Kaspersky Discloses OkoBot Malware Stealing Crypto Wallet Mnemonics

icon币界网
Share
AI summary iconSummary
Kaspersky has uncovered OkoBot, a malware targeting Proof of Work (PoW) and blockchain users by stealing crypto wallet mnemonics and login credentials. Active for over a year, the malware uses social engineering and fake installers to infiltrate systems. Modules such as SeedHunter mimic wallet recovery pages, while OkoSpyware captures passwords. State channels and other Layer 2 solutions remain unaffected, but victims in Brazil, Vietnam, and other countries have been compromised. The malware spreads via GitHub and disguises itself as Microsoft software. Kaspersky warns that once mnemonics are stolen, funds are often irretrievably lost.
CoinDesk reports:

Kaspersky has disclosed that a malware named OkoBot has been actively operating for over a year, primarily targeting the theft of cryptocurrency wallet seed phrases and login credentials. Researchers say this attack chain consists of approximately 20 modules, with victims identified in Brazil, Vietnam, Canada, Mexico, and Turkey.

Malware distributed via GitHub

Researchers say attackers distributed malicious programs disguised as legitimate software, including fake installers impersonating Microsoft SQL Server Management Studio. One distribution channel is GitHub repositories.

OkoBot also incorporates ClickFix social engineering tactics. Victims see forged error, verification, or repair prompts and are guided to execute commands on their devices. Once executed, the malware installs itself without the user’s knowledge.

Recovery page targets mnemonic phrase

Among the identified modules, SeedHunter displays a forged wallet recovery interface, impersonating pages related to hardware wallets such as Ledger and Trezor. If users enter their recovery phrase on the page, the information is sent directly to the attackers.

Another module, MC Keylogger, records keyboard input and monitors clipboard content, enabling the interception of passwords, copied wallet addresses, and other credentials. The module named OkoSpyware can also track wallet passwords and record videos of open windows, further expanding the scope of information leakage.

Kaspersky notes that once a mnemonic phrase is compromised, attackers can take control of the associated wallet and transfer its assets. Since blockchain transactions are typically irreversible, stolen funds are often difficult to recover.

Developers and executives are also targets.

The report also noted that similar ClickFix attacks have recently been used against individuals in the crypto industry. According to CertiK’s research, Lazarus sent forged online meeting invitations to executives at fintech and crypto companies, tricking victims into pasting so-called repair or verification commands in the macOS terminal, thereby installing data-stealing malware.

Additionally, developer tools have become an entry point for attacks. Previously disclosed malware, TrapDoor, was distributed through compromised software packages, targeting developers in cryptocurrency, DeFi, AI, and security infrastructure, aiming to steal wallet data, API keys, cloud credentials, and SSH access rights.

These cases show that attackers are no longer relying solely on single phishing pages; instead, they are combining spoofed software, social engineering instructions, and multi-module data-stealing tools to expand their infiltration of wallet assets and enterprise systems.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.