BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
BTC/USD $68,420 +2.8%
ETH/USD $3,540 +1.4%
SOL/USD $142.80 -0.6%
BNB/USD $605.20 +0.9%
XRP/USD $0.62 -1.2%
DOGE/USD $0.18 +5.4%
Policy

Kaspersky Identifies Malware Framework Targeting Crypto Investors

Kaspersky has identified a malware framework targeting crypto investors, naming the threat OkoBot and warning that it bundles more than 20 payloads to steal wallets, credentials, and account

AnonymousCryptoCompass newsroom
July 18, 2026
4 min read
NEWS
Kaspersky Identifies Malware Framework Targeting Crypto Investors
CryptoCompass editorial visual for policy coverage.

Kaspersky has identified a malware framework targeting crypto investors, naming the threat OkoBot and warning that it bundles more than 20 payloads to steal wallets, credentials, and account access from users across dozens of countries.

The security firm detailed the framework in a Securelist report published on July 15, 2026, describing OkoBot as a modular toolkit that was still active at the time of writing and packs more than 20 malicious payloads and implants. For related coverage, see U.S. regulator seeks to withdraw $5 million penalty against crypto firm tied to Trump donors.

Key Takeaways

  • Kaspersky identified OkoBot, a malware framework carrying more than 20 payloads aimed at cryptocurrency users.
  • The campaign hit hundreds of victims across more than 25 countries, spreading through ClickFix lures and trojanized GitHub downloads.
  • Its OkoSpyware module watches over 100 executable names, including wallet and password-manager apps, then records screen video and keystrokes.

What Kaspersky Found in the Malware Framework

OkoBot is not a single virus but a framework that chains together specialized modules for reconnaissance, surveillance, and theft. Kaspersky said the toolkit remained operational as its researchers published their findings. For related coverage, see Nikkei: SBI and Rakuten Develop In-House Crypto Investment Trusts.

The company reported detecting hundreds of victims in more than 25 countries, with the largest share of attacked users in Brazil, Vietnam, Canada, Mexico, and Turkiye. That geographic spread points to a broad, opportunistic campaign rather than a narrowly regional one. For related coverage, see Reuters: Iran's Largest Crypto Exchange Linked to Elite Family.

Countries affected 25+ Kaspersky reported OkoBot victims in more than 25 countries, indicating broad geographic reach for the campaign.

Kaspersky's security researcher Dmitry Galov said the OkoBot campaign had been active for more than a year and remained ongoing as of July 2026, according to the company's press release.

The OkoBot campaign has been active for more than a year and remained ongoing as of July 2026. — Dmitry Galov, Kaspersky, press release

How the Threat Appears to Target Crypto Investors

Initial infection commonly begins through ClickFix social-engineering attacks or GitHub-hosted malware posing as legitimate software, including a fake SQL Server Management Studio installer, Kaspersky said in its press release. Those lures put developers and crypto-curious users directly in the framework's path.

BleepingComputer independently confirmed the delivery vectors on July 16, 2026, reporting that OkoBot reaches victims through ClickFix attacks or malicious GitHub repositories and summarizing SeedHunter, MC Keylogger, and OkoSpyware as key modules. The module names signal a clear focus on seed phrases and login credentials.

The framework's surveillance component, OkoSpyware, compiles a watchlist of over 100 executable names, including wallet and password-manager apps, then uses FFmpeg to record window video while logging keystrokes. That combination is designed to capture exactly the moment a user unlocks a wallet or reveals a recovery phrase.

Monitored apps 100+ Securelist said OkoSpyware compiled a watchlist of over 100 executable names to focus surveillance on wallet and credential-heavy applications.

Targeting apps and developer tools rather than a single exchange lets the operators harvest access wherever a victim stores value. That approach mirrors how manipulation campaigns lean on trusted personalities and platforms, a dynamic explored in coverage of the role of KOLs in shaping crypto behavior.

Why the Discovery Matters for the Crypto Market

Malware aimed at investors strikes at the trust retail participants place in wallets and exchanges, the very tools driving mainstream adoption. A framework that quietly records screens and keystrokes undermines the assumption that self-custody alone keeps funds safe.

The warning lands during a jittery market backdrop, with the Fear & Greed Index reading 25, or "Extreme Fear," a sentiment level that leaves investors especially sensitive to security scares.

For platforms and wallet providers, OkoBot is another reminder that endpoint compromise can bypass exchange-side defenses entirely. The same trust question surfaces in reporting on how firms structure regulated crypto investment products and how venues such as arbitrage-focused trading platforms onboard retail users.

OkoBot fits a recurring pattern of crypto-focused threats that follow the money as adoption grows. Kaspersky's disclosure gives users and defenders concrete indicators, from the modules involved to the GitHub and ClickFix delivery routes, to spot the campaign before funds move.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.

Read original article on coinwy.comRead also :