Global cybersecurity firm Kaspersky has identified a malware framework called OkoBot that targets crypto users by stealing wallet seed phrases, credentials and other sensitive data through a collection of more than 20 malicious components.
The campaign, first identified in January 2026, has compromised hundreds of victims across more than 25 countries, with Brazil, Vietnam, Canada, Mexico and Türkiye among the most affected.
During the investigation, researchers found that attackers distribute the malware through ClickFix social engineering schemes and fake software downloads hosted on GitHub, allowing the framework to infect devices and deploy additional malware, including the Rilide browser stealer.
The…






