Microsoft’s Threat Intelligence team has identified a sophisticated new malware strain that spreads via USB drives and silently drains cryptocurrency wallets, the company warned in a detailed security advisory published Friday, urging users and organizations to review their endpoint security settings immediately.
The malware, which Microsoft has named CryptoBandits, has been active since at least February and has been confirmed in attacks across 14 countries, with the highest concentrations in the United States, Germany, South Korea, and Brazil. Microsoft estimates the malware has resulted in the theft of more than $45 million in cryptocurrency assets from individual and institutional victims.
CryptoBandits spreads through infected USB drives, exploiting a vulnerability in how Windows processes certain file types when a drive is connected. Once a USB device carrying the malware is plugged into a computer, the software installs itself silently in the background without requiring the user to open or execute any file. This characteristic makes it unusual among credential-stealing malware, which typically requires a user to click on a malicious link or attachment.
After installation, CryptoBandits monitors clipboard activity and replaces any cryptocurrency wallet address copied by the user with an attacker-controlled address. This means a victim who intends to transfer funds to a trusted wallet instead sends them to the attacker’s address without realizing the substitution occurred. The malware is designed to match the address format precisely, including length and prefix, making the swap difficult to notice at a glance.
The malware also performs a secondary function, scanning the infected system for wallet software, browser extensions used to access Web3 applications, and locally stored wallet seed phrases. If found, this data is exfiltrated to a command-and-control server within 60 seconds of discovery.
Microsoft said CryptoBandits had evaded detection by major antivirus engines for several months because it used fileless techniques, operating largely within system memory rather than writing recognizable executable files to disk. The company said it had worked with antivirus vendors to update signature databases and that most major security products could now detect the threat.
The company recommended that organizations disable AutoRun for USB drives through Group Policy, restrict USB port access on corporate devices, and enable Microsoft Defender’s tamper protection. Individual users were advised to verify cryptocurrency wallet addresses character by character before confirming any transaction, rather than relying on a visual spot-check of the first and last few characters. Recent cryptocurrency phishing campaigns had already conditioned many users to check URLs carefully, but clipboard substitution attacks require a different kind of vigilance.
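The clipboard substitution described above, and the reason a first-and-last-characters glance is not enough, can be seen in a few lines of code. The block below is an added illustration written for this article; it is not Microsoft's, Mandiant's or any vendor's tooling, the wallet addresses are constructed placeholders, and the "clipboard" is a plain Python variable standing in for the OS clipboard. It shows a format-matched swap passing both a format check and a spot-check while failing a full comparison, and a copy-time digest that flags the change at paste time.

```python
"""Added example (not from the advisory or any vendor): why a spot-check
misses a format-matched clipboard swap, and how a copy-time record catches it.
All addresses below are constructed placeholders, not real wallets."""
import hashlib
import re

# Constructed sample addresses. The swapped one deliberately keeps the same
# length, the same first six characters and the same last four characters as
# the intended one, mirroring the format-matching behaviour described above.
INTENDED = "0xab12cd34ef5600112233445566778899aabb9f7e"
SWAPPED = "0xab12cd34ef56deadbeefcafe1234567890ab9f7e"

ETH_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")


def looks_like_eth_address(text: str) -> bool:
    """Format-only check: both the intended and the swapped address pass it."""
    return ETH_ADDRESS_RE.match(text) is not None


def spot_check(expected: str, candidate: str, head: int = 6, tail: int = 4) -> bool:
    """The visual 'glance' check: same length, same leading and trailing chars."""
    return (
        len(expected) == len(candidate)
        and expected[:head] == candidate[:head]
        and expected[-tail:] == candidate[-tail:]
    )


def full_check(expected: str, candidate: str) -> bool:
    """Character-by-character comparison; any single differing position fails."""
    return len(expected) == len(candidate) and all(
        a == b for a, b in zip(expected, candidate)
    )


def first_mismatch(expected: str, candidate: str) -> int:
    """Index of the first differing character, or -1 if the strings are identical."""
    for i, (a, b) in enumerate(zip(expected, candidate)):
        if a != b:
            return i
    if len(expected) != len(candidate):
        return min(len(expected), len(candidate))
    return -1


class ClipboardGuard:
    """Records a digest of what the user copied; at paste time compares the
    clipboard's current content against that record. Content that changed
    between copy and paste without user action is the substitution signal."""

    def __init__(self) -> None:
        self._expected_digest = None

    @staticmethod
    def _digest(text: str) -> str:
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def on_copy(self, text: str) -> None:
        self._expected_digest = self._digest(text)

    def verify_paste(self, clipboard_now: str) -> tuple:
        if self._expected_digest is None:
            return False, "no copy recorded"
        if self._digest(clipboard_now) == self._expected_digest:
            return True, "clipboard matches what was copied"
        return False, "clipboard content changed since copy"


def simulate_swap() -> dict:
    """Walk through copy -> (simulated malware swap) -> paste and collect results."""
    guard = ClipboardGuard()
    guard.on_copy(INTENDED)          # user copies the trusted address
    clipboard = SWAPPED              # simulated substitution by the malware
    ok, reason = guard.verify_paste(clipboard)
    return {
        "format_ok": looks_like_eth_address(clipboard),
        "spot_check_passes": spot_check(INTENDED, clipboard),
        "full_check_passes": full_check(INTENDED, clipboard),
        "first_mismatch_at": first_mismatch(INTENDED, clipboard),
        "guard_ok": ok,
        "guard_reason": reason,
    }


if __name__ == "__main__":
    for key, value in simulate_swap().items():
        print(f"{key}: {value}")
```

The digest comparison is the point of the guard: the user-facing "compare every character" advice and a tool-based check are the same test, and a format check or a glance at the ends gives no protection against a swap built to match them.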
Researchers at Kaspersky and Mandiant independently confirmed the existence of the malware and corroborated Microsoft’s technical description. Mandiant said it had observed CryptoBandits being distributed through counterfeit USB drives mailed to cryptocurrency company employees in what appeared to be targeted initial access operations, as well as through infected drives shared unknowingly in office environments.
The origin of the malware has not been formally attributed. Microsoft’s advisory noted similarities with techniques used by financially motivated threat actors based in Eastern Europe, but the company said it had not reached a definitive attribution conclusion. Microsoft’s security blog contains full indicators of compromise for security teams to use in their threat-hunting operations.
The FBI issued a complementary alert Friday recommending that anyone who had plugged an unfamiliar USB device into a computer in recent months run a full security scan and check their cryptocurrency transaction history for unauthorized transfers.