Kaspersky Uncovers OkoBot Malware Framework Targeting Crypto Investors
Cybersecurity firm Kaspersky has identified a new malware framework, 'OkoBot,' designed to target cryptocurrency investors and Web3 developers. This threat employs social engineering and trojanized GitHub apps to steal wallet data and personal credentials.

The rise of cryptocurrency markets has unfortunately been accompanied by a surge in cyberattacks targeting digital assets. Cybersecurity firm Kaspersky recently unveiled 'OkoBot,' a sophisticated new malware framework specifically engineered to target cryptocurrency investors and Web3 developers. This threat leverages social engineering tactics and trojanized GitHub applications to pilfer users' assets and sensitive data.
According to Kaspersky's report, OkoBot initiates its infection chain through social engineering methods like 'ClickFix,' which tricks users into executing malicious commands, or via trojanized GitHub apps that deliver a backdoor to infected devices. The malware is capable of harvesting cryptocurrency wallet files, browser data, and user credentials. It can also inject malicious extensions and hijack wallet application windows to steal assets. OkoBot operates as an extensible framework, comprising over 20 malicious payloads and implants, including TookPS (for exfiltrating seed phrases), OkoSpyware (for monitoring Chromium-based browsers and deploying the Rilide info-stealer), and SeedHunter (for injecting phishing pages into hardware wallet applications like Trezor Suite, Ledger Wallet, and Ledger Live).
This malware framework is an evolution of a previous campaign, 'TookPS,' first identified in 2025, which distributed Trojan downloaders through fake software websites. It also follows a campaign dubbed 'GitVenom' in February 2025, which stole Bitcoin (BTCUSD) and sensitive credentials using fake GitHub repositories. During the GitVenom campaign, attackers were observed stealing approximately 5 BTC (worth around $485,000 at the time) in November 2024. The OkoBot operation itself has been actively affecting hundreds of victims since January 2026 and remains ongoing as of July 2026.
The OkoBot campaign has impacted hundreds of victims across more than 25 countries, with Brazil, Vietnam, Canada, Mexico, and Türkiye experiencing the highest number of detections. Attackers have also targeted Web3 developers through fake LinkedIn recruitment opportunities, sending them deceptive GitHub repositories that claim to contain a minimum viable product (MVP) to be tested before an interview. This workflow mimics a legitimate technical interview process, involving code pulling, dependency installation, and project launching, making the attack difficult to detect. Such attacks can lead to the theft of project keys, cloud credentials, or wallet extension data.
The inherent nature of the cryptocurrency market, where on-chain transfers are fast and effectively irreversible, creates a short, high-value window for cybercriminals to exploit. While Kaspersky researchers have not attributed OkoBot to a specific known cybercrime group, they noted that the malware servers blocked connections from Russia and CIS countries, and some parts of the code contained Russian-language comments. Such attacks underscore the continuous need for vigilance regarding the security of digital assets.
Cybersecurity experts are issuing crucial warnings to crypto investors and developers. Users are advised never to enter a seed phrase using a PC keyboard, to avoid executing third-party scripts from the internet, and to regularly check their systems for hidden Remote Desktop Protocol (RDP) access. Furthermore, exercising caution with suspicious emails, messages, or downloads, only downloading software from trusted sources, and enabling two-factor authentication (2FA) are fundamental security measures that remain paramount. Market expectations suggest that cybersecurity threats will continue to be a long-term risk for the crypto ecosystem.
Related Symbols
₿ Want to ride this crypto move?
Open an account in minutes. Compare brokers offering crypto and start investing today — zero commission options available.
Comments (0)
No comments yet. Be the first to comment!

