Kaspersky exposes OkoBot’s 20-module crypto wallet attack
Kaspersky says it uncovered OkoBot, a malware operation that has been active for more than a year and is built to steal crypto wallet recovery phrases and other credentials. In crypto, that’s not a nuisance, that’s wallet demolition.
- About 20 modules.
- Seed phrases were the main target.
- Victims were identified in five countries.
- ClickFix tricks users into running the payload themselves.
According to Kaspersky, OkoBot affected users in Brazil, Vietnam, Canada, Mexico, and Turkey. The malware was distributed through GitHub repositories, disguised as legitimate software including Microsoft SQL Server Management Studio, and pushed with a social-engineering method known as ClickFix.
ClickFix is a particularly ugly scam because it doesn’t always rely on a victim downloading an obviously malicious file. Instead, it often shows fake instructions that tell the user to copy and run a command to “fix” a problem or verify something. The user thinks they’re repairing the issue. In reality, they’re opening the door for the attacker. Efficient? Yes. Ugly? Absolutely.
The core threat is simple. If attackers get a seed phrase, also called a recovery phrase, they can usually take over the wallet outright. In self-custody, that phrase is the master key. Lose it, and you don’t have a “forgot password” button. You have a very bad day and possibly an empty wallet.
Why seed phrase theft is so dangerous
A seed phrase is the set of words used to restore access to a non-custodial crypto wallet. It should be kept offline and private because anyone who has it can generally recreate the wallet and move the funds.
That makes seed phrase theft much worse than a normal password leak. A stolen password may open an account. A stolen recovery phrase can mean total control.
Kaspersky’s reporting says OkoBot uses roughly 20 modules, which is cybercrime’s version of “why settle for one hammer when you can bring a full toolbox of misery?” The module names described in the reporting point to a fairly direct theft pipeline:
- SeedHunter shows a fake recovery interface tied to hardware wallets such as Ledger and Trezor.
- MC Keylogger records keyboard input and monitors clipboard activity.
- OkoSpyware tracks wallet passwords and records activity from open windows.
That combination is dangerous because it attacks the whole chain of human error: fake the prompt, capture the typing, watch the clipboard, and quietly harvest whatever sensitive data the victim exposes. No need to “break” encryption if you can simply persuade someone to hand over the keys.
Hardware wallets still matter. They keep private keys offline, which is a major security improvement over leaving funds on a hot wallet or exchange account. But hardware wallets are not magic shields. If a user types a recovery phrase into a fake screen or runs malicious commands on the machine they use alongside the device, the hardware wallet cannot save them.
GitHub abuse and the trust problem
One of the more annoying realities of modern malware is how normal it can look. GitHub is a legitimate code-hosting platform, but attackers abuse it because people trust it by default. A repository that looks like a routine tool can slip past suspicion far more easily than a random executable from a sketchy website.
That matters because familiarity lowers defenses. If the page looks boring, official, or vaguely enterprise-grade, many users click first and check later. Malware authors know this. They rely on it.
The disguise as Microsoft SQL Server Management Studio is especially cynical because it borrows the reputation of boring, familiar software. That’s often the point: nobody gets excited about database admin tools, which makes them excellent camouflage for a scam.
According to Kaspersky, the operators also blocked IP addresses from Russia and other Commonwealth of Independent States countries. That kind of geo-blocking is often used to avoid attracting attention from local law enforcement or from familiar network ranges. It doesn’t prove anything by itself, but it is a familiar habit in cybercrime operations.
Why ClickFix keeps showing up in crypto attacks
OkoBot is not happening in a vacuum. ClickFix-style social engineering has been showing up in other crypto-related intrusions too, which is exactly why defenders should treat it as a pattern instead of a novelty.
In April, crypto.news reported that CertiK said Lazarus Group used ClickFix-style tactics in a macOS campaign called “Mach-O Man.” That does not connect Lazarus to OkoBot. It does, however, show that this method is becoming a recurring part of the threat toolkit.
