Crypto

Kaspersky uncovers OkoBot framework targeting crypto wallet users

Published

on

Global cybersecurity firm Kaspersky has identified a malware framework called OkoBot that targets crypto users by stealing wallet seed phrases, credentials and other sensitive data through a collection of more than 20 malicious components.

The campaign, first identified in January 2026, has compromised hundreds of victims across more than 25 countries, with Brazil, Vietnam, Canada, Mexico and Türkiye among the most affected.

During the investigation, researchers found that attackers distribute the malware through ClickFix social engineering schemes and fake software downloads hosted on GitHub, allowing the framework to infect devices and deploy additional malware, including the Rilide browser stealer.

The framework consists of more than 20 payloads capable of stealing crypto wallets, harvesting credentials, recording video, downloading malicious browser extensions and executing remote commands.

Among OkoBot’s components are TookPS, which exfiltrates wallet seed phrases, OkoSpyware, which monitors Chromium-based browsers and records user activity, and SeedHunter, which injects malicious code into Trezor and Ledger wallet software to display phishing pages requesting recovery phrases.

Advertisement

Kaspersky said the campaign is still active and while its operators have not been identified, its techniques and code artifacts suggest links to Russian-speaking cybercriminals.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Trending

Exit mobile version