USB Crypto Wallet Malware Spreads via Windows Shortcuts to Steal Keys

The main risk in this crypto wallet attack is not the wallet app itself but the path users take to move funds. Attackers use shortcut files on USB drives to install a worm on Windows PCs. Once active, it monitors the clipboard for private keys and wallet address patterns. When a user copies a destination address into an exchange or wallet, the malware can replace it with an attacker-controlled address.

USB shortcuts are the entry point

The flow has five steps: USB insertion, LNK shortcut execution, worm installation, clipboard monitoring, and address replacement. A file that looks like a document or folder can trigger a malicious install command. Because it behaves as a worm, it can spread to other USB drives connected to the same PC. No reliable infection count, stolen amount, or attacker-wallet count is fixed at this stage. Still, one exposed private key can put an entire wallet balance at risk, and one successful address swap can redirect the whole transfer.

Impact on Korean investors

Korean users often move between won-linked exchanges, personal wallets, and overseas DeFi services by copying addresses. That habit is exactly what clipboard hijacking targets. The won-denominated loss depends on coin amount, market price, and exchange rate at settlement. Domestic virtual-asset operators can strengthen monitoring, but an on-chain transfer signed from a personal wallet is technically and legally hard to reverse.

The last defense is verification

This threat is likely to persist in smaller repeated attacks against personal PCs and removable storage. Users should disable autorun, avoid unknown shortcuts, compare the full recipient address on a separate screen or hardware wallet, keep Windows patched, and never copy private keys to the clipboard.