Kaspersky has identified OkoBot, a sophisticated malware framework that actively targets cryptocurrency holders by impersonating hardware wallet interfaces and capturing sensitive authentication data. The malware, which has been operating for over a year, has infected hundreds of users across more than 25 countries, according to the security firm's research.
OkoBot employs multiple attack vectors to compromise crypto assets. The malware records screen activity specifically when users interact with cryptocurrency wallets while simultaneously logging keystrokes. It creates fake recovery windows mimicking Ledger and Trezor hardware wallets to trick users into revealing seed phrases—the master keys to cryptocurrency holdings. The malware also covertly installs malicious browser extensions in Chrome and Edge while hiding them from the user's view, and harvests clipboard contents to intercept copied wallet addresses and transaction data.
Once installed, OkoBot grants attackers remote access to infected machines by automatically opening network ports, creating unauthorized user accounts, and establishing persistent SSH tunnels. The malware additionally monitors USB device connections, captures desktop screenshots every five minutes, and records all copied images, creating a comprehensive surveillance toolkit for stealing cryptocurrency credentials and conducting real-time account takeovers through remote desktop protocol (RDP) access.
The campaign represents a significant escalation in malware sophistication targeting the cryptocurrency sector, as OkoBot combines traditional credential-stealing techniques with cryptocurrency-specific attack methods designed to defeat both software and hardware wallet security measures.