In short: On 15 July 2026 Kaspersky's GReAT team revealed OkoBot — a modular malware framework that has been quietly stealing cryptocurrency and personal data for over a year. It carries 20+ modules that lift passwords, browser data and, most dangerously, crypto wallet seed phrases by faking Ledger and Trezor recovery screens. It spreads through GitHub and social engineering, has hit 25+ countries, and mainly targets developers and IT specialists. Updating nothing fixes it — the defence is discipline: never type a seed phrase into any window, and install software only from official sources.
What happened
On 15 July 2026, the Global Research and Analysis Team (GReAT) at Kaspersky published its findings on OkoBot, a malicious platform built to steal cryptocurrency and user data. According to the company the campaign has run for more than a year and is still active. Researchers noted Russian-language artifacts in the code that may point to the operators' origin. The disclosure was reported the same day by CNews and iXBT, alongside Kaspersky's own Securelist writeup.
What makes OkoBot notable is not a single clever exploit but its scale and patience: a modular "framework" that operators assemble to fit each victim, aimed above all at people who hold crypto and at the developers who build the tools around it. If you keep funds in a wallet — hot or hardware — this one is worth understanding.
How OkoBot works
OkoBot is built from more than 20 interchangeable modules. Together they can harvest saved credentials, install malicious browser extensions, log keystrokes and record what the user does on screen — a full surveillance and theft kit. But its signature trick targets crypto directly.
One module quietly watches for the launch of hardware-wallet apps for Trezor and Ledger. The moment you open one, it pops up a fake "recovery" or "restore access" screen that looks like the real thing and asks for your seed phrase. Hand it over and the attackers have everything they need to drain the wallet — no need to break the hardware device's own security, because you typed the master key straight into their window. Real Ledger and Trezor apps never ask you to re-enter your recovery phrase on screen, which is exactly why this lure is so effective against people who don't know that rule.
How it spreads — and who it targets
Infection relies on social engineering rather than any single vulnerability. Kaspersky describes two main routes: the ClickFix scheme, where a page tricks you into copying and running a command "to fix" a fake error, and GitHub, where the malware is published disguised as legitimate software or developer tools. Attack attempts have been recorded in more than 25 countries, including Brazil, Vietnam, Canada, Mexico and Turkey.
Crucially, GReAT says a primary target is developers and other IT specialists — people who routinely pull code and tools from GitHub and are used to running unfamiliar scripts. That trust is the attack surface. The same reflexes that make a developer productive are what OkoBot is designed to exploit, which is why "it looked like a normal repo" is no defence.
Why this is dangerous for your data
Crypto theft is irreversible: once a seed phrase leaks and a wallet is emptied, there is no bank to call and no transaction to reverse. But OkoBot's reach goes well beyond coins. With keylogging, credential theft and browser-extension implants running together, it can also capture the passwords and sessions you use for mail, work portals and banking — and quietly feed a wider profile of you. The more of your credentials already circulate from past breaches, such as the billion-record infostealer leak we reported, the easier it is to chain one compromise into another.
How to protect yourself
Never type your seed phrase into any window or website. A recovery phrase is entered only on the hardware wallet device itself, never in a desktop or browser pop-up. If any app or page asks for it, that is the attack — close it.
Install software only from official sources. Treat GitHub downloads and "handy tools" with suspicion: check the publisher, the repository history and stars, and prefer official vendor sites. Never paste-and-run a command a web page tells you to, which is the whole ClickFix trap.
Keep credentials in a password manager with two-factor authentication. Unique passwords and 2FA limit how far an attacker travels with whatever they manage to steal, and make the passwords harvested by a keylogger far less reusable.
Encrypt your connection on untrusted networks. A VPN does not remove malware from an infected machine — only careful habits and security software do that. What it does is close a different door: on public or shared Wi-Fi it routes your traffic through an encrypted tunnel, so no one else on the network can intercept the logins and sessions you send to exchanges, banking or mail. Think of it as one layer among several — see how we protect data in online services. LiMP VPN is a no-logs service for iOS and Android — explore the features and plans, and more security news on our blog.
Do I need to worry if I don't own crypto?
Partly. The seed-phrase module only pays off against wallet owners, but the rest of OkoBot — keylogger, credential stealer, browser-extension implant — threatens anyone. If it lands on your machine it can lift the passwords and sessions you use every day. The defensive habits are the same for everyone: install from official sources, distrust unexpected "fix this" prompts, and keep your accounts behind a password manager and 2FA.
Sources
This report is based on the OkoBot disclosure by Kaspersky GReAT (Securelist), 15 July 2026, as reported by iXBT and CNews, July 2026.
