Kaspersky has uncovered a modular malware system called OkoBot designed to drain cryptocurrency wallets, steal seed phrases, and harvest sensitive credentials. As of mid-July 2026, the malware has impacted hundreds of victims across more than 25 countries, and the threat remains active.

Malware Complexity and Spread

Unlike simple phishing scripts, OkoBot operates as a full malware framework. It integrates over 20 different malicious payloads and implants, enabling a full attack on endpoints. This setup provides attackers with more than just wallet theft capabilities, including broader data compromise tools. Kaspersky’s research highlights the modularity of the malware, making it much harder to detect and neutralize.

The infection vectors include deceptive techniques such as ClickFix lures and malicious repositories hosted on GitHub, which trick users into executing malicious files. These attack methods contribute to OkoBot’s global reach, affecting victims in a wide array of locations and suggesting a coordinated campaign rather than isolated incidents.

Kaspersky’s report refrains from firmly attributing the malware to any known hacking group but mentions unconfirmed ties to Russian-speaking threat actors. Regardless of its origin, the campaign's scale shows the significant risks faced by cryptocurrency investors globally.

This incident echoes concerns raised by cybersecurity experts over increasingly sophisticated attacks aimed at crypto users, similar to how some North Korean hackers recently impersonated Japanese venture capitalists and banks to steal millions in cryptocurrency.

This material is for informational purposes only and does not constitute financial advice.