Kaspersky's 'OkoBot' Threat: A New Mirage for Crypto Investors?

Cybersecurity firm Kaspersky has identified a new malware framework called 'OkoBot' targeting cryptocurrency investors through social engineering tactics and trojanized GitHub apps. The malware initiates an infection chain using methods like ClickFix, which tricks users into executing malicious commands, followed by deploying a backdoor to harvest crypto wallet files, browser data, and credentials. It also injects malicious extensions and captures wallet application windows to steal assets. Since January 2026, multiple attacks linked to this malware family have been detected. OkoBot evolved from the 'TookPS' campaign, first identified in 2025, and uses an SSH tunnel to orchestrate 20 malicious payloads remotely.
SlowMist emphasized that such attacks are not isolated, with hackers increasingly leveraging recruitment, code reviews, and collaboration scenarios to trick developers into running malicious code. Additionally, a macOS-focused campaign was reported, aiming to steal credentials and hijack Telegram sessions to redirect investors to phishing sites.
Berk Arıcan Note: The crypto ecosystem faces a critical vulnerability in user security. Frameworks like OkoBot pose risks beyond technical flaws, exploiting psychological manipulation. Combined with token unlock risks and liquidity leaks, such vulnerabilities could trigger significant market volatility. Investors must avoid sharing seed phrases and exercise caution with open-source projects.