No Result
View All Result
Global Finances Daily
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers
No Result
View All Result
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers
  • Login
Global Finances Daily
No Result
View All Result
Home Crypto

Kaspersky exposes OkoBot’s 20-module crypto wallet attack

July 18, 2026
in Crypto
0
Kaspersky exposes OkoBot’s 20-module crypto wallet attack - 1



Kaspersky has exposed OkoBot, a year-old malware operation that uses roughly 20 modules to steal crypto wallet recovery phrases and has affected users across at least five countries.

Summary

  • Kaspersky uncovered OkoBot using roughly 20 modules to steal crypto wallet credentials.
  • The malware has affected users in Brazil, Vietnam, Canada, Mexico, and Turkey.
  • OkoBot uses fake recovery screens, keylogging, spyware, and ClickFix commands to target victims.

Kaspersky researchers discovered that the malware has remained active for more than a year, according to a report published by Bits.media. Most identified victims were located in Brazil, Vietnam, Canada, Mexico, and Turkey, while the operators blocked IP addresses from Russia and other Commonwealth of Independent States countries.

Distributed through GitHub repositories, OkoBot is disguised as legitimate software, including Microsoft SQL Server Management Studio. Kaspersky found that the attackers rely on the ClickFix social engineering method, which tricks victims into running malicious commands on their own devices.

The technique often presents users with fake error messages, verification steps, or repair instructions. Following those directions causes victims to execute code that installs the malware without realizing the command is malicious.

OkoBot targets seed phrases and wallet credentials

Among OkoBot’s modules, SeedHunter displays a fake recovery interface linked to hardware wallets such as Ledger and Trezor, according to Kaspersky. When users enter their recovery phrases into the fraudulent screen, the module sends the information to the malware operators.

A second module called MC Keylogger records keyboard input and monitors clipboard activity, allowing it to capture passwords, copied wallet addresses, and other credentials. OkoSpyware can track wallet passwords and record videos of open windows, giving attackers another way to observe activity on an infected device.

Once a recovery phrase is exposed, the attackers can use it to take control of the associated wallet and move its assets. Kaspersky warned that victims have little chance of recovering stolen cryptocurrency because blockchain transfers are generally irreversible.

The malware’s modular design also lets its operators collect different types of information from a single infected system. According to the security company’s findings, OkoBot can target both wallet access data and credentials connected to other services used on the device.

ClickFix attacks have also targeted crypto developers

OkoBot is the latest malware campaign found using ClickFix against the cryptocurrency sector. As crypto.news reported in April, North Korea’s state-backed Lazarus Group used the same technique in a macOS campaign known as “Mach-O Man.”

Citing research from CertiK, the report found that Lazarus sent fake online meeting invitations to fintech and crypto executives. Victims were instructed to paste supposed repair or verification commands into the macOS Terminal, which installed malware capable of stealing cryptocurrency and corporate information.

CertiK also found that the Mach-O Man toolkit deleted itself after running, making forensic analysis more difficult. The campaign combined social engineering with terminal-level commands instead of relying only on malicious file downloads.

Developer tools have provided another route into crypto systems. In May, crypto.news reported that TrapDoor malware was distributed through poisoned software packages targeting developers in cryptocurrency, decentralized finance, artificial intelligence, and security infrastructure.

According to that report, TrapDoor sought wallet data, API keys, cloud credentials, and SSH access tied to services and ecosystems including Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos. Researchers also found hidden prompts designed to manipulate Claude and Cursor into running fake security scans that exposed secrets and transmitted them to the attackers.

Editorial Team

Editorial Team

Related Posts

Cointelegraph
Crypto

Kaspersky Uncovers Malware Framework Targeting Crypto Investors

July 18, 2026
Ethereum braces for CLARITY vote as bulls defend crucial support - 1
Crypto

Ethereum braces for CLARITY vote as bulls defend crucial support

July 18, 2026
Bitcoin
Crypto

Bitcoin Drops Below $63,000 As Macro Pressure Returns To Crypto

July 18, 2026
Cointelegraph
Crypto

French Gambling Authority Blocks Polymarket Access

July 18, 2026
What is Lighter? Robinhood's perps DEX
Crypto

Noxa vanishes after fueling Robinhood Chain’s $4B memecoin boom

July 18, 2026
Ethereum
Crypto

Ethereum Rebound Stalls As Policy Uncertainty Cools ETF Excitement

July 18, 2026
Load More
Next Post
Scam victims may owe IRS taxes on stolen money. Here's why

Scam victims may owe IRS taxes on stolen money. Here's why

Popular News

  • A comfortable retirement standard gets people a new small car every three years

    How much does a comfortable retirement cost? New figures reveal what YOU need – and what you’d get

    0 shares
    Share 0 Tweet 0
  • Cynthia Lummis races to save the CLARITY Act before 2030

    0 shares
    Share 0 Tweet 0
  • How to Contact Hilton Customer Service

    0 shares
    Share 0 Tweet 0
  • Where to get high yield on stablecoins in 2025: Top 5 projects

    0 shares
    Share 0 Tweet 0
  • Fintex Capital expands debt origination team

    0 shares
    Share 0 Tweet 0

Latest News

Scam victims may owe IRS taxes on stolen money. Here's why

Scam victims may owe IRS taxes on stolen money. Here’s why

July 18, 2026
0

Vladimir Vladimirov | E+ | Getty ImagesFor victims of fraud, a second financial blow sometimes comes their way — they...

Kaspersky exposes OkoBot’s 20-module crypto wallet attack - 1

Kaspersky exposes OkoBot’s 20-module crypto wallet attack

July 18, 2026
0

Kaspersky has exposed OkoBot, a year-old malware operation that uses roughly 20 modules to steal crypto wallet recovery phrases and...

A massive lettuce recall hits home as local restaurants shake up their salad menus

A massive lettuce recall hits home as local restaurants shake up their salad menus

July 18, 2026
0

Some independent restaurants are throwing out all their bagged lettuce, while others have found ways to keep serving customers their...

ICICI Bank Q1 2027 slides: profit surges 21%, loan growth accelerates

ICICI Bank Q1 2027 slides: profit surges 21%, loan growth accelerates

July 18, 2026
0

ICICI Bank Q1 2027 slides: profit surges 21%, loan growth accelerates

Global Finances Daily

Welcome to Global Finances Daily, your go-to source for all things finance. Our mission is to provide our readers with valuable information and insights to help them achieve their financial goals and secure their financial future.

Subscribe

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Use
  • Editorial Process

© 2025 All Rights Reserved - Global Finances Daily.

No Result
View All Result
  • Alternative Investments
  • Crypto
  • Financial Markets
  • Investments
  • Lifestyle
  • Protection
  • Retirement
  • Savings
  • Work & Careers

© 2025 All Rights Reserved - Global Finances Daily.

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.