2 min read

OkoBot steals crypto seed phrases with fake Trezor prompts

Kaspersky says OkoBot has targeted crypto wallet owners in 25+ countries for more than a year using fake Trezor and Ledger recovery windows.

Image: ITzine

Kaspersky GReAT says it has uncovered a malware platform called OkoBot that targets crypto wallet owners by stealing their seed phrases through fake recovery prompts disguised as Trezor and Ledger interfaces. The campaign has been active for more than a year and has already hit hundreds of users in 25+ countries.

That matters because a seed phrase is effectively full access to a wallet. Once it is stolen, there is no rollback.

OkoBot includes more than 20 modules. One of them, OkoSpyware, can capture keystrokes and video from a targeted application window. Another, SeedHunter, watches for launches of Trezor Suite, Ledger Wallet, and Ledger Live. If it detects a connected hardware wallet, it displays a phishing recovery page and asks the victim to enter their secret phrase, typically 12, 18, or 24 words. That is enough to move assets to another address.

The malware spreads in two main ways:

  • through ClickFix tactics, where users are tricked into running a malicious command while supposedly fixing an error
  • through GitHub, where malware is distributed as ordinary tools

During its research, Kaspersky found a fake installer for SQL Server Management Studio, Microsoft’s widely used database administration tool. That makes the campaign especially risky for developers and IT professionals, who are more likely to download utilities, test builds, and scripts from repositories.

Recommended reading

AI won’t replace penetration testers just yet

Kaspersky recorded the highest number of infection attempts in Brazil, Vietnam, Canada, Mexico, and Turkey. The company did not name a specific threat group, but said the code contained Russian-language artifacts, and the techniques have previously been seen among Russian-speaking data theft operators.

For hardware wallet users, the warning is simple: Trezor and Ledger should not suddenly ask for a seed phrase in a pop-up during normal use. If that happens, it is almost certainly not wallet recovery, but an attempt to steal the wallet.

Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via ITzine

// Keep reading