Kaspersky unmasks OkoBot: a 20-module operation draining crypto wallets via seed phrase theft
Cybersecurity researchers have uncovered a sprawling malware operation designed to quietly strip cryptocurrency users of control over their wallets by stealing recovery phrases and access credentials. The campaign, dubbed OkoBot, has been active for more than a year and is built around roughly 20 separate modules, each responsible for a specific stage of the attack.
According to Kaspersky’s analysis, OkoBot has already impacted victims in at least five countries. Most confirmed infections have been traced to Brazil, Vietnam, Canada, Mexico, and Turkey. In a notable twist, the operators appear to deliberately exclude users in Russia and other Commonwealth of Independent States by blocking IP addresses from those regions, suggesting a degree of geographic targeting and possibly an attempt to avoid local law enforcement.
OkoBot spreads primarily through GitHub repositories, where it masquerades as legitimate software. Among the decoys used are packages imitating widely deployed tools such as Microsoft SQL Server Management Studio. Unsuspecting users download what they believe to be trusted utilities or developer tools, only to install a multi-module malware framework instead.
The operation leans heavily on a social engineering technique known as ClickFix. Rather than relying solely on traditional malicious file downloads, the attackers trick victims into executing harmful commands on their own machines. This is typically done by presenting fake error messages, bogus verification prompts, or phony “repair” instructions. Victims are encouraged to copy and paste specific commands into a terminal or console, believing they are fixing a problem. In reality, these commands silently install OkoBot.
Once embedded, the malware’s modular architecture allows it to target different types of data on the compromised device. One of the most dangerous components is a module called SeedHunter. This tool displays a counterfeit recovery interface that mimics the look and feel of hardware wallet tools linked to popular brands such as Ledger and Trezor. When users are lured into entering their seed phrases into this fake interface, the data is immediately transmitted to the attackers’ servers.
Another critical component, MC Keylogger, monitors everything typed on the keyboard and tracks clipboard contents. This allows the malware to capture passwords, authentication codes, copied wallet addresses, and other sensitive items that users copy and paste during transactions or logins. By watching the clipboard, the attackers can also potentially swap legitimate wallet addresses with their own during transfers.
A further module, OkoSpyware, extends the surveillance capabilities even more. It can monitor wallet passwords, record videos or screenshots of open windows, and observe what is happening on the infected device in near real time. This combination of keystroke logging, clipboard monitoring, and on-screen recording gives attackers multiple pathways to harvest credentials and map out the victim’s activity patterns.
The end goal is straightforward: once a recovery phrase or full set of login credentials is compromised, the attacker can assume complete control over the associated crypto wallet. Because blockchain transactions are typically irreversible and pseudonymous, there is almost no effective recourse for victims. Kaspersky warns that the likelihood of recovering stolen funds is extremely low once assets have been moved to attacker-controlled addresses and possibly laundered through chains of intermediaries.
OkoBot’s modular design is not just about stealing wallet access. The malware is also capable of collecting other types of confidential information stored or used on the same system. According to Kaspersky’s findings, the toolkit can harvest credentials for non-crypto services, accounts, and platforms, expanding the scope from personal finances to a broader compromise of the user’s digital identity and work environment.
This campaign is part of a wider pattern: sophisticated threat actors are increasingly pairing social engineering with “living off the land” techniques that push victims to execute commands themselves. Another prominent example was documented in April, when researchers reported a macOS-focused campaign known as “Mach-O Man,” linked to North Korea’s state-backed Lazarus Group. In that operation, executives in the fintech and cryptocurrency sectors received fake online meeting invitations. During those meetings, they were instructed to paste supposed diagnostic or verification commands into the macOS Terminal. Those commands, in fact, installed malware capable of stealing both cryptocurrencies and sensitive corporate information.
Researchers noted that the Mach-O Man toolkit went one step further by deleting itself after execution, a tactic that complicates forensic analysis and incident response. Rather than distributing obviously malicious installers, the attackers combined persuasive human interaction with terminal-level commands, dramatically reducing the traces left on the system and making traditional antivirus detection less effective.
