A Windows crypto-clipper campaign is notable less for the theft itself than for the way it routes control through a local SOCKS5 proxy and Tor, reducing the value of simple IP-based hunting.
Microsoft says a Windows-based cryptocurrency clipper has been active since February 2026, and its design leans on built-in scripting, shortcut abuse, and Tor-hosted command infrastructure.
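Because the control traffic first lands on a loopback SOCKS5 listener, a hunt keyed on process relationships holds up better than one keyed on destination IPs. The sketch below is an added example, not code from Microsoft or from the campaign; the record fields, host and process names, port and addresses are all constructed, and the set of script hosts is an assumption to tune per environment.

```python
import ipaddress

# Assumption: interpreters treated as "built-in scripting" hosts in this estate.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample telemetry (hypothetical field names): a listening-socket
# inventory and connection events, as an EDR or host agent might export them.
LISTENERS = [
    {"host": "WS-01", "image": "helper.exe", "ip": "127.0.0.1", "port": 18080},
    {"host": "WS-02", "image": "devserver.exe", "ip": "127.0.0.1", "port": 8080},
]
CONNECTIONS = [
    {"host": "WS-01", "image": "powershell.exe", "dst_ip": "127.0.0.1", "dst_port": 18080},
    {"host": "WS-01", "image": "helper.exe", "dst_ip": "203.0.113.7", "dst_port": 443},
    {"host": "WS-02", "image": "chrome.exe", "dst_ip": "127.0.0.1", "dst_port": 8080},
    {"host": "WS-03", "image": "powershell.exe", "dst_ip": "198.51.100.9", "dst_port": 443},
]


def is_loopback(ip):
    return ipaddress.ip_address(ip).is_loopback


def hunt_local_relay(listeners, connections):
    """Flag script hosts talking to a loopback port owned by another process."""
    # Map (host, port) -> owning process for loopback-bound listeners only.
    owners = {(l["host"], l["port"]): l["image"].lower()
              for l in listeners if is_loopback(l["ip"])}
    # Collect each process's non-loopback destinations for triage context.
    egress = {}
    for c in connections:
        if not is_loopback(c["dst_ip"]):
            egress.setdefault((c["host"], c["image"].lower()), set()).add(c["dst_ip"])
    findings = []
    for c in connections:
        client = c["image"].lower()
        owner = owners.get((c["host"], c["dst_port"]))
        if (is_loopback(c["dst_ip"]) and client in SCRIPT_HOSTS
                and owner is not None and owner != client):
            findings.append({
                "host": c["host"], "client": client, "relay": owner,
                "port": c["dst_port"],
                # The relay's egress IPs are context, not the detection key.
                "relay_egress": sorted(egress.get((c["host"], owner), [])),
            })
    return findings


if __name__ == "__main__":
    for finding in hunt_local_relay(LISTENERS, CONNECTIONS):
        print(finding)
```

The browser talking to a local dev server and the script host connecting directly to an external address are both ignored; only the script-host-to-local-relay pairing is reported.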