Close Menu
Chain Tech Daily

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Cathie Wood buys SpaceX dip after stock sinks to post-IPO low

    July 18, 2026

    Circle and Coinbase — a story of two public offerings

    July 18, 2026

    eth2 quick update no. 2

    July 18, 2026
    Facebook X (Twitter) Instagram
    Chain Tech Daily
    • Altcoins
      • Litecoin
      • Coinbase
      • Crypto
      • Blockchain
    • Bitcoin
    • Ethereum
    • Lithosphere News Releases
    Facebook X (Twitter) Instagram YouTube
    Chain Tech Daily
    Home » Kaspersky exposes OkoBot’s 20-module crypto wallet attack
    Crypto

    Kaspersky exposes OkoBot’s 20-module crypto wallet attack

    James WilsonBy James WilsonJuly 18, 20263 Mins Read
    Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Tumblr Email
    Share
    Facebook Twitter LinkedIn Pinterest Email



    Kaspersky has exposed OkoBot, a year-old malware operation that uses roughly 20 modules to steal crypto wallet recovery phrases and has affected users across at least five countries.

    Summary

    • Kaspersky uncovered OkoBot using roughly 20 modules to steal crypto wallet credentials.
    • The malware has affected users in Brazil, Vietnam, Canada, Mexico, and Turkey.
    • OkoBot uses fake recovery screens, keylogging, spyware, and ClickFix commands to target victims.

    Kaspersky researchers discovered that the malware has remained active for more than a year, according to a report published by Bits.media. Most identified victims were located in Brazil, Vietnam, Canada, Mexico, and Turkey, while the operators blocked IP addresses from Russia and other Commonwealth of Independent States countries.

    Distributed through GitHub repositories, OkoBot is disguised as legitimate software, including Microsoft SQL Server Management Studio. Kaspersky found that the attackers rely on the ClickFix social engineering method, which tricks victims into running malicious commands on their own devices.

    The technique often presents users with fake error messages, verification steps, or repair instructions. Following those directions causes victims to execute code that installs the malware without realizing the command is malicious.

    OkoBot targets seed phrases and wallet credentials

    Among OkoBot’s modules, SeedHunter displays a fake recovery interface linked to hardware wallets such as Ledger and Trezor, according to Kaspersky. When users enter their recovery phrases into the fraudulent screen, the module sends the information to the malware operators.

    A second module called MC Keylogger records keyboard input and monitors clipboard activity, allowing it to capture passwords, copied wallet addresses, and other credentials. OkoSpyware can track wallet passwords and record videos of open windows, giving attackers another way to observe activity on an infected device.

    Once a recovery phrase is exposed, the attackers can use it to take control of the associated wallet and move its assets. Kaspersky warned that victims have little chance of recovering stolen cryptocurrency because blockchain transfers are generally irreversible.

    The malware’s modular design also lets its operators collect different types of information from a single infected system. According to the security company’s findings, OkoBot can target both wallet access data and credentials connected to other services used on the device.

    ClickFix attacks have also targeted crypto developers

    OkoBot is the latest malware campaign found using ClickFix against the cryptocurrency sector. As crypto.news reported in April, North Korea’s state-backed Lazarus Group used the same technique in a macOS campaign known as “Mach-O Man.”

    Citing research from CertiK, the report found that Lazarus sent fake online meeting invitations to fintech and crypto executives. Victims were instructed to paste supposed repair or verification commands into the macOS Terminal, which installed malware capable of stealing cryptocurrency and corporate information.

    CertiK also found that the Mach-O Man toolkit deleted itself after running, making forensic analysis more difficult. The campaign combined social engineering with terminal-level commands instead of relying only on malicious file downloads.

    Developer tools have provided another route into crypto systems. In May, crypto.news reported that TrapDoor malware was distributed through poisoned software packages targeting developers in cryptocurrency, decentralized finance, artificial intelligence, and security infrastructure.

    According to that report, TrapDoor sought wallet data, API keys, cloud credentials, and SSH access tied to services and ecosystems including Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos. Researchers also found hidden prompts designed to manipulate Claude and Cursor into running fake security scans that exposed secrets and transmitted them to the attackers.



    Source link

    Share. Facebook Twitter Pinterest LinkedIn WhatsApp Reddit Tumblr Email
    James Wilson

    Related Posts

    Crypto July 18, 2026

    Cathie Wood buys SpaceX dip after stock sinks to post-IPO low

    Crypto July 18, 2026

    Ethereum braces for CLARITY vote as bulls defend crucial support

    Crypto July 18, 2026

    Michael Saylor says corporations hold the key to Bitcoin’s global rise

    Crypto July 18, 2026

    TrustedVolumes attacker returns $2M, keeps another $2M as bounty

    Crypto July 18, 2026

    OKX Europe opens USDT escape route as MiCA restrictions tighten

    Crypto July 18, 2026

    FTX pushes ahead with $900M payout as SBF pardon hopes fade

    Leave A Reply Cancel Reply

    Don't Miss
    Crypto July 18, 2026

    Cathie Wood buys SpaceX dip after stock sinks to post-IPO low

    Cathie Wood’s ARK Invest has bought $18.3 million of SpaceX shares after the stock fell…

    Circle and Coinbase — a story of two public offerings

    July 18, 2026

    eth2 quick update no. 2

    July 18, 2026

    Kaspersky exposes OkoBot’s 20-module crypto wallet attack

    July 18, 2026
    Stay In Touch
    • Facebook
    • Twitter
    • YouTube
    • LinkedIn
    Our Picks

    Cathie Wood buys SpaceX dip after stock sinks to post-IPO low

    July 18, 2026

    Circle and Coinbase — a story of two public offerings

    July 18, 2026

    eth2 quick update no. 2

    July 18, 2026

    Kaspersky exposes OkoBot’s 20-module crypto wallet attack

    July 18, 2026

    Subscribe to Updates

    Get the latest creative news from SmartMag about art & design.

    Don't Miss
    Crypto July 18, 2026

    Cathie Wood buys SpaceX dip after stock sinks to post-IPO low

    Cathie Wood’s ARK Invest has bought $18.3 million of SpaceX shares after the stock fell…

    Circle and Coinbase — a story of two public offerings

    July 18, 2026

    eth2 quick update no. 2

    July 18, 2026

    Kaspersky exposes OkoBot’s 20-module crypto wallet attack

    July 18, 2026

    Subscribe to Updates

    Get the latest creative news from SmartMag about art & design.

    Stay In Touch
    • Facebook
    • Twitter
    • Pinterest
    • Instagram
    About Us
    About Us

    ChainTechDaily.xyz delivers the latest updates and trends in the world of cryptocurrency. Stay informed with daily news, insights, and analysis tailored for crypto enthusiasts.

    Our Picks
    Lithosphere News Releases
    X (Twitter) Instagram YouTube LinkedIn
    © 2026 Copyright

    Type above and press Enter to search. Press Esc to cancel.