Detect crypto scams that replace your wallet address
Microsoft warned on June 17, 2026 of CryptoBandits, Windows malware that monitors the clipboard and swaps copied crypto addresses. Scammers also use extensions and scripts to rewrite deposit addresses.
Microsoft’s threat intelligence team published an analysis on June 17, 2026 of a Windows malware family called CryptoBandits that monitors the clipboard and substitutes copied cryptocurrency addresses with attacker-controlled ones. The company described the malware as able to arrive on USB drives disguised as ordinary documents and to check the clipboard roughly twice a second. When it finds a wallet address, the malware replaces it with an address owned by the attacker. The same code can capture seed phrases and private keys from the clipboard and record the screen.
Microsoft noted that Defender flags the behavior as clipboard- and screen-stealing rather than a flaw in blockchain cryptography, since the malware alters what the user’s device shows at the moment of transfer rather than breaking cryptographic protections.
Security researchers and the authors of a consumer-safety guide by SimpleSwap and Cypherock described related scams that use browser extensions or short scripts to rewrite deposit addresses on otherwise legitimate sites. The scheme typically starts with an offer of extra value or a “secret” discount that asks the user to install an extension or run a code snippet. Once the code runs, it can swap the deposit address displayed on the genuine site so funds are sent to the attacker’s wallet. On-chain confirmations make those transactions irreversible.
Law enforcement and industry data show fraud targeting individuals grew in recent years. The FBI reported Americans lost $11.37 billion to cryptocurrency fraud in 2025, a 22% increase from 2024, with nearly 18,600 victims reporting losses above $100,000 and an average reported loss above $62,000. Chainalysis estimated global user losses from scams and fraud at up to $17 billion in 2025. Large platform exploits also accounted for significant value: PeckShield put 2025 exploit losses at roughly $2.67 billion.
Scammers use several recurring methods to trick users into approving transfers. Investment and romance scams build trust over days or weeks and direct victims to fake trading platforms that show fabricated gains. Impersonators create fake support accounts and compensation forms after real outages or breaches. Fake airdrops ask users to connect wallets and sign transactions that grant attackers permission to move assets later. Address poisoning involves sending a tiny transaction from an address that looks nearly identical to one the victim uses, increasing the chance the victim will copy the impostor address by mistake.
The SimpleSwap and Cypherock guide recommends specific habits to reduce risk. Stefan Lauer, head of infrastructure at SimpleSwap, advised: “Verify every deposit address inside the official app, and treat any hidden shortcut to extra value as a warning rather than a win.” The guide urges users not to install browser extensions or run scripts from unknown sources, to keep seed phrases and private keys off screens and out of chats, and to ignore unsolicited support messages that ask for wallet access.
Akhil Jonnavithula, director of business development at Cypherock, noted: “A hardware wallet keeps your private keys offline and confirms the real destination address and amount on its own screen, so a compromised browser can’t quietly swap the address.” The guide recommends pausing before approving transactions and verifying addresses inside official apps or on separate hardware devices as the final check against attacks that change what appears on the computer screen.








