OkoBot Malware Uses 20 Modules to Steal Bitcoin Wallet Seed Phrases
Crypto News
Kaspersky has exposed OkoBot, a year-old malware framework built from roughly 20 separate modules engineered to steal cryptocurrency wallet recovery phrases. Our reading of the disclosure shows the operation has already compromised users across at least five countries — Brazil, Vietnam, Canada, Mexico and Turkey — while its operators deliberately blocked IP addresses from Russia and other Commonwealth of Independent States nations. The modular design lets attackers harvest wallet files, browser data and login credentials from a single infected machine. Because seed phrases unlock full control of a wallet, victims face near-total loss: blockchain transfers are irreversible, leaving almost no path to recover stolen funds.
The infection chain begins with social engineering rather than a software flaw. OkoBot is distributed through GitHub repositories disguised as legitimate tools, including a counterfeit build of Microsoft SQL Server Management Studio. Kaspersky documented heavy use of the ClickFix technique, a method that presents fake error messages, verification prompts or repair instructions and tricks victims into pasting malicious commands into their own terminals. Following those steps silently installs the backdoor. The approach sidesteps traditional defenses because the user, not an exploit, executes the payload — a pattern security teams increasingly see aimed at holders of Bitcoin and other altcoins.
At the core of the theft sits SeedHunter, a module that renders a fake recovery interface mimicking hardware wallets such as Ledger and Trezor. When a user types a 12- or 24-word recovery phrase into the fraudulent screen, the data is transmitted straight to the operators, who can then reconstruct the wallet and drain it. The tactic specifically targets the one secret that hardware wallets are designed to keep offline. For anyone securing a self-custody crypto wallet, the lesson is direct: a genuine device never asks you to retype a seed phrase into a desktop window.
Two additional modules widen the surveillance. MC Keylogger records keystrokes and monitors clipboard activity, capturing passwords and copied wallet addresses in real time, while OkoSpyware tracks wallet passwords and even records video of open windows to observe a victim's activity. Together they defeat the copy-paste habits many traders assume are safe, and they can quietly intercept credentials for exchange accounts or an automated AI trading bot running on the same device. The framework's ability to pull several data types from one host means a single careless install can expose an entire portfolio, not merely one wallet or login.
OkoBot did not appear from nowhere. Kaspersky traced it to TookPS, a 2025 campaign that pushed a Trojan downloader through fake software websites, and confirmed multiple attacks tied to the new family since January 2026. What distinguishes this generation is its plumbing: all 20 payloads are orchestrated over a single SSH tunnel, an encrypted channel that transports stolen data from infected computers to attacker-controlled machines while blending into normal network traffic. Researchers warned the framework's modular, reusable structure lowers the barrier for copycats, meaning derivative kits targeting seed phrases could proliferate well beyond the original operators.
The campaign is part of a wider push against the people who build crypto. Separately, blockchain security researchers at SlowMist flagged a scheme in which attackers pose as Web3 recruiters on LinkedIn, then send candidates fake GitHub repositories described as a minimum viable product to test before an interview. Running that code — a routine step in any technical screening — delivers a remote access trojan that steals project keys, cloud credentials and wallet-extension data. A related operation targeted macOS users to hijack Telegram sessions. None of these lures involve a legitimate token airdrop, yet they borrow the same trust-based framing to disarm targets.
Read together, these incidents describe one strategy, not several: attackers have shifted from breaking cryptography to breaking human trust, weaponizing GitHub, LinkedIn and fake wallet screens to reach the seed phrase directly. COINOTAG's own market data underscores why the timing matters — with the Fear & Greed Index at 25 (Extreme Fear), Bitcoin dominance near 69.9% and total crypto market capitalization around $1.85 trillion, jittery holders rushing to secure or move funds are exactly the audience social-engineering kits exploit. Our read is that operational security now protects capital as much as any price level or all-time high; a compromised recovery phrase erases gains no market recovery can restore.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.
You may also like
Kenya President’s Website Breached as Hackers Demand 5 BTC Ransom

Injective Files SEC Transfer Agent Registration for Onchain RWA
US & UK Align On Rules; Ripple Deepens Footprint
Tether and USDC Confront SWIFT’s 17-Bank Tokenized-Deposit Ledger
