Microsoft Uncovers Self-Propagating USB Malware That Hijacks Crypto via Tor
Microsoft has disclosed a newly discovered malware family dubbed Crypto Clipper — a self-propagating backdoor that spreads via USB drives, silently intercepts cryptocurrency transactions, and routes its command-and-control traffic through the Tor anonymity network. The full technical writeup is covered by Ars Technica.
What Happened
Microsoft's security researchers identified a novel malware strain with two core capabilities: autonomous USB-based propagation and clipboard hijacking. When a victim copies a cryptocurrency wallet address, the malware silently replaces it with an attacker-controlled address at the moment of paste. The victim sees what looks like their intended destination; the transaction goes somewhere else entirely. Command-and-control communications route over Tor, making the traffic difficult to block or attribute.
The "self-propagating" label is what elevates this from a nuisance to a serious threat. USB drop attacks require a willing or unwitting insider to plug in a device — this malware skips that requirement by hopping from machine to machine across any USB mass storage device that touches an infected host.
Why It Matters
USB propagation is specifically designed to defeat network-perimeter defenses. Air-gapped or segmented networks that block inbound internet connections are not immune if a USB device crosses the boundary — and in enterprise environments, USB drives cross boundaries constantly: encrypted drives from executives, test hardware from vendors, USB charging cables with storage embedded.
The Tor C2 layer compounds the detection problem. Most corporate firewalls either don't inspect Tor traffic specifically or whitelist HTTPS broadly, which Tor exploits. Without endpoint visibility, this malware can maintain persistence and receive updated wallet addresses indefinitely.
Clipboard hijacking is particularly insidious because blockchain transactions are irreversible. Once a swapped-address transaction confirms, recovery is impossible. The attack window is the few seconds between copy and paste — a gap most users never think to verify.
What to Do Right Now
Immediate steps:
- Lock down USB autorun and autoplay on all Windows endpoints via Group Policy (Computer Configuration → Administrative Templates → Windows Components → AutoPlay Policies). Disable AutoPlay entirely for removable media.
- Audit Tor traffic at the network edge. If your firewall logs show connections to known Tor entry nodes or .onion-resolving DNS queries, investigate those hosts immediately. Consider a blanket block on the Tor exit/entry node IP list if Tor is not a legitimate business use.
- Force Microsoft Defender signature updates across your fleet now. Microsoft's own researchers found this, which means Defender definitions should already carry a detection signature — but only after endpoints pull the latest update.
- Restrict USB mass storage on high-value machines (finance systems, developer workstations with production secrets) via Device Manager policy or endpoint management tools like Intune or SCCM if operational requirements allow it.
- Notify anyone who handles cryptocurrency payments to treat clipboard-pasted wallet addresses as untrusted. Establish a secondary verification step — reading back the first and last four characters of a destination address against a known-good source before confirming any transaction.
- Search endpoint logs for anomalous clipboard-access API calls (OpenClipboard, SetClipboardData) from processes that have no business touching the clipboard — especially anything running from %TEMP%, %APPDATA%, or unsigned executables.
If you find an infected host, isolate it before pulling the USB device — the drive itself may already carry the payload and will reinfect if plugged into a clean machine.
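The clipboard-API hunt described in the last bullet, as an added example that is not part of the original post or of Microsoft's writeup: it scans JSON-lines endpoint events and flags OpenClipboard/SetClipboardData calls from binaries under %TEMP%, %APPDATA% or C:\Windows\Temp, or from unsigned binaries. The event schema (image, api, signed) and the sample log are constructed assumptions, not a specific EDR's format.

```python
import json
from typing import Optional

# Clipboard APIs named in the guidance above.
CLIPBOARD_APIS = {"OpenClipboard", "SetClipboardData"}

# Resolved, lower-cased forms of %TEMP%, %APPDATA% and the system temp dir.
STAGING_DIRS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\windows\\temp\\",
)


def is_staging_path(image: str) -> bool:
    """True when the executable lives under %TEMP%, %APPDATA% or C:\\Windows\\Temp."""
    return any(d in image.lower() for d in STAGING_DIRS)


def classify(event: dict) -> Optional[str]:
    """Return why a clipboard-API event is suspicious, or None if it is not."""
    if event.get("api") not in CLIPBOARD_APIS:
        return None  # not a clipboard call at all
    reasons = []
    if is_staging_path(event.get("image", "")):
        reasons.append("runs from temp/appdata")
    if not event.get("signed", False):
        reasons.append("unsigned")
    return "; ".join(reasons) or None


def scan(lines):
    """Parse JSON-lines events; return (image, api, reason) for every hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        reason = classify(ev)
        if reason:
            hits.append((ev["image"], ev["api"], reason))
    return hits


# Constructed sample log (assumed vendor-neutral field names).
SAMPLE_LOG = r"""
{"image": "C:\\Windows\\explorer.exe", "api": "OpenClipboard", "signed": true}
{"image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "api": "SetClipboardData", "signed": false}
{"image": "C:\\Users\\bob\\AppData\\Roaming\\upd\\updater.exe", "api": "OpenClipboard", "signed": true}
{"image": "C:\\Tools\\tool.exe", "api": "CreateFileW", "signed": false}
{"image": "C:\\Tools\\tool.exe", "api": "SetClipboardData", "signed": false}
"""

if __name__ == "__main__":
    for image, api, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{image}\t{api}\t{reason}")
```

Signed software running from %APPDATA% (several chat and updater clients do) will also surface, so treat the "runs from temp/appdata" hits as triage leads rather than verdicts.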
Synthesized by Claude · sanity-checked before publish.