduled tasks, making it hard to notice.
The danger is that even if you use a hardware wallet for signing, the computer that copies or pastes addresses can still be compromised. A user might copy a deposit address from an exchange, paste it into the wallet software on an infected PC, and have the malware change the address before the transaction is confirmed. This means that a single insecure endpoint can expose both the private keys and the destination of funds, allowing thieves to hijack transactions before they hit the blockchain.
To protect against this threat, experts recommend disabling AutoRun and AutoPlay for USB drives, blocking .lnk files from running on removable media, limiting the use of script hosts like wscript.exe and cscript.exe, and monitoring for unusual clipboard activity or local SOCKS5 proxy traffic. Hardware wallets should be used only on machines that are strictly dedicated to signing, and any device that handles wallet operations should avoid opening unknown shortcuts or executing scripts from external media. Regular checks for hidden scheduled tasks and unexpected network connections can help spot the malware early.
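As an added illustration (not code from the article or from any vendor), the sketch below triages a mounted USB drive for the disguise described above: real shortcut files whose names end in a document extension (Explorer hides the trailing .lnk) or whose contents mention wscript.exe or cscript.exe. The function names are hypothetical, the byte search is a heuristic rather than a full shortcut parser, and the sample files are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTS = (".doc", ".pdf")                    # disguises named in the article
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # script hosts named in the article

def inspect_shortcut(path):
    """Return the reasons a .lnk file looks like a disguised launcher."""
    data = Path(path).read_bytes()
    if not data.startswith(LNK_MAGIC):
        return []                              # not a real shell link
    reasons = []
    if Path(path).stem.lower().endswith(DOC_EXTS):
        reasons.append("document-style name on a shortcut")
    lowered = data.lower()                     # strings may be ANSI or UTF-16LE
    for host in SCRIPT_HOSTS:
        if host.encode("ascii") in lowered or host.encode("utf-16-le") in lowered:
            reasons.append(f"references {host}")
    return reasons

def scan_drive(root):
    """Walk a mounted removable drive; return {path: reasons} for flagged shortcuts."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(".lnk")):
            full = os.path.join(dirpath, name)
            try:
                reasons = inspect_shortcut(full)
            except OSError:
                continue                       # unreadable file: skip, keep scanning
            if reasons:
                findings[full] = reasons
    return findings

def build_sample_drive(root):
    """Constructed sample data: minimal fake shortcut bodies, not real samples."""
    header = LNK_MAGIC + b"\x00" * 56          # zero-filled to the 76-byte header size
    host = "C:\\Windows\\System32\\WScript.exe".encode("utf-16-le")
    Path(root, "invoice.pdf.lnk").write_bytes(header + host)
    Path(root, "notes.lnk").write_bytes(header + b"C:\\Windows\\notepad.exe")
    Path(root, "fake.doc.lnk").write_bytes(b"plain text, not a shortcut")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as drive:
        build_sample_drive(drive)
        print(scan_drive(drive))
```

A flagged shortcut is a lead for manual review, not proof of infection; a clean result does not rule out shortcuts that use other names or launchers.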
https://localnews.ai/article/usb-shortcuts-turn-into-crypto-wallet-thieves-c0645d9c