CryptoBandits malware hijacks wallet addresses, crypto fraud hits $17B in 2025
In brief
- CryptoBandits malware replaces copied wallet addresses with attacker-controlled ones via USB drives
- Americans lost $11.37 billion to crypto fraud in 2025, a 22% increase year-over-year
- Global crypto fraud reached $17 billion in 2025, primarily targeting individual holders
- Scammers use browser extensions and fake tips to redirect funds without breaking blockchain security
The CryptoBandits Malware
Microsoft Defender flags the family as CryptoBandits. The malware extracts seed phrases and private keys from the clipboard and captures screenshots. It's designed to sit quietly, waiting for the moment you copy a wallet address. The instant it sees one, it replaces it with an attacker-controlled address—so the crypto you meant to send yourself lands with a stranger instead.
This isn't cryptography failing. It's user experience being hijacked. The blockchain remains secure. Your wallet's math is sound. But the address you're reading on screen isn't the one you think it is.
Fraud at Record Scale
The scale is staggering. In 2025, Americans reported $11.37 billion in losses from cryptocurrency fraud, a 22% increase from the year before, according to the FBI's annual Internet Crime Report. Nearly 18,600 victims each lost more than $100,000 in cryptocurrency fraud in 2025, with the average reported loss exceeding $62,000.
Worldwide, Chainalysis estimates that scams and fraud cost users up to $17 billion in 2025. PeckShield estimated 2025 exploit losses at roughly $2.67 billion, close to two-thirds of all crypto theft. Crypto fraud is having its biggest year on record, and a growing share of it targets individual holders rather than platforms.
How Scammers Redirect Your Funds
The attack vectors are simpler than most people think. A common scam pattern involves a tip about a flaw in a popular crypto service that supposedly allows unlocking a hidden bonus or claiming a larger discount. You download what looks like a helper tool. It's not.
Scammers use browser extensions and scripts that rewrite deposit addresses on legitimate websites to redirect funds to attacker wallets. Once that extension or script is running, it quietly rewrites the deposit address shown on the real website. You open the genuine service. You see a wallet address you trust. You send your funds. The blockchain confirms the transaction. But the address was rewritten on your screen before you copied it.
A few simple habits usually stop these attacks. Double-check addresses by visiting the official website directly (not through a link). Never run unverified tools or browser extensions. Copy-paste wallet addresses only from official sources. Keep your clipboard clear of sensitive data when you're not actively using it.
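The two mechanisms described above, a clipper swapping a copied address (the CryptoBandits section) and the "double-check the address" habit just listed, come down to one question: is the address now in the clipboard or paste field the same valid address that was there a moment ago? The following is an added example, not code from the article, from Microsoft, or from the malware itself. It assumes the clipboard is being polled into a list of timestamped snapshots (constructed here), recognises only legacy base58check Bitcoin and hex Ethereum addresses, and flags a wallet address that is replaced by a different address of the same kind within a short window. The `constructed_*_address` helpers derive sample addresses from labels; they are not real wallets.

```python
import hashlib
import re
from dataclasses import dataclass

# Address recognition (simplified: legacy/P2SH Bitcoin base58check and
# Ethereum hex addresses only; bech32 and other chains are out of scope).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_RE = re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}")
ETH_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def b58encode(raw: bytes) -> str:
    """Base58-encode bytes; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = ALPHABET[r] + digits
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + digits


def b58decode(text: str) -> bytes:
    """Inverse of b58encode; raises ValueError on a non-alphabet character."""
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + body


def base58check_encode(version: bytes, payload: bytes) -> str:
    data = version + payload
    check = hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]
    return b58encode(data + check)


def base58check_ok(addr: str) -> bool:
    """True if the trailing 4 bytes are the double-SHA256 checksum of the rest."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    data, check = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] == check


def classify(text: str):
    """Return (kind, address) if the clipboard text is a wallet address, else None."""
    s = text.strip()
    if ETH_RE.fullmatch(s):
        return ("eth", s)
    if BTC_RE.fullmatch(s) and base58check_ok(s):
        return ("btc", s)
    return None


# Constructed sample addresses, derived from labels; not real wallets.
def constructed_btc_address(label: bytes) -> str:
    return base58check_encode(b"\x00", hashlib.sha256(label).digest()[:20])


def constructed_eth_address(label: bytes) -> str:
    return "0x" + hashlib.sha256(label).hexdigest()[:40]


@dataclass
class Sample:
    t: float   # seconds since monitoring started
    text: str  # clipboard contents observed at that instant


def detect_swaps(samples, window: float = 2.0):
    """Flag a wallet address being replaced in the clipboard by a *different*
    address of the same kind within `window` seconds. A person rarely copies
    two addresses that quickly; a clipper substituting one does so instantly."""
    alerts = []
    prev = None  # (t, kind, address) of the last address seen
    for s in samples:
        cur = classify(s.text)
        if cur is None:  # non-address content breaks the chain
            prev = None
            continue
        kind, addr = cur
        if prev and prev[1] == kind and prev[2] != addr and s.t - prev[0] <= window:
            alerts.append({"t": s.t, "original": prev[2], "replaced_with": addr})
        prev = (s.t, kind, addr)
    return alerts


def demo_samples():
    """Constructed clipboard timeline: one instant BTC swap, one slow ETH change."""
    return [
        Sample(0.0, "meeting notes"),
        Sample(1.0, constructed_btc_address(b"victim")),
        Sample(1.1, constructed_btc_address(b"attacker")),  # swapped 0.1 s later
        Sample(5.0, constructed_eth_address(b"victim")),
        Sample(9.0, constructed_eth_address(b"attacker")),  # 4 s later: user action
        Sample(9.5, "meeting notes"),
    ]


if __name__ == "__main__":
    for a in detect_swaps(demo_samples()):
        print(f"t={a['t']}: {a['original']} -> {a['replaced_with']}")
```

Two points worth noticing. First, the substituted address passes `base58check_ok` just as the original did: the checksum catches typos, not substitution, so "double-checking" means comparing the whole pasted string against the one from the official source, not glancing at a few characters. Second, the detector only sees what it is fed; on a real machine the snapshots would come from a platform clipboard library polled at a fixed interval, and the window should be tuned to how fast the polling runs.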
Frequently asked questions
What is CryptoBandits malware and how does it steal crypto?
CryptoBandits is Windows malware that spreads on USB drives and monitors your clipboard. When you copy a wallet address, it instantly replaces it with one controlled by the attacker, so your cryptocurrency goes to the scammer instead. It also extracts seed phrases and private keys from the clipboard.
How big is the crypto fraud problem right now?
In 2025, Americans alone lost $11.37 billion to cryptocurrency fraud, up 22% from the previous year. Worldwide, scams cost users up to $17 billion. Nearly 18,600 victims each lost over $100,000, with average losses exceeding $62,000.
How do scammers redirect my funds without breaking blockchain security?
Scammers use browser extensions and scripts that rewrite deposit addresses on legitimate websites. The blockchain and cryptography remain secure, but the address shown on your screen gets replaced before you copy it. You send funds to the address displayed on your screen, which is actually the attacker's wallet.