OkoBot Malware Targets Cryptocurrency Users to Steal Seed Phrases

OkoBot Malware Targets Cryptocurrency Users to Steal Seed Phrases

First seen 15 Jul 2026, 16:20 UTC GbhackersThehackernews 79% similarity 64.5

Article Content

Browse articles
ThreatCluster

The OkoBot malware framework has been identified as a significant threat to cryptocurrency users, specifically targeting Ledger and Trezor wallets. This multi-stage malware captures sensitive information, including recovery phrases, browser credentials, wallet files, keystrokes, screenshots, and application video recordings. Researchers first detected OkoBot's activity in January 2026, but its TookPS downloader component has been operational since March 2025. The malware injects phishing mechanisms directly into Ledger and Trezor applications, making it particularly dangerous for users of these wallets. The full scope of the impact is still being assessed, but the potential for significant financial loss is high. Users are urged to remain vigilant and implement security measures to protect their assets.

Key Points: • OkoBot malware targets Ledger and Trezor wallets to steal recovery phrases. • The malware has been active since at least March 2025, with detection in January 2026. • Phishing injections into wallet applications increase the risk of credential theft.

ThreatCluster AI

Timeline

2025-03-01
TookPS downloader component becomes active
The TookPS downloader, part of the OkoBot framework, began operations targeting cryptocurrency users.
Gbhackers
2026-01-01
OkoBot malware activity first detected
Researchers observed the OkoBot malware framework targeting users of Ledger and Trezor wallets.
Thehackernews
2026-07-15
OkoBot malware details published
Gbhackers and The Hacker News report on the OkoBot malware framework's capabilities and risks.
Gbhackers

Community

Browse all →