Перейти к содержанию

Wallet opened with a fake key: OkoBot steals seed phrases from cryptocurrency owners

The platform monitors the keyboard, records the screen, and installs dangerous browser extensions

Kaspersky Lab experts have discovered OkoBot – a platform consisting of more than 20 modules for stealing cryptocurrency and wallet data. It intercepts passwords and keystrokes, records what happens in the application window, and installs malicious browser extensions.

Attackers convince people to run a dangerous command themselves or place infected files on GitHub disguised as regular programs. One of the lures was an installer for a Microsoft database tool.

The SeedHunter module is particularly dangerous. It monitors the launch of Trezor Suite, Ledger Wallet, and Ledger Live, and then displays a fake recovery window. If a seed phrase is entered there, criminals gain access to crypto assets.

Infection attempts have been made against hundreds of users in more than 25 countries, but most often they occurred in Brazil, Vietnam, Canada, Mexico, and Turkey. This campaign has been ongoing for over a year and is still active. Who is behind the attacks is unknown: researchers found Russian-language traces, but this is not enough for accurate conclusions.

Read more on the topic: