Kaspersky Flags "OkoBot" Malware Framework Aimed at Crypto Investors
AI Market Summary
Kaspersky's disclosure of OkoBot and SlowMist's report of recruiter-style LinkedIn lures highlight an escalation in social-engineering malware targeting crypto wallets and Web3 developer keys via compromised GitHub workflows. The news raises near-term operational and custody risk across the ecosystem, potentially dampening risk appetite and increasing scrutiny of wallet security, developer tooling, and dependency hygiene until mitigations and attribution become clearer.
Impact level
● Medium
Affected assets
BTC/USDT+1.32%
AI Insight · BTC/USDTAI Insight
▼ Bearish
Trade now
⚠️ AI-generated insights are based on news content and are provided for informational purposes only. They do not constitute investment advice or represent the views of BingX. Investing involves risk. Please trade responsibly.
Odaily Planet Daily reported that cybersecurity firm Kaspersky has identified a new malware framework dubbed "OkoBot" that is targeting cryptocurrency investors through social-engineering lures and GitHub apps compromised with malicious code. The malware can steal crypto wallet files, browser data and user credentials, inject malicious extensions, and capture wallet-application windows to drain assets. Kaspersky said it has detected multiple attacks linked to the malware family since January 2026.
Kaspersky added that OkoBot traces its origins to TookPS, first spotted in 2025, which previously spread trojan downloaders via fake software websites.
In a separate disclosure, cybersecurity firm SlowMist warned of a renewed campaign aimed at Web3 developers using forged LinkedIn job opportunities. Attackers posing as Web3 recruiters direct targets to fake GitHub repositories, enticing them to pull code, install dependencies and run projects, ultimately exfiltrating project keys, cloud credentials or wallet-extension data.