Kaspersky has exposed OkoBot, a modular malware framework built from more than 20 malicious payloads that targets cryptocurrency wallets, tricking users into surrendering the seed phrases tha
Kaspersky has exposed OkoBot, a modular malware framework built from more than 20 malicious payloads that targets cryptocurrency wallets, tricking users into surrendering the seed phrases that control their funds.
What Kaspersky Says It Found About OkoBot
Kaspersky researchers published their technical analysis of the OkoBot framework on July 15, 2026, warning that the threat was still active at the time of writing and that the campaign had been running for over a year, according to its Securelist report. For related coverage, see Citadel Backs Two Crypto Exchanges With $600 Million Investment.
The framework is not a single virus but a toolkit of more than 20 malicious payloads and implants assembled to steal data and drain crypto wallets. For related coverage, see Citadel Securities Invests $400M in Crypto.com at $20B Valuation.
OkoBot payloads 20+ Kaspersky said the framework includes more than 20 malicious payloads and implants. Source: Securelist
One module, named SeedHunter, injects itself into Trezor Suite, Ledger Wallet, and Ledger Live, then displays phishing seed-recovery pages designed to capture the recovery phrases of hardware wallet owners. For related coverage, see ESMA Adds 14 Crypto Firms, Including Ripple Payments Europe, to MiCA Register.
Dmitry Galov of Kaspersky described the scale of the operation directly.
The OkoBot campaign has been active for more than a year and remained ongoing as of July 2026. — Dmitry Galov, Kaspersky
Why the 20-Module Design Stands Out
A modular architecture lets attackers mix and match functions per victim, deploying only the implants they need and swapping components as defenders catch on. That flexibility makes such frameworks harder to detect and contain than a single-purpose stealer.
OkoSpyware, another component in the chain, monitors 100 programs including crypto wallets and password managers, records video with FFmpeg, and captures keystrokes, BleepingComputer reported.
The framework reaches victims through ClickFix social-engineering attacks and fake GitHub repositories, including a trojanized Audacity package disguised as SQL Server Management Studio. Kaspersky said it detected hundreds of victims across more than 25 countries.
Countries affected 25+ Kaspersky said it detected hundreds of victims in more than 25 countries. Source: Securelist
Brazil, Vietnam, Canada, Mexico, and Turkiye were the most affected markets, showing the campaign was not confined to a single region. According to unconfirmed reports, technical clues such as geoblocking and Russian-language code comments point to a Russian-speaking operator, though Kaspersky said it cannot attribute the campaign with high confidence.
What the OkoBot Wallet Threat Means for Crypto Users
The core danger is the seed phrase. Because SeedHunter renders its phishing prompts inside legitimate wallet software, the usual advice to check the browser address bar offers little protection; a recovery phrase entered into any prompt, even one that appears within a trusted app, can hand an attacker full control of the wallet.
The incident lands during a nervous stretch for the market. The Fear & Greed Index reads 25, or "Extreme Fear," while Bitcoin trades near $64,123 after a 1.9% daily gain.
Self-custody guidance from wallet makers is consistent: recovery phrases should never be typed into online forms or software prompts, a point Trezor reiterated in its own phishing security alert.
The threat is broad because it targets wallet users across assets rather than one token, a reminder that operational security matters even as institutional interest keeps building through vehicles like the T. Rowe Price TKNZ active crypto ETF and asset managers testing demand for crypto basket ETFs. New capital entering the sector expands the pool of holders that campaigns like OkoBot aim to exploit.
Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.
Read original article on coinlineup.com