Developer ecosystems have emerged as another high-value entry point. In a separate campaign reported in May, malware dubbed TrapDoor was embedded into tainted software packages targeting developers in cryptocurrency, decentralized finance, artificial intelligence, and security infrastructure. Once integrated into development environments, TrapDoor sought out wallet data, API keys, cloud platform credentials, and SSH access information tied to a wide range of services and ecosystems, including major exchanges, browser wallets, and blockchain networks such as Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos.
Researchers also discovered that TrapDoor’s operators experimented with manipulating AI-assisted coding and security tools. Hidden prompts were embedded inside the poisoned packages to coax automated assistants into launching fake “security scans.” Those scans were engineered to expose secrets and send them directly to the attackers, demonstrating how threat actors are starting to exploit the growing reliance on AI-based development companions.
Taken together, OkoBot, Mach-O Man, and TrapDoor illustrate how quickly the threat landscape around cryptocurrencies is evolving. Attackers are no longer focused only on simple phishing sites or obvious malware downloads. They are embedding themselves into developer workflows, abusing legitimate platforms, and weaponizing routine maintenance tasks and error messages. The ClickFix technique is particularly insidious because it leverages trust in system messages and the user’s own actions, turning the victim into an unwitting participant in the attack.
For everyday crypto holders, the OkoBot campaign underscores a few critical lessons. First, seed phrases and recovery phrases should never be entered into any interface that you did not obtain directly from the official wallet provider or hardware manufacturer. Hardware wallets such as Ledger and Trezor never ask users to input their seed phrase into arbitrary third-party software or through pop-up recovery tools. Any request to “verify” or “restore” a wallet using a seed phrase outside of the official application or device should be treated as a red flag.
Second, users should be extremely cautious about copying and pasting commands from tutorials, pop-up messages, or error dialogs into a terminal or command line interface. Whether on Windows, macOS, or Linux, a single pasted command can install persistent malware with full user privileges. If an error message or support guide instructs you to run an unfamiliar command, it is safer to validate it through official documentation or a trusted security professional before proceeding.
Third, software and tools-especially those that manage databases, developer environments, or crypto-related workflows-should be downloaded only from verified, official distribution channels. Repositories and code hosting platforms can be abused by attackers to host trojanized versions of popular software. Even if the project name and description look familiar, malicious modifications may be hidden inside the package.
For developers and technical users, the new wave of attacks also highlights the importance of securing their own toolchains. That includes verifying package integrity, using checksums or signed releases where available, and isolating environments used to handle secrets like private keys and API tokens. Treating development machines that manage production keys as high-security assets-segmented from general browsing and experimentation-can significantly reduce the risk that a single poisoned dependency compromises an entire operation.
Organizations working in the crypto, fintech, and DeFi spaces should also assume that staff may be targeted with tailored social engineering, including fake meeting invitations, job offers, or incident alerts. Training employees to recognize unusual requests to run commands, share seed phrases, or install unfamiliar software is becoming as important as technical defenses. In tandem, monitoring for anomalous outgoing connections or unusual clipboard and process activity can help detect modular malware like OkoBot before it completes data exfiltration.
From the attacker’s perspective, modular architectures like OkoBot represent a flexible investment. Individual components can be updated, swapped, or expanded as new wallet technologies, exchanges, and tools appear. This adaptability means such operations can persist for long periods, quietly harvesting credentials until they are discovered and disrupted. Users and companies should therefore expect similar toolkits to continue emerging, each iteration more stealthy and better tailored to modern crypto workflows.
Ultimately, the exposure of OkoBot serves as a reminder that securing digital assets is not just about choosing the right wallet or exchange-it is about protecting the entire environment in which those tools are used. As long as attackers can convince users to run untrusted commands, enter recovery phrases into fake interfaces, or install tainted software, even the strongest cryptography can be sidestepped. Proactive hygiene, skepticism toward unsolicited prompts, and a clear separation between secure and everyday computing environments are now essential for anyone operating in the cryptocurrency ecosystem.
