Beware of USB worm threats that target cryptocurrency. Learn how to safeguard your funds. (Illustrative AI-generated image).
- A new USB worm spreads via infected drives, targeting crypto wallets.
- It steals crypto by swapping wallet addresses on your clipboard or by stealing private keys and seed phrases.
- The worm uses the Tor network to hide its communication, making it hard to detect and block.
- Anyone using a Windows computer with cryptocurrency is at risk, especially those who frequently use USB drives.
- Protect yourself by never plugging in unknown USBs, using a hardware wallet, and always double-checking wallet addresses.
- Keep your Windows updated, use reputable antivirus software, and disable USB autorun features.
You find a USB drive on the sidewalk. It looks harmless. You plug it into your computer to see what’s on it. Within seconds, a hidden program starts running. It copies your crypto wallet keys and sends them to a thief. By the time you unplug the drive, your savings are gone.
This is not a hypothetical story. It is happening right now. Security researchers have discovered a new type of malware that spreads through USB drives, targeting people who own cryptocurrency. This new USB worm is cleverer than the crypto-stealing malware that came before it.
What Is This USB Worm?
This malware is a worm. A worm is a program that copies itself from one computer to another without needing a person to click anything. In this case, it uses USB drives as its transport.
When you plug an infected USB drive into a Windows computer, the worm jumps onto your system. It does this through a Windows shortcut file. Shortcut files are the ones with a little arrow icon that point to another file or program. The worm hides inside these shortcut files. If you double-click the shortcut, thinking it is something else, the malware runs.
But the worm does not stop there. It looks for other USB drives connected to your computer. If you plug in a clean USB drive, the worm copies itself onto that drive too. Then that drive can infect the next computer. This is how it spreads from person to person, like a digital cold.
Microsoft first reported this threat in early 2025. The company said the malware is a “crypto clipper.” That is a type of malware that steals cryptocurrency by tampering with your clipboard.
How the Malware Steals Your Crypto
To understand how this works, imagine you want to send Bitcoin to a friend. You copy their wallet address from a message and paste it into your crypto app. The malware watches your clipboard. When it sees a crypto address, it swaps it with the attacker’s address. You paste, you send, and your money goes to the thief.
This trick is not new. But the USB worm adds a dangerous twist. It can also steal your wallet’s seed phrase or private key files stored on your computer. Seed phrases are the 12 or 24 words that let you recover your wallet. If the malware gets those words, the attacker can take everything.
The worm looks for files related to popular wallets like Bitcoin Core, Electrum, and others. It searches for common file names and folders. Once it finds them, it sends the data to the attacker’s server.
The stealing happens silently. You might not notice anything wrong until you check your balance later. By then, the money is gone.
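As an added example, not code from the article or from Microsoft's report, here is a small PowerShell clipboard guard that flags the swap behaviour just described: it polls the clipboard and warns when one address-shaped value is replaced by a different address of the same kind. The address patterns are approximate and the 250 ms polling interval is an assumption.

```powershell
# Added example (not from the article): a clipboard guard for the crypto-clipper
# behaviour described above. It polls the Windows clipboard and warns when a
# cryptocurrency-address-shaped value is replaced by a different address of the
# same kind, which is what a clipper does between your copy and your paste.
# The patterns are approximate (illustration only, not a validator).
$patterns = @{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'BTC-bech32' = '^bc1[a-z0-9]{39,59}$'
    'ETH'        = '^0x[a-fA-F0-9]{40}$'
}

# Return the kind of address the text looks like, or $null if it is not one.
function Get-AddressKind {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $null }
    $t = $Text.Trim()
    foreach ($kind in $patterns.Keys) {
        # -cmatch: case-sensitive, so base58/bech32 character rules are respected
        if ($t -cmatch $patterns[$kind]) { return $kind }
    }
    return $null
}

# $true when the previous clipboard value was an address and the new value is a
# different address of the same kind; anything else is a normal clipboard change.
function Test-AddressSwap {
    param([string]$Previous, [string]$Current)
    $prevKind = Get-AddressKind $Previous
    $curKind  = Get-AddressKind $Current
    return (($null -ne $prevKind) -and ($prevKind -eq $curKind) -and ($Previous.Trim() -ne $Current.Trim()))
}

# Main loop: poll every 250 ms (assumed interval) and warn on a suspected swap.
$last = Get-Clipboard -Raw
while ($true) {
    Start-Sleep -Milliseconds 250
    $now = Get-Clipboard -Raw
    if ($now -ne $last) {
        if (Test-AddressSwap -Previous $last -Current $now) {
            Write-Warning "Clipboard address changed from '$last' to '$now' - possible clipper. Do not paste; re-copy and compare."
        }
        $last = $now
    }
}
```

The guard also fires when you deliberately copy two different addresses in a row, so treat a warning as a prompt to re-check the address on screen rather than as proof of infection.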
Why Tor Makes It Hard to Stop
The people behind this worm are careful. They do not want to be caught. So they use the Tor network to hide their tracks.
Tor is a system that bounces internet traffic through multiple computers around the world. It makes it very hard to trace where the traffic came from. The malware talks to the attacker’s command and control server over Tor. That means security software and internet providers have a much harder time blocking the connection.
Tor also helps the malware stay hidden. Even if a security program detects something suspicious, it might not be able to see what the malware is doing. The attacker can send new commands or updates without being noticed.
This combination of USB spreading and Tor hiding makes the worm especially tricky to stop. Older crypto clippers used simple internet connections that could be blocked. This one is built to evade detection.
Who Is at Risk?
Anyone who uses a Windows computer and handles cryptocurrency is at risk. The worm does not care if you are a beginner or a veteran. It only needs one moment of carelessness.
People who use USB drives often are more exposed. This includes office workers, students, and anyone who shares files on public computers. If you plug a USB drive into a computer at a library, internet cafe, or coworking space, you could pick up the worm.
The malware targets all types of cryptocurrency wallets that store keys on your computer. That includes software wallets like Exodus, Electrum, and MetaMask (if you use the browser extension on that computer). Hardware wallets like Ledger or Trezor are safer because they keep keys offline. But if you use a hardware wallet with a computer that has the worm, it could still intercept a transaction address you copy.
There are no confirmed reports of victims losing money to this specific worm yet. But security experts say it is only a matter of time. The worm is active and spreading.
How to Protect Yourself
The good news is that you can take simple steps to stay safe. You do not need to be a computer expert.
First, never plug an unknown USB drive into your computer. If you find one on the ground, throw it away. Do not connect it out of curiosity. The risk is not worth it.
Second, use a hardware wallet for your main crypto savings. Hardware wallets keep your private keys offline. Even if your computer gets infected, the thief cannot take the coins from the hardware device. You can still use it to sign transactions safely.
Third, always double-check the wallet address you are sending to. Before you hit send, look at the full address on your screen and make sure it matches the one you copied. Malware can change the address in the clipboard, but it cannot change what you see on your screen if you check carefully.
Fourth, keep your Windows computer updated. Microsoft releases security patches that can block known shortcut file tricks. Run Windows Update regularly.
Fifth, use good antivirus software. Many security programs can detect this worm. But because it uses Tor, some might miss it. Choose a reputable antivirus that updates its definitions often.
Sixth, disable the autorun feature on Windows. This prevents programs from starting automatically when you plug in a USB drive. You can find this setting in the Control Panel under AutoPlay.
Seventh, be careful about where you plug your USB drives. If you use a shared computer, scan your USB drive with antivirus before opening any files.
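The AutoPlay setting from the sixth step and the shortcut-file scan from the seventh, as an added PowerShell example that is not from the article: it sets the standard Explorer policy value that turns off AutoRun for every drive type, then lists each shortcut on removable drives with its real target, read through the WScript.Shell COM object without opening the shortcut. The list of script interpreters worth flagging is my own choice.

```powershell
# Added example (not from the article): hardening and a check for the USB-related steps.
# Run in an elevated PowerShell session; the policy key is machine-wide.

# 1) Turn off AutoRun/AutoPlay for all drive types (0xFF) via the Explorer policy key.
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
New-ItemProperty -Path $policy -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null

# 2) List every shortcut (.lnk) on removable drives (DriveType 2) and resolve its real
#    target. CreateShortcut reads the .lnk file; it does not run what the file points to.
#    A shortcut that claims to be a document but targets one of these interpreters is
#    worth a second look (interpreter list is my choice, not from the article).
$interpreters = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')
$shell = New-Object -ComObject WScript.Shell

Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = "$($_.DeviceID)\"
    # -Force includes hidden files, which is where unwanted shortcuts tend to sit
    Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk    = $shell.CreateShortcut($_.FullName)
        $target = $lnk.TargetPath
        $exe    = if ($target) { (Split-Path -Path $target -Leaf).ToLower() } else { '' }
        [pscustomobject]@{
            Shortcut  = $_.FullName
            Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Target    = $target
            Arguments = $lnk.Arguments
            Verdict   = if ($interpreters -contains $exe) { 'SUSPICIOUS - do not open' } else { 'ok' }
        }
    }
} | Format-Table -AutoSize
```

A shortcut marked SUSPICIOUS is a reason to scan the drive with your antivirus and not to double-click anything on it; the listing alone does not prove infection.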
What Security Experts Say
Microsoft’s security team published a detailed report about this worm. They called it a “crypto clipper” with “worm-like propagation for persistence and control.” They warned that it could spread quickly in environments where people share USB drives.
Other security researchers agree that this threat is serious but not unstoppable. The key is awareness. If people know how the worm works, they can avoid the trap.
What Happens Next
This USB worm is likely just the beginning. Cybercriminals are always looking for new ways to steal cryptocurrency. As more people use digital money, attacks will become more common.
We can expect to see more variants of this worm. Future versions might target different operating systems or use other tricks to spread. They might also try to steal from mobile wallets or browser extensions.
The best defense is education. Know the risks. Use safe practices. And never trust a random USB drive.
If you think your computer might be infected, disconnect it from the internet. Run a full antivirus scan. Change your wallet passwords and move your funds to a safe wallet. If you suspect you have lost money, report it to local authorities and the crypto platform you used.
Staying safe in crypto is about habits. The same way you lock your front door, you should protect your digital wallet. A little caution goes a long way.
Frequently Asked Questions
What is the new USB worm targeting crypto?
It's a type of malware that spreads through infected USB drives. It acts as a "crypto clipper," meaning it can alter your clipboard to swap legitimate cryptocurrency addresses with the attacker's. It can also steal sensitive wallet information like private keys and seed phrases directly from your computer.
How does the USB worm steal cryptocurrency?
When you copy a crypto wallet address, the worm intercepts it and replaces it with the attacker's address. If you don't notice the change, your funds will be sent to the thief. It also actively searches for and steals wallet files containing your private keys or seed phrases.
Why is the Tor network a problem for stopping this worm?
The attackers use the Tor network to communicate with their command and control servers. Tor bounces internet traffic through multiple relays, making it extremely difficult to trace the origin of the connection. This helps the malware evade detection and blocking by security software and internet providers.
Who is most at risk from this USB worm?
Anyone using a Windows computer who handles cryptocurrency is at risk. Users who frequently plug USB drives into different computers, especially public ones, are more likely to encounter an infected drive. While hardware wallets are safer, even they can be vulnerable if used with an infected computer.
What are the best ways to protect my crypto from this threat?
Never plug in unknown USB drives. Always use a hardware wallet for significant holdings. Meticulously double-check every crypto wallet address before sending funds. Keep your Windows operating system and antivirus software up to date.
Can antivirus software detect this USB worm?
Reputable antivirus software can often detect this worm. However, because it uses the Tor network for communication, some security programs might have difficulty identifying or blocking its malicious activities. It's crucial to use an antivirus that is regularly updated.
What should I do if I suspect my computer is infected?
Immediately disconnect your computer from the internet. Run a full scan with your antivirus software. If you have cryptocurrency, change all your wallet passwords and move your funds to a known secure wallet, preferably a hardware wallet. Report any suspected loss to authorities.