Security Company: Malware OkoBot Steals Cryptocurrency Wallet Recovery Phrases, Users in Multiple Countries Affected
According to Bits.media, Kaspersky security researchers have discovered new malware OkoBot, which steals cryptocurrency wallet recovery phrases and credentials through about 20 modules. Attackers use ClickFix social engineering techniques to trick users into executing malicious commands and spread the malware through GitHub repositories disguised as legitimate tools like SQL Server Management Studio.
OkoBot's modules include: SeedHunter, which injects into hardware wallets like Trezor and Ledger, displaying a fake interface when recovering recovery phrases; MC Keylogger, which records keyboard and clipboard activity; and OkoSpyware, which tracks wallet passwords and records window videos.
Once attackers obtain the recovery phrases, they can gain complete control over the victim's cryptocurrency assets, making it nearly impossible to recover the funds. Kaspersky stated that OkoBot has been active for over a year, with most victims located in Brazil, Vietnam, Canada, Mexico, and Turkey. Attackers have also implemented geographical blocking on IP addresses from Russia and CIS countries.






