OkoBot hardware-wallet phrase theft campaign
Campaign
Summary
Hide ▲
Show ▼
An active OkoBot campaign is driving hundreds of victimizations across more than 25 countries, showing broad coordinated malware activity. The operation uses overlapping delivery paths and payloads, including SeedHunter seed-phrase theft against Windows wallet users. Its reach across Brazil, Vietnam, Canada, Mexico, and Türkiye points to sustained multi-region targeting with wallet-theft and credential-theft risk.
Related Happenings
OkoBot Windows malware framework with SeedHunter wallet phrase theft
Malware Activity
H score31
First: 15.07.2026 18:30
Last: 15.07.2026 18:30
Sources 1
How related:
A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase.
About this happening:
The **OkoBot** malware framework is actively running on **Windows** and using **SeedHunter** to steal hardware wallet recovery phrases, putting wallet owners and endpoint data at...
OkoBot Windows malware framework with SeedHunter wallet phrase theft
Malware ActivityHow related: A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase.
About this happening: The **OkoBot** malware framework is actively running on **Windows** and using **SeedHunter** to steal hardware wallet recovery phrases, putting wallet owners and endpoint data at...
Ghost Networks crypto-clipper promotion campaign
Campaign
H score15
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
**Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Ghost Networks crypto-clipper promotion campaign
CampaignAbout this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...
Rust-based clipboard hijacker that swaps wallet addresses
Malware Activity
H score10
First: 17.06.2026 21:14
Last: 17.06.2026 21:14
Sources 1
About this happening:
The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
Rust-based clipboard hijacker that swaps wallet addresses
Malware ActivityAbout this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...
FakeWallet crypto wallet phishing campaign targeting users in China
Campaign
H score14
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
FakeWallet crypto wallet phishing campaign targeting users in China
CampaignAbout this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...
Latest development: 24.04.2026 14:48
Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.
FakeWallet Apple App Store wallet-stealing apps
Malware Activity
H score8
First: 21.04.2026 00:52
Last: 21.04.2026 00:52
Sources 1
About this happening:
The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
FakeWallet Apple App Store wallet-stealing apps
Malware ActivityAbout this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...
Timeline
-
15.07.2026 18:30 2 articles · 1h ago
Kaspersky details OkoBot seed-phrase theft against Ledger and Trezor users
Initial DisclosureKaspersky's GReAT team disclosed the OkoBot framework running on Windows machines since April 2025 and described SeedHunter, a module that injects fake recovery-phrase pages into Ledger Live, Ledger Wallet, and Trezor Suite to steal wallet recovery phrases. The telemetry covered hundreds of victims across more than 25 countries, with the largest share of attacked users in Brazil, Vietnam, Canada, Mexico, and Türkiye, and the delivery paths included ClickFix lures and trojanized GitHub software that deploy TookPS.
Show sources
- OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps — thehackernews.com — 15.07.2026 18:30
- OkoBot Malware Framework Injects Seed Phrase Phishing Into Ledger and Trezor Apps — thehackernews.com — 15.07.2026 18:30