Find notable cyber news and cases, enriched with sources, timelines, and signals.

OkoBot hardware-wallet phrase theft campaign

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

An active OkoBot campaign is driving hundreds of victimizations across more than 25 countries, showing broad coordinated malware activity. The operation uses overlapping delivery paths and payloads, including SeedHunter seed-phrase theft against Windows wallet users. Its reach across Brazil, Vietnam, Canada, Mexico, and Türkiye points to sustained multi-region targeting with wallet-theft and credential-theft risk.

Related Happenings

OkoBot Windows malware framework with SeedHunter wallet phrase theft

Malware Activity
H score31 First: 15.07.2026 18:30 Last: 15.07.2026 18:30 Sources 1

How related: A malware framework called OkoBot has been running on Windows machines since April 2025, and one of its modules is built to con hardware wallet owners out of their recovery phrase.

About this happening: The **OkoBot** malware framework is actively running on **Windows** and using **SeedHunter** to steal hardware wallet recovery phrases, putting wallet owners and endpoint data at...

Ghost Networks crypto-clipper promotion campaign

Campaign
H score15 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: **Unknown threat actor** is running an **active June 2026** campaign that fakes legitimacy to distribute a **Rust-based clipboard hijacker**. The operation uses **bogus GitHub sta...

Rust-based clipboard hijacker that swaps wallet addresses

Malware Activity
H score10 First: 17.06.2026 21:14 Last: 17.06.2026 21:14 Sources 1

About this happening: The **Rust-based clipper** is a **Windows and macOS** malware activity that **replaces copied cryptocurrency wallet addresses** with attacker-controlled destinations. It continuou...

FakeWallet crypto wallet phishing campaign targeting users in China

Campaign
H score14 First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** campaign is actively distributing **26 malicious apps** that impersonate crypto wallets and steal **seed phrases**, putting **users in China** at immediate risk...

Latest development: 24.04.2026 14:48

Kaspersky said the FakeWallet campaign is gaining momentum with new tactics, including phishing apps published in the Apple App Store, cold wallet impersonation, and phishing notifications, and suspected it may be the work of threat actors linked to SparkKitty because some infected apps use OCR to steal wallet recovery phrases and the two campaigns share native Chinese-speaking operators and cryptocurrency targeting.

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
H score8 First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

Timeline

  1. 15.07.2026 18:30 2 articles · 1h ago

    Kaspersky details OkoBot seed-phrase theft against Ledger and Trezor users

    Initial Disclosure

    Kaspersky's GReAT team disclosed the OkoBot framework running on Windows machines since April 2025 and described SeedHunter, a module that injects fake recovery-phrase pages into Ledger Live, Ledger Wallet, and Trezor Suite to steal wallet recovery phrases. The telemetry covered hundreds of victims across more than 25 countries, with the largest share of attacked users in Brazil, Vietnam, Canada, Mexico, and Türkiye, and the delivery paths included ClickFix lures and trojanized GitHub software that deploy TookPS.

    Show sources