HomeEverythingEducationTV
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
Story archiveAll categories
← All Stories

Kaspersky: New Malware 'OkoBot' Targets Crypto Investors

Created at 18 Jul · 11:55 AM1 source↑ Market-relevant
IN SHORT

Kaspersky has identified a new malware framework named OkoBot that targets cryptocurrency investors. The malware uses social engineering tactics to infect devices, steal wallet files, browser data, and credentials, and can inject malicious extensions.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

20malicious payloads orchestrated via SSH tunnel
January 2026earliest identified attacks by OkoBot family
2025year TookPS malware campaign was first identified

Who's Involved

Kaspersky
cybersecurity company that uncovered OkoBot malware
OkoBot
new malware framework targeting crypto investors
TookPS
previous malware campaign from which OkoBot evolved
SlowMist
blockchain security company reporting on Web3 developer campaign

↳ Why This Matters

These evolving malware frameworks pose a significant threat to cryptocurrency investors and Web3 developers by exploiting social engineering and mimicking legitimate workflows to steal digital assets and sensitive credentials.

Key facts

  • Kaspersky has identified a new malware framework named OkoBot targeting cryptocurrency investors.
  • OkoBot initiates infections through social engineering tactics like ClickFix or trojanized GitHub apps.
  • The malware is capable of harvesting crypto wallet files, browser data, and user credentials.
  • It can also inject malicious extensions and capture wallet application windows to steal assets.
  • OkoBot evolved from the 'TookPS' malware campaign, first identified in 2025.
  • A separate campaign targets Web3 developers via fake LinkedIn recruitment using malicious GitHub repositories.

Kaspersky has identified a new malware framework, dubbed OkoBot, that is specifically targeting cryptocurrency investors. The malware employs social engineering tactics, such as the ClickFix tool or trojanized GitHub applications, to initiate its infection chain. Once a device is compromised, OkoBot can harvest sensitive information including crypto wallet files, browser data, and user credentials. It also has the capability to inject malicious browser extensions and capture wallet application windows to facilitate asset theft.

Kaspersky noted that this malware family has been observed in multiple attacks since January 2026. The framework is an evolution of 'TookPS,' a malware campaign first identified in 2025 that distributed a Trojan downloader via fake software websites. OkoBot's distinct feature is its orchestration of all 20 malicious payloads through an SSH tunnel, enabling attackers to remotely transport stolen data.

In a separate development, a new malware campaign is targeting Web3 developers through deceptive LinkedIn recruitment efforts, according to SlowMist. Attackers pose as recruiters and send fake GitHub repositories, presenting them as essential pre-interview tasks. This tactic closely mimics legitimate developer workflows, making it difficult to detect. The malware aims to deliver a remote access trojan to steal project keys, cloud credentials, or wallet extension data from these developers. SlowMist highlighted that attackers are increasingly exploiting scenarios like recruitment and collaboration to trick developers into running malicious code.

Frequently asked questions

OkoBot is a new malware framework identified by Kaspersky that targets cryptocurrency investors by stealing wallet files, browser data, and credentials.

It uses social engineering tactics like ClickFix or trojanized GitHub apps to trick users into running malicious commands or backdoors.

OkoBot can harvest crypto wallet files, browser data, user credentials, and capture wallet application windows to steal assets.

Attackers pose as recruiters on LinkedIn and send fake GitHub repositories, tricking developers into running malicious code that steals project keys and credentials.

What Happens Next

01Further analysis of OkoBot's evolution and capabilities.
02Monitoring of new campaigns targeting Web3 developers and crypto investors.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

Kaspersky identified a new malware framework called OkoBot targeting cryptocurrency investors.
OkoBot uses social engineering tactics like ClickFix or trojanized GitHub apps to infect devices.
The malware can steal crypto wallet files, browser data, user credentials, and inject malicious extensions.
OkoBot evolved from the 'TookPS' malware campaign identified in 2025.
All 20 malicious payloads are orchestrated via an SSH tunnel for remote data exfiltration.
Separately, a campaign targets Web3 developers via fake LinkedIn recruitment using malicious GitHub repositories.
This campaign aims to steal project keys, cloud credentials, or wallet extension data from developers.
Attackers are increasingly using scenarios like recruitment and collaborations to trick developers.

Sources

T1
Kaspersky identifies malware framework targeting crypto investorsCointelegraph

Related Stories

FBI arrests man accused of using fake Steam games to steal crypto
17 Jul · 4:51 PM
Abbott investigating two separate cyber incidents
17 Jul · 11:04 PM
David Sacks Warns US Risks Losing AI Race to China Amid Regulatory Concerns
17 Jul · 4:26 PM
China's Kimi K3 AI Model Challenges US Dominance, Offers Open-Weight Performance
17 Jul · 3:46 PM
Nuclear startup Valar Atomics in talks to raise new funding at $6B valuation
17 Jul · 7:56 PM