Kaspersky Discloses OkoBot Malware Targeting Crypto Investors
Kaspersky has disclosed OkoBot, a modular malware framework built to drain cryptocurrency wallets, steal seed phrases, and harvest credentials, warning that the campaign had already reached hundreds of victims across more than 25 countries and remained active as of mid-July 2026.

What Kaspersky disclosed about OkoBot
Kaspersky said on July 15, 2026 that OkoBot had already targeted hundreds of victims across over 25 countries and was still active at the time of publication, according to the security vendor. For related coverage, see North Korean Hackers Steal Millions Crypto By Faking Japanese Venture Capitalists And Banks.
The term “framework” is central to why this matters. OkoBot is not a single wallet-phishing script but a system that ties together multiple components, meaning defenders face a full endpoint-compromise toolkit with wallet theft as one module among many. For related coverage, see Hyperliquid Co-Founder Says Crypto Struggles to Attract Top Talent.
Kaspersky described OkoBot as a modular framework carrying more than 20 malicious payloads and implants used to steal wallets, seed phrases, credentials, and other data. That breadth separates it from opportunistic stealers that only scrape browser data. For related coverage, see Bank of America Appoints Head of Digital Assets and AI to Advance Crypto Strategy.
Kaspersky said currently available information does not allow attribution to any known crimeware actor with high confidence. According to unconfirmed reports referenced in the disclosure, the campaign may be linked to Russian-speaking threat actors, but that link is not established.
How OkoBot appears to target cryptocurrency investors
The framework spreads through ClickFix lures and malicious GitHub repositories, including one masquerading as SQL Server Management Studio while dropping a trojanized Audacity build, BleepingComputer reported. Those infection touchpoints put developers and power users squarely in scope.
Likely targets are holders who interact with hardware-wallet desktop software. The Hacker News reported that Kaspersky traced OkoBot activity on Windows back to April 2025 and that a component called SeedHunter injects fake recovery pages into Ledger and Trezor desktop software, per its coverage of the campaign.
SeedHunter specifically injects phishing pages into Trezor Suite, Ledger Wallet, and Ledger Live to trick users into re-entering their wallet recovery phrases. The mechanics of that wallet-phishing step are detailed in a closer look at how OkoBot targets mnemonic phrases.
What is confirmed by the disclosure is the targeting intent and the toolset. What remains framed as risk context is how any individual investor gets infected, which depends on their own download and browsing behavior.
Why OkoBot is a serious threat for the crypto sector
Crypto transfers are irreversible once broadcast on-chain, so a stolen seed phrase or a single tricked signature can move funds beyond recovery with no chargeback path. That is the core reason investor-targeted malware carries outsized consequences here.
OkoBot compounds that by reaching beyond wallets. BleepingComputer said an OkoSpyware module monitors 100 programs, while an MC Keylogger component can take screenshots every five minutes while capturing keystrokes and clipboard activity, giving operators exchange logins and two-factor prompts as well as wallet data.
Persistence is the differentiator that crypto-native coverage has largely skipped. Security outlets describe reverse-SSH access, a patched termsrv.dll, and an “Apple Sync” scheduled task used to reopen RDP, meaning an attacker can return to a cleaned-looking machine. The pattern of professionalized crypto theft echoes earlier cases where state-linked hackers stole millions by impersonating trusted parties.
How crypto investors can reduce exposure to OkoBot-style attacks
Device and browser hygiene comes first. Because OkoSpyware monitors Chromium-based browsers and OkoBot arrives through trojanized GitHub downloads, avoid running unsigned tools from unofficial repositories and keep endpoint protection current.
Wallet compartmentalization limits blast radius. Keeping minimal balances in hot wallets and reserving hardware wallets for larger holdings reduces what a single compromised session can drain, even before every technical indicator is public.
Verification habits close the phishing gap that SeedHunter exploits. A legitimate Ledger or Trezor app never asks a user to type a recovery phrase into a screen, so any prompt to re-enter a seed should be treated as an attack. Social-engineering lures spike around major events, as seen when crypto scams increased around the World Cup.
The backdrop is a cautious market. Bitcoin traded near $64,066 with the Fear and Greed Index at 25, or “Extreme Fear,” a sentiment climate in which panic-driven security mistakes are more likely.
FAQ about OkoBot and malware risks for crypto investors
What is OkoBot? It is a modular malware framework disclosed by Kaspersky, built from more than 20 payloads and implants that steal wallets, seed phrases, and credentials while surveilling infected machines.
Why are crypto investors being targeted? The framework carries dedicated modules such as SeedHunter that inject fake recovery pages into Ledger and Trezor software to capture wallet recovery phrases, making holders the primary payoff.
Can hardware wallets reduce risk? They help by keeping keys offline, but SeedHunter specifically targets hardware-wallet desktop apps with phishing overlays, so users must never enter a seed phrase into any on-screen prompt.
What should users do if they suspect infection? Move funds from potentially exposed hot wallets using a clean device, rotate exchange credentials and two-factor settings, and treat the machine as compromised given OkoBot’s documented persistence mechanisms.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.








