According to Bits.media, Kaspersky security researchers discovered malware OkoBot, which has been active for over one year and uses approximately 20 modules to steal cryptocurrency wallet seed phrases and credentials. The attackers employ ClickFix social engineering techniques to deceive users into running malicious commands and distribute the malware through GitHub repositories disguised as legitimate tools such as SQL Server Management Studio. Key modules include SeedHunter, which injects hardware wallets like Trezor and Ledger and displays fake recovery interfaces; MC Keylogger, which records keyboard and clipboard activity; and OkoSpyware, which tracks wallet passwords and records window video. Once attackers obtain seed phrases, they gain complete control of victims' crypto assets.
Most victims are distributed across Brazil, Vietnam, Canada, Mexico, and Turkey. The attackers have implemented geographic blocks against IP addresses in Russia and Commonwealth of Independent States countries.