Kaspersky Uncovers One of Most Dangerous Crypto-Stealing Bots for Wallet Owners

Thu, 16/07/2026 - 15:09
Learn what not to do to protect your crypto wallet as Kaspersky warns of OkoBot, a dangerous new malware hijacking official apps to drain funds.
Advertisement
Kaspersky Uncovers One of Most Dangerous Crypto-Stealing Bots for Wallet Owners
Cover image via depositphotos.com

Disclaimer: The opinions expressed by our writers are their own and do not represent the views of U.Today. The financial and market information provided on U.Today is intended for informational purposes only. U.Today is not liable for any financial losses incurred while trading cryptocurrencies. Conduct your own research by contacting financial experts before making any investment decisions. We believe that all content is accurate as of the date of publication, but certain offers mentioned may no longer be available.

Google

Experts from Kaspersky's Global Research and Analysis Team (GReAT) warn that hundreds of users across 25 countries are at risk of having their assets stolen as the dangerous OkoBot malware framework targeting cryptocurrency owners entered an active phase. 

Advertisement

Hackers have completely revised their tactics and are now targeting people who believed they were fully protected, analysts note in a new report.

The malware steals funds by intercepting the functions of the official Ledger Live, Ledger Wallet, and Trezor Suite applications and displaying a fake verification window. To avoid falling for this trick, users are advised to strictly follow three key security rules:

HOT Stories
US Nets Just 15% of FTX's Shiba Inu (SHIB) Value; Bitcoin Does What AI Cannot, Binance Founder Explains; 70 Million XRP Lands in Millionaire Whale Wallets - Morning Crypto Report Shiba Inu Adds 60% in Weekly Spot Flows: Explaining What It Means for Price Health
  • Never enter a seed phrase using a PC keyboard
  • Do not execute third-party scripts from the internet
  • Check the system for hidden RDP access

In this campaign, attackers are deliberately targeting IT specialists and software developers. The initial compromise occurs when hackers disguise malware as popular work tools and distribute infected software through GitHub. 

Advertisement
Article image
Fake Ledger and Trezor recovery windows used by OkoBot hackers to siphon seed phrases, Source: Kaspersky's GReAT research (July 15 2026)

In particular, researchers have already discovered the malware inside a fake Microsoft SQL Server Management Studio (SSMS) installer.

At the same time, attackers are using sophisticated ClickFix attacks, a social engineering technique in which users are persuaded to copy and run malicious code in a terminal under the pretext of fixing an unexpected browser error.

What comes next: analysts' forecasts

According to Kaspersky GReAT, since the malware uses a modular structure consisting of more than 20 components, including the Rilide infostealer and the OkoSpyware surveillance module, the geographical reach of the attacks is expected to expand beyond the countries currently reporting the highest number of infections, led by Brazil, Vietnam, Canada, Mexico, and Turkey.

Advertisement

You Might Also Like

New hidden extensions for Chromium-based browsers, including Chrome and Edge, are also expected to emerge. The malware can completely remove these extensions from the visible list of installed add-ons, leaving users unaware of their presence.

The final stage may involve the large-scale sale of access to victims' computers. After establishing persistence in a system, OkoBot secretly creates a new administrator account and opens a permanent SSH tunnel for remote control through RDP.

Advertisement
Advertisement
Advertisement
Advertisement
Subscribe to daily newsletter

Recommended articles

Our social media
There's a lot to see there, too
Advertisement