Kaspersky Discovers OkoBot Malware Stealing Crypto Wallet Data and Seed Phrases

iconBitMedia
Share
AI summary iconSummary
Kaspersky researchers uncovered OkoBot, malware designed to steal crypto wallet data and seed phrases. The threat spreads via fake GitHub repositories and employs ClickFix attacks to execute malicious commands. Modules such as SeedHunter and MC Keylogger capture browser cookies, keystrokes, and seed phrases. The attack primarily targets users in Brazil, Vietnam, Canada, Mexico, and Turkey. In 2025, ScamSniffer reported a similar method targeting Phantom Wallet users. Stay informed with the latest cryptocurrency news and inflation data to safeguard your assets.

To deploy OkoBot on victims' devices, attackers use a technique called ClickFix—a social engineering method that tricks users into executing malicious commands. OkoBot is also distributed through fake GitHub repositories disguised as legitimate software tools.

In one such repository, the tool SQL Server Management Studio (SSMS) was offered—but in reality, it was a version of the audio editor Audacity infected with a Trojan, Kaspersky specialists reported. They clarified that OkoBot has been active for over a year, distributing the PowerShell script TookPS.

TookPS is used in the first stage to install and configure the SSH bot that distributes malicious components. The SSH bot collects data on the username, antivirus software, IP address, and operating system version, and disables Windows Defender notifications. Additionally, the bot gathers information about cryptocurrency wallets, browser cookies, and credentials.

Experts identified the modules used by OkoBot in its attacks:

  • ext daemon/extl.exe: This module is injected into Chrome browsers to silently install and conceal the Rilide extension, which targets the collection of credentials, cookies, financial information, and cryptocurrency-related data.

  • SeedHunter: Being integrated into Trezor Suite, Ledger Wallet, and Ledger Live to display a fake screen during seed phrase recovery.

  • MC Keylogger: records keystrokes and clipboard activity, including copied text, images, and file paths. The module can also monitor USB connections and take screenshots every five minutes.

  • OkoSpyware: tracks cryptocurrency wallet passwords and also uses FFmpeg to record video of their windows and capture keystrokes.

If attackers gain access to the seed phrase, they obtain full control over the victim’s crypto assets. In such cases, hackers typically transfer the funds to addresses they control, making it nearly impossible to recover the stolen cryptocurrency.

Kaspersky claims that the majority of OkoBot victims are located in Brazil, Vietnam, Canada, Mexico, and Turkey. The exact amount of stolen funds is not disclosed. Kaspersky researchers observed that access to servers hosting PowerShell scripts for the initial attack stage is blocked for IP addresses from Russia and CIS countries.

Last year, experts from ScamSniffer identified a new tactic used by scammers to steal seed phrases from Phantom Wallet users. Hackers create malicious pop-ups claiming to “update the extension.” After approval, potential victims are prompted to enter their seed phrase.


Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.