
Kaspersky Reveals OkoBot Malware Targeting Crypto Wallets Across Five Countries
Security firm Kaspersky exposed OkoBot, a year-old malware operation using 20 modules to steal cryptocurrency wallet recovery phrases from users across at least five countries. The threat remains active and has evaded detection through modular design and persistence techniques.
Key Takeaways
- 1## The Threat Kaspersky researchers identified OkoBot, a modular malware family that has targeted cryptocurrency users for over a year across at least five countries.
- 2The operation uses approximately 20 distinct modules to extract wallet recovery phrases and other sensitive data, according to Kaspersky's analysis.
- 3The malware's modular architecture allows operators to deploy specific components based on target profiles, reducing detection surface and maximizing persistence.
- 4## How It Works OkoBot's primary objective is theft of seed phrases and private keys from cryptocurrency wallets.
- 5The malware achieves this through a combination of information-stealing modules, persistence mechanisms, and anti-analysis capabilities.
The Threat
Kaspersky researchers identified OkoBot, a modular malware family that has targeted cryptocurrency users for over a year across at least five countries. The operation uses approximately 20 distinct modules to extract wallet recovery phrases and other sensitive data, according to Kaspersky's analysis. The malware's modular architecture allows operators to deploy specific components based on target profiles, reducing detection surface and maximizing persistence.
How It Works
OkoBot's primary objective is theft of seed phrases and private keys from cryptocurrency wallets. The malware achieves this through a combination of information-stealing modules, persistence mechanisms, and anti-analysis capabilities. By compartmentalizing functionality across modules, the attackers can update tactics and evade endpoint detection tools that rely on behavioral signatures tied to specific payload chains.
Detection and Response
Kaspersky's disclosure includes indicators of compromise and technical details sufficient for other security vendors to develop detection signatures. The firm has not disclosed the specific distribution vector or named the countries affected, but the multi-year operational tenure and cross-border targets suggest the operation maintains reliable access chains—likely through phishing, malicious downloads, or compromised software repositories. Users with cryptocurrency holdings should verify wallet integrity and consider hardware security modules for seed phrase storage.
Why It Matters
For Traders
Verify wallet software integrity and recovery phrase storage before moving assets; OkoBot's year-long operation suggests broad distribution channels remain active.
For Investors
Wallet security infrastructure gaps remain a systemic risk to asset custody; malware sophistication and modularity reflect growing adversary maturity in the space.
For Builders
Hardware wallet manufacturers and recovery-phrase backup services should review their isolation techniques; software wallet teams should implement anti-tampering and keylogging detection.





