KanalCoin Logo
BTC$64,004.93+1.93%
ETH$1,839.97+1.47%
USDT$1.00+0.03%
BNB$569.49+2.00%
USDC$1.00+0.01%
XRP$1.09+1.26%
SOL$74.68+1.36%
TRX$0.32+0.30%
HYPE$58.61-1.81%
DOGE$0.07+1.09%
BTC$64,004.93+1.93%
ETH$1,839.97+1.47%
USDT$1.00+0.03%
BNB$569.49+2.00%
USDC$1.00+0.01%
XRP$1.09+1.26%
SOL$74.68+1.36%
TRX$0.32+0.30%
HYPE$58.61-1.81%
DOGE$0.07+1.09%
News

Kaspersky Identifies Malware Framework Targeting Crypto Investors

Scott Chamberlin
Scott Chamberlin
Contributor
Published Jul 18, 2026
3 min read
Kaspersky Identifies Malware Framework Targeting Crypto Investors
Featured image: Kaspersky Identifies Malware Framework Targeting Crypto Investors
Summary

Kaspersky said on July 15, 2026 that OkoBot uses the TookPS component to exfiltrate seed phrases and a new OkoSpyware module to monitor Chromium-based browsers and deploy additional malware, including the Rilide stealer, according to the company's announcement .

Kaspersky has identified a malware framework targeting crypto investors, warning that the OkoBot operation steals wallet seed phrases and browser data from cryptocurrency users and remains active across more than 25 countries.

TL;DR KEY POINTS

  • Kaspersky says the OkoBot framework uses TookPS to exfiltrate seed phrases and an OkoSpyware module to monitor Chromium-based browsers.
  • The campaign has hit hundreds of victims in more than 25 countries and was still active as of July 2026.
  • Seed-phrase phishing pages are injected into Trezor and Ledger wallet software, placing self-custody users directly at risk.

What Kaspersky identified in the malware campaign

Kaspersky said on July 15, 2026 that OkoBot uses the TookPS component to exfiltrate seed phrases and a new OkoSpyware module to monitor Chromium-based browsers and deploy additional malware, including the Rilide stealer, according to the company’s announcement. For related coverage, see Docker API Misconfigurations Exploited for Crypto Mining.

The security firm describes OkoBot as an extensible framework rather than a single tool. Its technical research says the operation bundles more than 20 malicious payloads and implants and was still active at the time of publication. For related coverage, see Fake Crypto Wallet Apps on Apple App Store Can Drain Assets: Report.

Payload count
Verified by Kaspersky’s Securelist report as more than 20 malicious payloads and implants inside the OkoBot framework.

Kaspersky researcher Dmitry Galov said the campaign has run for more than a year and remained ongoing as of July 2026, underscoring that this is a maintained operation rather than a one-off incident. The framework is designed primarily to compromise people who hold and move digital assets, which is why crypto investors are the named target group.

Why crypto investors may be vulnerable to this threat

Crypto investors are attractive to attackers because they interact daily with wallets, exchange logins, token links, and desktop or browser tools, and because on-chain transfers are fast and effectively irreversible once signed. That combination gives threat actors a short, high-value window to cash out.

Seed-phrase phishing inside wallet software

Kaspersky’s research says a component called SeedHunter injects into Trezor Suite, Ledger Wallet, and Ledger Live to display hard-coded recovery pages that trick users into re-entering their seed phrases. That mirrors earlier campaigns such as the SparkKitty trojan found inside crypto apps and the Stealka malware distributed through game mods, both of which chased the same prize: wallet credentials.

Trojanized software as the delivery route

BleepingComputer confirmed that one malicious GitHub repository posed as SQL Server Management Studio but actually dropped a trojanized Audacity build, in its coverage of the framework. Fake installers remain a recurring theme, echoing reports of fake wallet apps that can drain assets after users trust a lookalike download.

What this means for the crypto market and user security

Kaspersky said the campaign has already targeted hundreds of victims across more than 25 countries, with the highest concentrations of affected users in Brazil, Vietnam, Canada, Mexico, and Türkiye.

Victim footprint
25+
Kaspersky’s research says the operation hit hundreds of victims in more than 25 countries.

A trust problem, not a price event

Incidents that target self-custody hardware wallets strike at the trust layer of crypto participation, since Trezor and Ledger devices are marketed as the safest way to hold assets. When that assurance is undermined by injected phishing pages, the reputational cost extends to exchanges and wallet providers, not just individual victims. Similar concerns followed the 3CX supply-chain compromise linked to a suspected crypto plot.

The broader market backdrop is already cautious, with the Fear & Greed Index reading 25, or Extreme Fear, at press time. Security reporting on OkoBot has stayed concentrated in cybersecurity channels rather than triggering a visible price reaction.

Immediate takeaway for users

The practical defense signaled by Kaspersky’s report is straightforward: never enter a seed phrase into a page prompted by desktop or browser software, and download wallet and developer tools only from verified official sources. With OkoBot still active, that operational caution is the most concrete step available to holders right now.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making decisions.

Suggested Reads

More »