OkoBot Malware Uses 20 Modules to Steal Bitcoin Wallet Seed Phrases
BTC/USDT
$5,178,444,149.53
$64,669.50 / $63,884.35
Change: $785.15 (1.23%)
+0.0018%
Longs pay
AI SummaryAI
- Kaspersky exposed OkoBot, a malware framework of roughly 20 modules stealing crypto wallet recovery phrases across Brazil, Vietnam, Canada, Mexico and Turkey.
- The SeedHunter module displays fake Ledger and Trezor recovery screens to capture 12- or 24-word seed phrases.
- OkoBot evolved from the 2025 TookPS campaign and routes all 20 payloads through a single SSH tunnel, with attacks confirmed since January 2026.
- SlowMist flagged fake LinkedIn recruiter lures that send Web3 developers malicious GitHub repositories deploying a remote access trojan.
This summary was AI-generated, AI-reviewed and published under COINOTAG editorial oversight.
Crypto News
Kaspersky has exposed OkoBot, a year-old malware framework built from roughly 20 separate modules engineered to steal cryptocurrency wallet recovery phrases. Our reading of the disclosure shows the operation has already compromised users across at least five countries — Brazil, Vietnam, Canada, Mexico and Turkey — while its operators deliberately blocked IP addresses from Russia and other Commonwealth of Independent States nations. The modular design lets attackers harvest wallet files, browser data and login credentials from a single infected machine. Because seed phrases unlock full control of a wallet, victims face near-total loss: blockchain transfers are irreversible, leaving almost no path to recover stolen funds.
The infection chain begins with social engineering rather than a software flaw. OkoBot is distributed through GitHub repositories disguised as legitimate tools, including a counterfeit build of Microsoft SQL Server Management Studio. Kaspersky documented heavy use of the ClickFix technique, a method that presents fake error messages, verification prompts or repair instructions and tricks victims into pasting malicious commands into their own terminals. Following those steps silently installs the backdoor. The approach sidesteps traditional defenses because the user, not an exploit, executes the payload — a pattern security teams increasingly see aimed at holders of Bitcoin and other altcoins.
At the core of the theft sits SeedHunter, a module that renders a fake recovery interface mimicking hardware wallets such as Ledger and Trezor. When a user types a 12- or 24-word recovery phrase into the fraudulent screen, the data is transmitted straight to the operators, who can then reconstruct the wallet and drain it. The tactic specifically targets the one secret that hardware wallets are designed to keep offline. For anyone securing a self-custody crypto wallet, the lesson is direct: a genuine device never asks you to retype a seed phrase into a desktop window.
Two additional modules widen the surveillance. MC Keylogger records keystrokes and monitors clipboard activity, capturing passwords and copied wallet addresses in real time, while OkoSpyware tracks wallet passwords and even records video of open windows to observe a victim's activity. Together they defeat the copy-paste habits many traders assume are safe, and they can quietly intercept credentials for exchange accounts or an automated AI trading bot running on the same device. The framework's ability to pull several data types from one host means a single careless install can expose an entire portfolio, not merely one wallet or login.
OkoBot did not appear from nowhere. Kaspersky traced it to TookPS, a 2025 campaign that pushed a Trojan downloader through fake software websites, and confirmed multiple attacks tied to the new family since January 2026. What distinguishes this generation is its plumbing: all 20 payloads are orchestrated over a single SSH tunnel, an encrypted channel that transports stolen data from infected computers to attacker-controlled machines while blending into normal network traffic. Researchers warned the framework's modular, reusable structure lowers the barrier for copycats, meaning derivative kits targeting seed phrases could proliferate well beyond the original operators.
The campaign is part of a wider push against the people who build crypto. Separately, blockchain security researchers at SlowMist flagged a scheme in which attackers pose as Web3 recruiters on LinkedIn, then send candidates fake GitHub repositories described as a minimum viable product to test before an interview. Running that code — a routine step in any technical screening — delivers a remote access trojan that steals project keys, cloud credentials and wallet-extension data. A related operation targeted macOS users to hijack Telegram sessions. None of these lures involve a legitimate token airdrop, yet they borrow the same trust-based framing to disarm targets.
Read together, these incidents describe one strategy, not several: attackers have shifted from breaking cryptography to breaking human trust, weaponizing GitHub, LinkedIn and fake wallet screens to reach the seed phrase directly. COINOTAG's own market data underscores why the timing matters — with the Fear & Greed Index at 25 (Extreme Fear), Bitcoin dominance near 69.9% and total crypto market capitalization around $1.85 trillion, jittery holders rushing to secure or move funds are exactly the audience social-engineering kits exploit. Our read is that operational security now protects capital as much as any price level or all-time high; a compromised recovery phrase erases gains no market recovery can restore.
COINOTAG does not provide financial advisory services. This content is for informational purposes only and should not be considered investment advice. Cryptocurrency investments involve high risk.
Add COINOTAG as a Preferred Source
Add COINOTAG to your preferred sources in Google News and Search to see our coverage first.
Add on GoogleRelated Tags
AI-generated, AI-reviewed, under COINOTAG editorial oversight.
