Crypto
Home›Crypto›Regulation›Kaspersky flags OkoBot malware targeting crypto invest…
Kaspersky flags OkoBot malware targeting crypto investors via GitHub apps
Kaspersky said it has seen multiple OkoBot attacks since January 2026, and the malware is designed to harvest wallet files, credentials, and browser data.
Kaspersky said it has identified a malware framework, dubbed OkoBot, that targets cryptocurrency investors using social engineering and trojanized GitHub applications. The firm said the infection process can begin with tactics such as ClickFix, which tricks victims into running malicious commands, or with fake GitHub apps that deliver a backdoor to infected devices.
According to Kaspersky, once devices are compromised, OkoBot can harvest crypto wallet files, browser data, and user credentials, and it can also inject malicious browser extensions and capture wallet application windows to steal assets.
Kaspersky added that it found multiple attacks involving the malware family dating back to January 2026. The cybersecurity firm said OkoBot evolved from a prior malware campaign called TookPS, and that it is designed to coordinate 20 malicious payloads via an SSH tunnel to remotely transport data from infected computers to attacker-controlled machines.
Separately, SlowMist reported a different campaign aimed at Web3 developers, using fake LinkedIn recruitment offers that lead to malicious GitHub repositories. SlowMist said the approach imitates a normal technical interview workflow and is intended to deliver a remote access trojan that can steal items such as project keys, cloud credentials, or wallet extension data.