Microsoft security researchers have discovered an expanding malware campaign specifically targeting cryptocurrency users. Microsoft says the trojan, named Crypto Clipper, dates back to February 2026. Unlike common clipboard hijackers, this version can also steal sensitive information, take screenshots, and remotely execute code.
It can steal mnemonic phrases and private keys.
According to Microsoft, Crypto Clipper continuously monitors the clipboard of victims' devices, searching for high-value cryptocurrency data. Targets include 12-word and 24-word mnemonic phrases, Ethereum private keys, and Bitcoin wallet credentials.
Once relevant content is identified, the Trojan transmits the data through a Tor-based command and control infrastructure. It also captures device screens, helping attackers to obtain more information such as wallet interfaces and account balances.
Replaces the transfer address
Another key capability of this attack is replacing the wallet address a user has copied. Microsoft stated that the Trojan checks the address in the clipboard and changes it to a similar address controlled by the attacker, reducing the likelihood that the user will notice anything amiss when making a transfer.
- It has been confirmed that the Bitcoin network is involved.
- At the same time, Tron addresses are also targeted.
- It also covers Monero.
This means that if a user does not carefully verify the receiving address, their assets could be transferred to an attacker's wallet.
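A check a wallet or payment workflow can run before sending, shown as an added example that is not from Microsoft's report: compare the address the user copied with the one about to be used, and flag a same-network substitution. The regexes are coarse format heuristics assumed for this example (no checksum validation), and the sample addresses are constructed placeholders, not real wallets.

```python
import re

# Coarse format heuristics (assumptions for this example; no checksum validation).
B58 = "1-9A-HJ-NP-Za-km-z"
PATTERNS = {
    "bitcoin": re.compile(rf"^(bc1[02-9ac-hj-np-z]{{11,71}}|[13][{B58}]{{25,34}})$"),
    "tron": re.compile(rf"^T[{B58}]{{33}}$"),
    "monero": re.compile(rf"^[48][{B58}]{{94}}$"),
}

def classify(text):
    """Return the network whose address format the text resembles, or None."""
    s = text.strip()
    for name, pattern in PATTERNS.items():
        if pattern.match(s):
            return name
    return None

def shared_edges(a, b):
    """Return (common prefix length, common suffix length) of two strings."""
    limit = min(len(a), len(b))
    p = 0
    while p < limit and a[p] == b[p]:
        p += 1
    s = 0
    while s < limit - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return p, s

def check_paste(copied, pasted):
    """Compare the full copied value with the value about to be used."""
    copied, pasted = copied.strip(), pasted.strip()
    if copied == pasted:
        return {"verdict": "match"}
    prefix, suffix = shared_edges(copied, pasted)
    kind = classify(copied)
    # Same network, different value: the pattern a clipboard swap leaves behind.
    verdict = "address-swapped" if kind and kind == classify(pasted) else "changed"
    return {"verdict": verdict, "network": kind,
            "shared_prefix": prefix, "shared_suffix": suffix}

# Constructed placeholders: same first and last 4 characters, different middle.
COPIED = "TQx7" + "a" * 26 + "9kLm"
SWAPPED = "TQx7" + "b" * 26 + "9kLm"

if __name__ == "__main__":
    print(check_paste(COPIED, COPIED))
    print(check_paste(COPIED, SWAPPED))
```

The second result reports matching first and last characters on a different address, which is why the comparison has to cover the whole string rather than the ends a user typically glances at.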
Maintaining long-term control through Tor
Microsoft also noted the concerning method of propagation used in this campaign. Researchers discovered that the Trojan deployed a portable Tor client and communicated with attackers through a hidden service.
Building on this, attackers can not only steal clipboard content but also issue further instructions to infected devices, including executing arbitrary code. Microsoft believes that the combination of clipboard theft, screenshots, Tor communication, and remote task control allows attackers to quickly monetize their gains and maintain continuous control over compromised devices.
Additional information: Microsoft stated that these types of Trojans do not only target the money transfer process, but also directly collect mnemonic phrases and private keys. Once this information is leaked, attackers can bypass the original device and directly access the relevant wallet.