In May, crypto.news reported on TrapDoor, a separate malware campaign distributed through poisoned software packages. According to that reporting, TrapDoor targeted developers in cryptocurrency, decentralized finance, artificial intelligence, and security infrastructure, and went after data tied to Coinbase, Binance, MetaMask, Brave, Solana, Sui, and Aptos.
TrapDoor also used hidden prompts to manipulate Claude and Cursor, which is another reminder that attackers are happy to abuse whatever tools developers trust. Package managers, AI assistants, code editors, chat interfaces, if it sits in the workflow and can be twisted into granting access, someone will try.
That broader pattern matters because the real story is not just “some malware exists.” It’s that crypto crime has become more modular, more patient, and more professional. The attack surface is no longer just wallets. It’s browser sessions, developer machines, API keys, cloud credentials, GitHub tokens, package registries, and any user prompt that can be manipulated into doing the attacker’s job for them.
What crypto users and builders should take from this
For everyday users, the biggest lesson is painfully basic: never enter a seed phrase into a website, pop-up, support window, installer, or “verification” screen. A legitimate wallet provider will not ask you to paste your recovery phrase into a random prompt so it can “fix” your account.
If something asks you to run a command to repair a wallet issue, stop and verify it from an official source through a separate channel. Better yet, use a clean device for wallet setup and keep the recovery phrase offline from day one. That’s not paranoia. That’s basic survival.
For developers, the warning is even sharper. A compromised machine can expose API keys, SSH access, cloud credentials, signing access, repository permissions, and other secrets that attackers can use to spread further. In crypto, one infected laptop can become a doorway into projects, infrastructure, and funds.
That is why modular malware is such a pain. One module steals passwords, another watches the clipboard, another captures screen activity, and another may be there to keep persistence or evade detection. Defenders are not fighting one neat little payload. They’re fighting a toolkit designed to keep finding new ways in.
The uncomfortable truth is that self-custody is powerful, but it is unforgiving. Decentralization removes the middleman, which is the point. It also removes the safety net, which is the part people tend to forget until the seed phrase is gone and the funds are already moving.
Key takeaways
-
What is OkoBot targeting?
Kaspersky says it targets crypto wallet recovery phrases and other credentials. That’s the worst possible target, because a stolen seed phrase can hand over full wallet control. -
Why is ClickFix so effective?
It tricks victims into running malicious commands themselves, often by pretending to be a repair or verification step. That bypasses a lot of the usual warning signs. -
Why does GitHub abuse matter?
Because legitimate platforms can be turned into malware distribution channels. A familiar repository or software name can lower suspicion fast. -
Can a hardware wallet still be compromised?
Yes. Hardware wallets protect private keys, but they do not protect users from seed-phrase theft or from running malicious commands on a compromised machine. -
Can stolen crypto be recovered?
Usually not, because blockchain transfers are generally irreversible. Recovery is rare, though exchange intervention, law enforcement tracing, or attacker mistakes can sometimes help. -
Why mention Lazarus Group and TrapDoor?
They show that similar tactics keep recurring across separate campaigns. That is context, not attribution, a sign of a broader playbook, not proof that the groups are linked.
OkoBot is a blunt reminder that the most effective crypto attacks often don’t need to “break” the chain. They just need to fool the person using it. The shift from crude phishing to modular malware, fake installers, and command-line trickery is the real story here. The chain may be decentralized. Human behavior is still gloriously central.
Further reading
A few related angles on wallet theft, scam tactics, and recovery-phrase abuse.
- Binance Square post on the reported incident
- Hackread: OkoBot malware, ClickFix, and hidden browser activity
- Kaspersky uncovers a crypto scam built around fake seed phrases
- Kaspersky report on scammers dupe scammers with fake seed phrases
- Jupiter Exchange backlash over a seed phrase demand for ASR rewards