The OkoBot malware framework has been active since April 2025, targeting hardware wallet users by injecting phishing pages into legitimate wallet software. Kaspersky reported hundreds of victims worldwide, with a significant concentration in Brazil, Vietnam, Canada, Mexico, and Türkiye, highlighting the threat to cryptocurrency security.
OkoBot is a malware framework identified as active since April 2025, primarily targeting hardware wallet users. Its specific focus is on stealing recovery phrases from hardware wallets such as Ledger and Trezor using legitimate software interfaces. Kaspersky's GReAT team published their findings, noting that many users have fallen victim across more than 25 countries.
OkoBot includes a module named SeedHunter that waits for the specific hardware wallets to be connected. Once detected, it injects a phishing page directly into the wallet's desktop software, requesting the user's recovery phrase. This process takes advantage of the trusted application interface, making it difficult for users to discern the malicious intent.
Kaspersky identified hundreds of victims affected by OkoBot, with the largest number reported in Brazil, Vietnam, Canada, Mexico, and Türkiye. The malware takes advantage of its stealthy operation and familiarity with user interfaces to compromise the security of hardware wallet users without triggering immediate red flags.
OkoBot's techniques are reminiscent of previous malware such as GlassWorm and macOS stealers, which have also employed methods to lure victims into entering sensitive information. However, OkoBot uniquely injects its phishing mechanisms into the active software, retaining the legitimate application's appearance and functionality.
As the cryptocurrency landscape continues to evolve, threats like OkoBot underscore the importance of vigilance when interacting with hardware wallet software. Users are advised to keep their systems updated and to be cautious about phishing attempts that leverage familiar interfaces.
✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →
The OkoBot malware framework has been active since April 2025, targeting hardware wallet users by injecting phishing pages into legitimate wallet software. Kaspersky reported hundreds of victims worldwide, with a significant concentration in Brazil, Vietnam, Canada, Mexico, and Türkiye, highlighting the threat to cryptocurrency security.